MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: applicant portal — document uploads, round filtering, auth hardening

Browse Source 
Fix round-specific document uploads (submittedAt no longer blocks uploads),
add view/download buttons for existing files, enforce active-round-only for
uploads/deletes. Harden auth layout and set-password page. Filter applicant
portal rounds by award track membership.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matt
2026-03-04 13:29:39 +01:00
parent 1103d42439
commit a39e27f6ff
8 changed files with 192 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
src/app/(applicant)/applicant/documents/page.tsx
View File

@@ -3,6 +3,7 @@
import { useSession } from 'next-auth/react' import { useSession } from 'next-auth/react'
import { trpc } from '@/lib/trpc/client' import { trpc } from '@/lib/trpc/client'
import { Badge } from '@/components/ui/badge' import { Badge } from '@/components/ui/badge'
import { Button } from '@/components/ui/button'
import { import {
Card, Card,
CardContent, CardContent,
@@ -20,6 +21,7 @@ import {
Video, Video,
File, File,
Download, Download,
Eye,
} from 'lucide-react' } from 'lucide-react'
const fileTypeIcons: Record<string, typeof FileText> = { const fileTypeIcons: Record<string, typeof FileText> = {
@@ -42,6 +44,34 @@ const fileTypeLabels: Record<string, string> = {
SUPPORTING_DOC: 'Supporting Document', SUPPORTING_DOC: 'Supporting Document',
} }
function FileActionButtons({ bucket, objectKey, fileName }: { bucket: string; objectKey: string; fileName: string }) {
const { data: viewData } = trpc.file.getDownloadUrl.useQuery(
{ bucket, objectKey, forDownload: false },
{ staleTime: 10 * 60 * 1000 }
)
const { data: dlData } = trpc.file.getDownloadUrl.useQuery(
{ bucket, objectKey, forDownload: true, fileName },
{ staleTime: 10 * 60 * 1000 }
)
const viewUrl = typeof viewData === 'string' ? viewData : viewData?.url
const dlUrl = typeof dlData === 'string' ? dlData : dlData?.url
return (
<div className="flex items-center gap-1 shrink-0">
<Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!viewUrl}>
<a href={viewUrl || '#'} target="_blank" rel="noopener noreferrer">
<Eye className="h-3 w-3" /> View
</a>
</Button>
<Button variant="ghost" size="sm" className="h-7 px-2 text-xs gap-1" asChild disabled={!dlUrl}>
<a href={dlUrl || '#'} download={fileName}>
<Download className="h-3 w-3" /> Download
</a>
</Button>
</div>
)
}
export default function ApplicantDocumentsPage() { export default function ApplicantDocumentsPage() {
const { status: sessionStatus } = useSession() const { status: sessionStatus } = useSession()
const isAuthenticated = sessionStatus === 'authenticated' const isAuthenticated = sessionStatus === 'authenticated'
@@ -82,7 +112,7 @@ export default function ApplicantDocumentsPage() {
) )
} }
const { project, openRounds } = data const { project, openRounds, isRejected } = data
const isDraft = !project.submittedAt const isDraft = !project.submittedAt
return ( return (
@@ -98,8 +128,20 @@ export default function ApplicantDocumentsPage() {
</p> </p>
</div> </div>
{/* Rejected banner */}
{isRejected && (
<Card className="border-destructive/50 bg-destructive/5">
<CardContent className="flex items-center gap-3 py-4">
<AlertTriangle className="h-5 w-5 text-destructive shrink-0" />
<p className="text-sm text-destructive">
Your project was not selected to advance. Documents are view-only.
</p>
</CardContent>
</Card>
)}
{/* Per-round upload sections */} {/* Per-round upload sections */}
{openRounds.length > 0 && ( {!isRejected && openRounds.length > 0 && (
<div className="space-y-6"> <div className="space-y-6">
{openRounds.map((round: { id: string; name: string; windowCloseAt?: string | Date | null }) => { {openRounds.map((round: { id: string; name: string; windowCloseAt?: string | Date | null }) => {
const now = new Date() const now = new Date()
@@ -163,18 +205,18 @@ export default function ApplicantDocumentsPage() {
<div className="space-y-2"> <div className="space-y-2">
{project.files.map((file) => { {project.files.map((file) => {
const Icon = fileTypeIcons[file.fileType] || File const Icon = fileTypeIcons[file.fileType] || File
const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null } const fileRecord = file as typeof file & { isLate?: boolean; roundId?: string | null; bucket?: string; objectKey?: string }
return ( return (
<div <div
key={file.id} key={file.id}
className="flex items-center justify-between p-3 rounded-lg border" className="flex items-center justify-between p-3 rounded-lg border"
> >
<div className="flex items-center gap-3"> <div className="flex items-center gap-3 min-w-0">
<Icon className="h-5 w-5 text-muted-foreground" /> <Icon className="h-5 w-5 text-muted-foreground shrink-0" />
<div> <div className="min-w-0">
<div className="flex items-center gap-2"> <div className="flex items-center gap-2">
<p className="font-medium text-sm">{file.fileName}</p> <p className="font-medium text-sm truncate">{file.fileName}</p>
{fileRecord.isLate && ( {fileRecord.isLate && (
<Badge variant="warning" className="text-xs gap-1"> <Badge variant="warning" className="text-xs gap-1">
<AlertTriangle className="h-3 w-3" /> <AlertTriangle className="h-3 w-3" />
@@ -189,6 +231,13 @@ export default function ApplicantDocumentsPage() {
</p> </p>
</div> </div>
</div> </div>
{fileRecord.bucket && fileRecord.objectKey && (
<FileActionButtons
bucket={fileRecord.bucket}
objectKey={fileRecord.objectKey}
fileName={file.fileName}
/>
)}
</div> </div>
) )
})} })}

20
src/app/(applicant)/applicant/page.tsx
View File

@@ -111,7 +111,7 @@ export default function ApplicantDashboardPage() {
) )
} }
const { project, timeline, currentStatus, openRounds, hasPassedIntake } = data const { project, timeline, currentStatus, openRounds, hasPassedIntake, isRejected } = data
const programYear = project.program?.year const programYear = project.program?.year
const programName = project.program?.name const programName = project.program?.name
const totalEvaluations = evaluations?.reduce((sum, r) => sum + r.evaluationCount, 0) ?? 0 const totalEvaluations = evaluations?.reduce((sum, r) => sum + r.evaluationCount, 0) ?? 0
@@ -221,8 +221,23 @@ export default function ApplicantDashboardPage() {
</Card> </Card>
</AnimatedCard> </AnimatedCard>
{/* Rejected banner */}
{isRejected && (
<AnimatedCard index={1}>
<Card className="border-destructive/50 bg-destructive/5">
<CardContent className="flex items-center gap-3 py-4">
<AlertCircle className="h-5 w-5 text-destructive shrink-0" />
<p className="text-sm text-destructive">
Your project was not selected to advance. Your project space is now read-only.
</p>
</CardContent>
</Card>
</AnimatedCard>
)}
{/* Quick actions */} {/* Quick actions */}
<AnimatedCard index={1}> {!isRejected && (
<AnimatedCard index={2}>
<div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-3"> <div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-3">
<Link href={"/applicant/documents" as Route} className="group flex items-center gap-3 rounded-xl border border-border/60 p-4 transition-all duration-200 hover:-translate-y-0.5 hover:shadow-md hover:border-blue-500/30 hover:bg-blue-500/5"> <Link href={"/applicant/documents" as Route} className="group flex items-center gap-3 rounded-xl border border-border/60 p-4 transition-all duration-200 hover:-translate-y-0.5 hover:shadow-md hover:border-blue-500/30 hover:bg-blue-500/5">
<div className="rounded-xl bg-blue-500/10 p-2.5 transition-colors group-hover:bg-blue-500/20"> <div className="rounded-xl bg-blue-500/10 p-2.5 transition-colors group-hover:bg-blue-500/20">
@@ -266,6 +281,7 @@ export default function ApplicantDashboardPage() {
)} )}
</div> </div>
</AnimatedCard> </AnimatedCard>
)}
{/* Document Completeness */} {/* Document Completeness */}
{docCompleteness && docCompleteness.length > 0 && ( {docCompleteness && docCompleteness.length > 0 && (

5
src/app/(applicant)/applicant/team/page.tsx
View File

@@ -123,6 +123,7 @@ export default function ApplicantProjectPage() {
const project = dashboardData?.project const project = dashboardData?.project
const projectId = project?.id const projectId = project?.id
const isIntakeOpen = dashboardData?.isIntakeOpen ?? false const isIntakeOpen = dashboardData?.isIntakeOpen ?? false
const isRejected = dashboardData?.isRejected ?? false
const { data: teamData, isLoading: teamLoading, refetch } = trpc.applicant.getTeamMembers.useQuery( const { data: teamData, isLoading: teamLoading, refetch } = trpc.applicant.getTeamMembers.useQuery(
{ projectId: projectId! }, { projectId: projectId! },
@@ -398,7 +399,7 @@ export default function ApplicantProjectPage() {
Everyone on this list can view and collaborate on this project. Everyone on this list can view and collaborate on this project.
</CardDescription> </CardDescription>
</div> </div>
{isTeamLead && ( {isTeamLead && !isRejected && (
<Dialog open={isInviteOpen} onOpenChange={setIsInviteOpen}> <Dialog open={isInviteOpen} onOpenChange={setIsInviteOpen}>
<DialogTrigger asChild> <DialogTrigger asChild>
<Button size="sm"> <Button size="sm">
@@ -578,7 +579,7 @@ export default function ApplicantProjectPage() {
</div> </div>
</div> </div>
{isTeamLead && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && ( {isTeamLead && !isRejected && member.role !== 'LEAD' && teamData.submittedBy?.id !== member.userId && (
<AlertDialog> <AlertDialog>
<AlertDialogTrigger asChild> <AlertDialogTrigger asChild>
<Button variant="ghost" size="icon" className="text-destructive"> <Button variant="ghost" size="icon" className="text-destructive">

5
src/app/(auth)/layout.tsx
View File

@@ -19,13 +19,14 @@ export default async function AuthLayout({
// Redirect logged-in users to their dashboard // Redirect logged-in users to their dashboard
// But NOT if they still need to set their password // But NOT if they still need to set their password
if (session?.user && !session.user.mustSetPassword) { if (session?.user && !session.user.mustSetPassword) {
// Verify user still exists in DB (handles deleted accounts with stale sessions) // Verify user still exists in DB and check onboarding status
const dbUser = await prisma.user.findUnique({ const dbUser = await prisma.user.findUnique({
where: { id: session.user.id }, where: { id: session.user.id },
select: { id: true }, select: { id: true, onboardingCompletedAt: true },
}) })
if (dbUser) { if (dbUser) {
const role = session.user.role const role = session.user.role
if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') { if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
redirect('/admin') redirect('/admin')

12
src/app/(auth)/set-password/page.tsx
View File

@@ -36,17 +36,9 @@ export default function SetPasswordPage() {
setIsSuccess(true) setIsSuccess(true)
// Update the session to reflect the password has been set // Update the session to reflect the password has been set
await updateSession() await updateSession()
// Redirect after a short delay // Redirect after a short delay — all roles go to onboarding first
setTimeout(() => { setTimeout(() => {
if (session?.user?.role === 'JURY_MEMBER') { router.push('/onboarding')
router.push('/jury')
} else if (session?.user?.role === 'SUPER_ADMIN' || session?.user?.role === 'PROGRAM_ADMIN') {
router.push('/admin')
} else if (session?.user?.role === 'APPLICANT') {
router.push('/onboarding')
} else {
router.push('/')
}
}, 2000) }, 2000)
}, },
onError: (err) => { onError: (err) => {

25
src/lib/auth.ts
View File

@@ -15,7 +15,19 @@ const LOCKOUT_DURATION_MS = 15 * 60 * 1000 // 15 minutes
export const { handlers, auth, signIn, signOut } = NextAuth({ export const { handlers, auth, signIn, signOut } = NextAuth({
...authConfig, ...authConfig,
adapter: PrismaAdapter(prisma), adapter: {
...PrismaAdapter(prisma),
async useVerificationToken({ identifier, token }: { identifier: string; token: string }) {
try {
return await prisma.verificationToken.delete({
where: { identifier_token: { identifier, token } },
})
} catch (e) {
if ((e as { code?: string }).code === 'P2025') return null
throw e
}
},
},
providers: [ providers: [
// Email provider for magic links (used for first login and password reset) // Email provider for magic links (used for first login and password reset)
EmailProvider({ EmailProvider({
@@ -129,7 +141,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
}, },
}) })
if (!user || user.status === 'SUSPENDED' || !user.passwordHash) { if (!user || user.status === 'SUSPENDED') {
// Track failed attempt (don't reveal whether user exists) // Track failed attempt (don't reveal whether user exists)
const current = failedAttempts.get(email) || { count: 0, lockedUntil: 0 } const current = failedAttempts.get(email) || { count: 0, lockedUntil: 0 }
current.count++ current.count++
@@ -139,19 +151,24 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
} }
failedAttempts.set(email, current) failedAttempts.set(email, current)
// Log failed login // Log failed login — real security event
await prisma.auditLog.create({ await prisma.auditLog.create({
data: { data: {
userId: null, userId: null,
action: 'LOGIN_FAILED', action: 'LOGIN_FAILED',
entityType: 'User', entityType: 'User',
detailsJson: { email, reason: !user ? 'user_not_found' : user.status === 'SUSPENDED' ? 'suspended' : 'no_password' }, detailsJson: { email, reason: !user ? 'user_not_found' : 'suspended' },
}, },
}).catch(() => {}) }).catch(() => {})
return null return null
} }
if (!user.passwordHash) {
// Magic-link user tried credentials form — expected, not a security event
return null
}
// Verify password // Verify password
const isValid = await verifyPassword(password, user.passwordHash) const isValid = await verifyPassword(password, user.passwordHash)
if (!isValid) { if (!isValid) {

10
src/lib/storage/index.ts
View File

@@ -126,6 +126,14 @@ export function getContentType(fileName: string): string {
* Validate image file type * Validate image file type
*/ */
export function isValidImageType(contentType: string): boolean { export function isValidImageType(contentType: string): boolean {
const validTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'] const validTypes = [
'image/jpeg',
'image/jpg', // non-standard but common browser alias for image/jpeg
'image/png',
'image/gif',
'image/webp',
'image/svg+xml',
'application/octet-stream', // some browsers send this as a fallback
]
return validTypes.includes(contentType) return validTypes.includes(contentType)
} }

89
src/server/routers/applicant.ts
View File

@@ -20,6 +20,16 @@ function generateInviteToken(): string {
return crypto.randomBytes(32).toString('hex') return crypto.randomBytes(32).toString('hex')
} }
/** Check if a project has been rejected in any round (based on ProjectRoundState, not Project.status) */
// eslint-disable-next-line @typescript-eslint/no-explicit-any
async function isProjectRejected(prisma: any, projectId: string): Promise<boolean> {
const rejected = await prisma.projectRoundState.findFirst({
where: { projectId, state: 'REJECTED' },
select: { id: true },
})
return !!rejected
}
export const applicantRouter = router({ export const applicantRouter = router({
/** /**
* Get submission info for an applicant (by round slug) * Get submission info for an applicant (by round slug)
@@ -276,6 +286,11 @@ export const applicantRouter = router({
}) })
} }
// Block rejected projects from uploading
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Uploads are no longer permitted.' })
}
// If uploading against a requirement, validate mime type and size // If uploading against a requirement, validate mime type and size
if (input.requirementId) { if (input.requirementId) {
const requirement = await ctx.prisma.fileRequirement.findUnique({ const requirement = await ctx.prisma.fileRequirement.findUnique({
@@ -303,21 +318,29 @@ export const applicantRouter = router({
let isLate = false let isLate = false
// Can't upload if already submitted // Can't upload if already submitted — but only for initial application edits.
if (project.submittedAt && !isLate) { // Round-specific uploads (business plan, video for later rounds) are allowed
// as long as the round is active.
if (project.submittedAt && !input.roundId) {
throw new TRPCError({ throw new TRPCError({
code: 'BAD_REQUEST', code: 'BAD_REQUEST',
message: 'Cannot modify a submitted project', message: 'Cannot modify a submitted project',
}) })
} }
// Fetch round name for storage path (if uploading against a round) // Fetch round info and verify it's active
let roundName: string | undefined let roundName: string | undefined
if (input.roundId) { if (input.roundId) {
const round = await ctx.prisma.round.findUnique({ const round = await ctx.prisma.round.findUnique({
where: { id: input.roundId }, where: { id: input.roundId },
select: { name: true }, select: { name: true, status: true },
}) })
if (round && round.status !== 'ROUND_ACTIVE') {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'This round is closed. Documents can no longer be uploaded.',
})
}
roundName = round?.name roundName = round?.name
} }
@@ -385,6 +408,11 @@ export const applicantRouter = router({
}) })
} }
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
}
const { projectId, roundId, isLate, requirementId, ...fileData } = input const { projectId, roundId, isLate, requirementId, ...fileData } = input
// Delete existing file: by requirementId if provided, otherwise by fileType // Delete existing file: by requirementId if provided, otherwise by fileType
@@ -459,14 +487,33 @@ export const applicantRouter = router({
}) })
} }
// Can't delete if project is submitted // Block rejected projects
if (file.project.submittedAt) { if (await isProjectRejected(ctx.prisma, file.project.id)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
}
// Can't delete initial application files after submission
if (file.project.submittedAt && !file.roundId) {
throw new TRPCError({ throw new TRPCError({
code: 'BAD_REQUEST', code: 'BAD_REQUEST',
message: 'Cannot modify a submitted project', message: 'Cannot modify a submitted project',
}) })
} }
// Round-specific files can only be deleted while the round is active
if (file.roundId) {
const round = await ctx.prisma.round.findUnique({
where: { id: file.roundId },
select: { status: true },
})
if (round && round.status !== 'ROUND_ACTIVE') {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'This round is closed. Documents can no longer be modified.',
})
}
}
await ctx.prisma.projectFile.delete({ await ctx.prisma.projectFile.delete({
where: { id: input.fileId }, where: { id: input.fileId },
}) })
@@ -809,6 +856,11 @@ export const applicantRouter = router({
}) })
} }
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
}
// Check if already a team member // Check if already a team member
const existingMember = await ctx.prisma.teamMember.findFirst({ const existingMember = await ctx.prisma.teamMember.findFirst({
where: { where: {
@@ -1020,6 +1072,11 @@ export const applicantRouter = router({
}) })
} }
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
}
// Can't remove the original submitter // Can't remove the original submitter
if (project.submittedByUserId === input.userId) { if (project.submittedByUserId === input.userId) {
throw new TRPCError({ throw new TRPCError({
@@ -1234,7 +1291,7 @@ export const applicantRouter = router({
} }
} }
const isRejected = currentStatus === 'REJECTED' const isRejected = await isProjectRejected(ctx.prisma, project.id)
const hasWonAward = project.wonAwards.length > 0 const hasWonAward = project.wonAwards.length > 0
// Build timeline // Build timeline
@@ -1382,9 +1439,10 @@ export const applicantRouter = router({
isTeamLead, isTeamLead,
userRole: userMembership?.role || (project.submittedByUserId === ctx.user.id ? 'LEAD' : null), userRole: userMembership?.role || (project.submittedByUserId === ctx.user.id ? 'LEAD' : null),
}, },
openRounds, openRounds: isRejected ? [] : openRounds,
timeline, timeline,
currentStatus, currentStatus,
isRejected,
hasPassedIntake: !!passedIntake, hasPassedIntake: !!passedIntake,
isIntakeOpen: !!activeIntakeRound, isIntakeOpen: !!activeIntakeRound,
logoUrl, logoUrl,
@@ -1442,9 +1500,12 @@ export const applicantRouter = router({
select: { configJson: true }, select: { configJson: true },
}) })
: [] : []
const navProjectRejected = await isProjectRejected(ctx.prisma, project.id)
hasEvaluationRounds = closedEvalRounds.some((r) => { hasEvaluationRounds = closedEvalRounds.some((r) => {
const parsed = EvaluationConfigSchema.safeParse(r.configJson) const parsed = EvaluationConfigSchema.safeParse(r.configJson)
return parsed.success && parsed.data.applicantVisibility.enabled if (!parsed.success || !parsed.data.applicantVisibility.enabled) return false
if (parsed.data.applicantVisibility.hideFromRejected && navProjectRejected) return false
return true
}) })
} }
@@ -1746,11 +1807,16 @@ export const applicantRouter = router({
}> }>
}> = [] }> = []
const projectIsRejected = await isProjectRejected(ctx.prisma, project.id)
for (let i = 0; i < evalRounds.length; i++) { for (let i = 0; i < evalRounds.length; i++) {
const round = evalRounds[i] const round = evalRounds[i]
const parsed = EvaluationConfigSchema.safeParse(round.configJson) const parsed = EvaluationConfigSchema.safeParse(round.configJson)
if (!parsed.success || !parsed.data.applicantVisibility.enabled) continue if (!parsed.success || !parsed.data.applicantVisibility.enabled) continue
// Skip this round if hideFromRejected is on and the project has been rejected
if (parsed.data.applicantVisibility.hideFromRejected && projectIsRejected) continue
const vis = parsed.data.applicantVisibility const vis = parsed.data.applicantVisibility
// Get evaluations via assignments — NEVER select userId or user relation // Get evaluations via assignments — NEVER select userId or user relation
@@ -1991,6 +2057,11 @@ export const applicantRouter = router({
throw new TRPCError({ code: 'FORBIDDEN', message: 'You are not a member of this project' }) throw new TRPCError({ code: 'FORBIDDEN', message: 'You are not a member of this project' })
} }
// Block rejected projects
if (await isProjectRejected(ctx.prisma, input.projectId)) {
throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Logo changes are no longer permitted.' })
}
return getImageUploadUrl( return getImageUploadUrl(
input.projectId, input.projectId,
input.fileName, input.fileName,