MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: MOPC:b1a994a9d60bd805608c2d0619693e550a1b9f11
Branches Tags
MOPC:main MOPC:with-test
..
compare: MOPC:79ac60dc1e78c68f000a838c77384df56dbd4d04
Branches Tags
MOPC:main MOPC:with-test

2 Commits
b1a994a9d6 ... 79ac60dc1e

Author SHA1 Message Date
Matt
79ac60dc1e feat: automatic mutation audit logging for all non-super-admin users
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Details 
Implement withMutationAudit middleware in tRPC that automatically logs
every successful mutation for non-SUPER_ADMIN users. Captures procedure
path, sanitized input (passwords/tokens redacted), user role, IP, and
user agent. Applied to all procedure types except superAdminProcedure.

- Input sanitization: strips sensitive fields, truncates long strings
  (500 chars), limits array size (20 items), caps nesting depth (4)
- Entity ID auto-extraction from common input patterns (id, userId,
  projectId, roundId, etc.)
- Action names derived from procedure path (e.g., evaluation.submit
  becomes EVALUATION_SUBMIT)
- Audit page updated with new action types and entity types for
  filtering auto-generated entries
- Failures silently caught — audit logging never breaks operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-04 18:04:52 +01:00
Matt
6c52e519e5 feat: impersonation system, semi-finalist detail page, tRPC resilience 
- Add super-admin impersonation: "Login As" from user list, red banner
  with "Return to Admin", audit logged start/end, nested impersonation
  blocked, onboarding gate skipped during impersonation
- Fix semi-finalist stats: check latest terminal state (not any PASSED),
  use passwordHash OR status=ACTIVE for activation check
- Add /admin/semi-finalists detail page with search, category/status filters
- Add account_reminder_days setting to notifications tab
- Add tRPC resilience: retry on 503/HTML responses, custom fetch detects
  nginx error pages, exponential backoff (2s/4s/8s)
- Reduce dashboard polling intervals (60s stats, 30s activity, 120s semi)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-04 17:55:44 +01:00
20 changed files with 1032 additions and 106 deletions
Expand all files Collapse all files

81
src/app/(admin)/admin/audit/page.tsx
View File

@@ -57,8 +57,9 @@ import { CsvExportDialog } from '@/components/shared/csv-export-dialog'
import { formatDate } from '@/lib/utils'
import { cn } from '@/lib/utils'
// Action type options
// Action type options (manual audit actions + auto-generated mutation audit actions)
const ACTION_TYPES = [
// Manual audit actions
'CREATE',
'UPDATE',
'DELETE',
@@ -88,12 +89,48 @@ const ACTION_TYPES = [
'APPLY_AI_SUGGESTIONS',
'APPLY_SUGGESTIONS',
'NOTIFY_JURORS_OF_ASSIGNMENTS',
'IMPERSONATION_START',
'IMPERSONATION_END',
// Auto-generated mutation audit actions (non-super-admin)
'EVALUATION_START',
'EVALUATION_SUBMIT',
'EVALUATION_AUTOSAVE',
'EVALUATION_DECLARE_COI',
'EVALUATION_ADD_COMMENT',
'APPLICANT_SAVE_SUBMISSION',
'APPLICANT_SAVE_FILE_METADATA',
'APPLICANT_DELETE_FILE',
'APPLICANT_REQUEST_MENTORING',
'APPLICANT_WITHDRAW_FROM_COMPETITION',
'APPLICANT_INVITE_TEAM_MEMBER',
'APPLICANT_REMOVE_TEAM_MEMBER',
'APPLICANT_SEND_MENTOR_MESSAGE',
'APPLICATION_SUBMIT',
'APPLICATION_SAVE_DRAFT',
'APPLICATION_SUBMIT_DRAFT',
'MENTOR_SEND_MESSAGE',
'MENTOR_CREATE_NOTE',
'MENTOR_DELETE_NOTE',
'MENTOR_COMPLETE_MILESTONE',
'LIVE_CAST_VOTE',
'LIVE_CAST_STAGE_VOTE',
'LIVE_VOTING_VOTE',
'LIVE_VOTING_CAST_AUDIENCE_VOTE',
'DELIBERATION_SUBMIT_VOTE',
'NOTIFICATION_MARK_AS_READ',
'NOTIFICATION_MARK_ALL_AS_READ',
'USER_UPDATE_PROFILE',
'USER_SET_PASSWORD',
'USER_CHANGE_PASSWORD',
'USER_COMPLETE_ONBOARDING',
'SPECIAL_AWARD_SUBMIT_VOTE',
]
// Entity type options
const ENTITY_TYPES = [
'User',
'Program',
'Competition',
'Round',
'Project',
'Assignment',
@@ -101,6 +138,21 @@ const ENTITY_TYPES = [
'EvaluationForm',
'ProjectFile',
'GracePeriod',
'Applicant',
'Application',
'Mentor',
'Live',
'LiveVoting',
'Deliberation',
'Notification',
'SpecialAward',
'File',
'Tag',
'Message',
'Settings',
'Ranking',
'Filtering',
'RoundEngine',
]
// Color map for action types
@@ -128,8 +180,35 @@ const actionColors: Record<string, 'default' | 'destructive' | 'secondary' | 'ou
APPLY_AI_SUGGESTIONS: 'default',
APPLY_SUGGESTIONS: 'default',
NOTIFY_JURORS_OF_ASSIGNMENTS: 'outline',
IMPERSONATION_START: 'destructive',
IMPERSONATION_END: 'secondary',
// Auto-generated mutation audit actions
EVALUATION_START: 'default',
EVALUATION_SUBMIT: 'default',
EVALUATION_AUTOSAVE: 'outline',
EVALUATION_DECLARE_COI: 'secondary',
EVALUATION_ADD_COMMENT: 'outline',
APPLICANT_SAVE_SUBMISSION: 'default',
APPLICANT_DELETE_FILE: 'destructive',
APPLICANT_WITHDRAW_FROM_COMPETITION: 'destructive',
APPLICANT_INVITE_TEAM_MEMBER: 'default',
APPLICANT_REMOVE_TEAM_MEMBER: 'destructive',
APPLICATION_SUBMIT: 'default',
MENTOR_SEND_MESSAGE: 'outline',
MENTOR_CREATE_NOTE: 'default',
MENTOR_DELETE_NOTE: 'destructive',
LIVE_CAST_VOTE: 'default',
LIVE_CAST_STAGE_VOTE: 'default',
LIVE_VOTING_CAST_AUDIENCE_VOTE: 'default',
DELIBERATION_SUBMIT_VOTE: 'default',
SPECIAL_AWARD_SUBMIT_VOTE: 'default',
USER_UPDATE_PROFILE: 'secondary',
USER_SET_PASSWORD: 'outline',
USER_CHANGE_PASSWORD: 'outline',
USER_COMPLETE_ONBOARDING: 'default',
}
export default function AuditLogPage() {
// Filter state
const [filters, setFilters] = useState({

10
src/app/(admin)/admin/dashboard-content.tsx
View File

@@ -116,20 +116,21 @@ function getContextualActions(
export function DashboardContent({ editionId, sessionName }: DashboardContentProps) {
const { data, isLoading, error } = trpc.dashboard.getStats.useQuery(
{ editionId },
{ enabled: !!editionId, retry: 1, refetchInterval: 30_000 }
{ enabled: !!editionId, refetchInterval: 60_000 }
)
const { data: recentEvals } = trpc.dashboard.getRecentEvaluations.useQuery(
{ editionId, limit: 8 },
{ enabled: !!editionId, refetchInterval: 30_000 }
{ enabled: !!editionId, refetchInterval: 60_000 }
)
const { data: liveActivity } = trpc.dashboard.getRecentActivity.useQuery(
{ limit: 8 },
{ enabled: !!editionId, refetchInterval: 5_000 }
{ enabled: !!editionId, refetchInterval: 30_000 }
)
const { data: semiFinalistStats } = trpc.dashboard.getSemiFinalistStats.useQuery(
{ editionId },
{ enabled: !!editionId, refetchInterval: 60_000 }
{ enabled: !!editionId, refetchInterval: 120_000 }
)
const { data: featureFlags } = trpc.settings.getFeatureFlags.useQuery()
if (isLoading) {
return <DashboardSkeleton />
@@ -283,6 +284,7 @@ export function DashboardContent({ editionId, sessionName }: DashboardContentPro
byAward={semiFinalistStats.byAward}
unactivatedProjects={semiFinalistStats.unactivatedProjects}
editionId={editionId}
reminderThresholdDays={featureFlags?.accountReminderDays}
/>
</AnimatedCard>
)}

42
src/app/(admin)/admin/semi-finalists/page.tsx Normal file
View File

@@ -0,0 +1,42 @@
import type { Metadata } from 'next'
import { prisma } from '@/lib/prisma'
import { SemiFinalistsContent } from '@/components/admin/semi-finalists-content'
export const metadata: Metadata = { title: 'Semi-Finalists' }
export const dynamic = 'force-dynamic'
type PageProps = {
searchParams: Promise<{ editionId?: string }>
}
export default async function SemiFinalistsPage({ searchParams }: PageProps) {
const params = await searchParams
let editionId = params.editionId || null
if (!editionId) {
const defaultEdition = await prisma.program.findFirst({
where: { status: 'ACTIVE' },
orderBy: { year: 'desc' },
select: { id: true },
})
editionId = defaultEdition?.id || null
if (!editionId) {
const anyEdition = await prisma.program.findFirst({
orderBy: { year: 'desc' },
select: { id: true },
})
editionId = anyEdition?.id || null
}
}
if (!editionId) {
return (
<div className="py-12 text-center text-muted-foreground">
No edition found.
</div>
)
}
return <SemiFinalistsContent editionId={editionId} />
}

23
src/app/(applicant)/layout.tsx
View File

@@ -11,19 +11,22 @@ export default async function ApplicantLayout({
children: React.ReactNode
}) {
const session = await requireRole('APPLICANT')
const isImpersonating = !!session.user.impersonating
// Check if user has completed onboarding
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
// Check if user has completed onboarding (skip during impersonation)
if (!isImpersonating) {
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
if (!user) {
redirect('/login')
}
if (!user) {
redirect('/login')
}
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
}
}
return (

24
src/app/(jury)/layout.tsx
View File

@@ -11,20 +11,22 @@ export default async function JuryLayout({
children: React.ReactNode
}) {
const session = await requireRole('JURY_MEMBER')
const isImpersonating = !!session.user.impersonating
// Check if user has completed onboarding
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
// Check if user has completed onboarding (skip during impersonation)
if (!isImpersonating) {
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
if (!user) {
// User was deleted — session is stale, send to login
redirect('/login')
}
if (!user) {
redirect('/login')
}
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
}
}
return (

6
src/app/(mentor)/layout.tsx
View File

@@ -12,16 +12,16 @@ export default async function MentorLayout({
}) {
const session = await requireRole('MENTOR', 'PROGRAM_ADMIN', 'SUPER_ADMIN')
// Check if user has completed onboarding (for mentors)
// Check if user has completed onboarding (for mentors, skip during impersonation)
const isImpersonating = !!session.user.impersonating
const userRoles = session.user.roles?.length ? session.user.roles : [session.user.role]
if (userRoles.includes('MENTOR') && !userRoles.some(r => r === 'SUPER_ADMIN' || r === 'PROGRAM_ADMIN')) {
if (!isImpersonating && userRoles.includes('MENTOR') && !userRoles.some(r => r === 'SUPER_ADMIN' || r === 'PROGRAM_ADMIN')) {
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
if (!user) {
// User was deleted — session is stale, send to login
redirect('/login')
}

23
src/app/(observer)/layout.tsx
View File

@@ -12,19 +12,22 @@ export default async function ObserverLayout({
children: React.ReactNode
}) {
const session = await requireRole('OBSERVER')
const isImpersonating = !!session.user.impersonating
// Check if user has completed onboarding
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
// Check if user has completed onboarding (skip during impersonation)
if (!isImpersonating) {
const user = await prisma.user.findUnique({
where: { id: session.user.id },
select: { onboardingCompletedAt: true },
})
if (!user) {
redirect('/login')
}
if (!user) {
redirect('/login')
}
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
if (!user.onboardingCompletedAt) {
redirect('/onboarding')
}
}
return (

6
src/app/layout.tsx
View File

@@ -2,6 +2,7 @@ import type { Metadata } from 'next'
import './globals.css'
import { Providers } from './providers'
import { Toaster } from 'sonner'
import { ImpersonationBanner } from '@/components/shared/impersonation-banner'
export const metadata: Metadata = {
title: {
@@ -22,7 +23,10 @@ export default function RootLayout({
return (
<html lang="en" suppressHydrationWarning>
<body className="min-h-screen bg-background font-sans antialiased">
<Providers>{children}</Providers>
<Providers>
<ImpersonationBanner />
{children}
</Providers>
<Toaster
position="top-right"
toastOptions={{

25
src/app/providers.tsx
View File

@@ -14,6 +14,16 @@ function makeQueryClient() {
queries: {
staleTime: 5 * 60 * 1000, // 5 minutes
refetchOnWindowFocus: false,
retry: (failureCount, error) => {
// Retry up to 3 times on server errors (503 cold-start, etc.)
if (failureCount >= 3) return false
const msg = (error as Error)?.message ?? ''
// Retry on JSON parse errors (HTML 503 from nginx) and server errors
if (msg.includes('is not valid JSON') || msg.includes('Unexpected token')) return true
if (msg.includes('500') || msg.includes('502') || msg.includes('503')) return true
return failureCount < 2
},
retryDelay: (attemptIndex) => Math.min(2000 * (attemptIndex + 1), 8000),
},
},
})
@@ -47,6 +57,21 @@ export function Providers({ children }: { children: React.ReactNode }) {
httpBatchLink({
url: `${getBaseUrl()}/api/trpc`,
transformer: superjson,
async fetch(url, options) {
const res = await globalThis.fetch(url, options)
// Detect nginx 503 / HTML error pages before tRPC tries to JSON.parse
if (!res.ok) {
const ct = res.headers.get('content-type') ?? ''
if (ct.includes('text/html') || !ct.includes('json')) {
throw new Error(
res.status >= 500
? 'Server is starting up — please wait a moment and try again.'
: `Server error (${res.status})`
)
}
}
return res
},
}),
],
})

265
src/components/admin/semi-finalists-content.tsx Normal file
View File

@@ -0,0 +1,265 @@
'use client'
import { useState, useMemo } from 'react'
import Link from 'next/link'
import type { Route } from 'next'
import { trpc } from '@/lib/trpc/client'
import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card'
import { Input } from '@/components/ui/input'
import { Badge } from '@/components/ui/badge'
import { Button } from '@/components/ui/button'
import {
Select,
SelectContent,
SelectItem,
SelectTrigger,
SelectValue,
} from '@/components/ui/select'
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from '@/components/ui/table'
import {
Tooltip,
TooltipContent,
TooltipProvider,
TooltipTrigger,
} from '@/components/ui/tooltip'
import {
Users,
Search,
CheckCircle2,
AlertCircle,
Clock,
ArrowLeft,
Loader2,
} from 'lucide-react'
const categoryLabels: Record<string, string> = {
STARTUP: 'Startup',
BUSINESS_CONCEPT: 'Business Concept',
}
const statusConfig = {
active: { label: 'Active', color: 'bg-emerald-500', icon: CheckCircle2 },
invited: { label: 'Invited', color: 'bg-amber-500', icon: Clock },
none: { label: 'No Account', color: 'bg-red-500', icon: AlertCircle },
} as const
type SemiFinalistsContentProps = {
editionId: string
}
export function SemiFinalistsContent({ editionId }: SemiFinalistsContentProps) {
const { data, isLoading } = trpc.dashboard.getSemiFinalistDetail.useQuery(
{ editionId },
{ enabled: !!editionId }
)
const [search, setSearch] = useState('')
const [categoryFilter, setCategoryFilter] = useState<string>('all')
const [statusFilter, setStatusFilter] = useState<string>('all')
const filtered = useMemo(() => {
if (!data) return []
let items = data
if (categoryFilter !== 'all') {
items = items.filter(p => p.category === categoryFilter)
}
if (statusFilter === 'activated') {
items = items.filter(p => p.allActivated)
} else if (statusFilter === 'pending') {
items = items.filter(p => !p.allActivated)
}
if (search.trim()) {
const q = search.toLowerCase()
items = items.filter(p =>
p.title.toLowerCase().includes(q) ||
p.teamName?.toLowerCase().includes(q) ||
p.country?.toLowerCase().includes(q) ||
p.teamMembers.some(tm =>
tm.name?.toLowerCase().includes(q) ||
tm.email.toLowerCase().includes(q)
)
)
}
return items
}, [data, search, categoryFilter, statusFilter])
const stats = useMemo(() => {
if (!data) return { total: 0, activated: 0, pending: 0 }
return {
total: data.length,
activated: data.filter(p => p.allActivated).length,
pending: data.filter(p => !p.allActivated).length,
}
}, [data])
if (isLoading) {
return (
<div className="flex items-center justify-center py-24">
<Loader2 className="h-8 w-8 animate-spin text-muted-foreground" />
</div>
)
}
return (
<div className="space-y-6">
{/* Header */}
<div className="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
<div className="flex items-center gap-3">
<Link href={'/admin' as Route}>
<Button variant="ghost" size="icon" className="h-8 w-8">
<ArrowLeft className="h-4 w-4" />
</Button>
</Link>
<div>
<h1 className="text-xl font-bold tracking-tight md:text-2xl">
Semi-Finalists
</h1>
<p className="text-sm text-muted-foreground">
{stats.total} projects &middot; {stats.activated} fully activated &middot; {stats.pending} pending
</p>
</div>
</div>
</div>
{/* Filters */}
<Card>
<CardContent className="pt-6">
<div className="flex flex-col gap-3 sm:flex-row">
<div className="relative flex-1">
<Search className="absolute left-3 top-1/2 h-4 w-4 -translate-y-1/2 text-muted-foreground" />
<Input
placeholder="Search by project, team, member name or email..."
value={search}
onChange={(e) => setSearch(e.target.value)}
className="pl-9"
/>
</div>
<Select value={categoryFilter} onValueChange={setCategoryFilter}>
<SelectTrigger className="w-full sm:w-[180px]">
<SelectValue placeholder="Category" />
</SelectTrigger>
<SelectContent>
<SelectItem value="all">All Categories</SelectItem>
<SelectItem value="STARTUP">Startup</SelectItem>
<SelectItem value="BUSINESS_CONCEPT">Business Concept</SelectItem>
</SelectContent>
</Select>
<Select value={statusFilter} onValueChange={setStatusFilter}>
<SelectTrigger className="w-full sm:w-[180px]">
<SelectValue placeholder="Account Status" />
</SelectTrigger>
<SelectContent>
<SelectItem value="all">All Statuses</SelectItem>
<SelectItem value="activated">Fully Activated</SelectItem>
<SelectItem value="pending">Pending Setup</SelectItem>
</SelectContent>
</Select>
</div>
</CardContent>
</Card>
{/* Table */}
<Card>
<CardHeader className="pb-3">
<CardTitle className="flex items-center gap-2 text-base">
<Users className="h-4 w-4 text-brand-blue" />
{filtered.length} project{filtered.length !== 1 ? 's' : ''}
</CardTitle>
</CardHeader>
<CardContent>
{filtered.length === 0 ? (
<p className="py-8 text-center text-sm text-muted-foreground">
No semi-finalist projects match your filters.
</p>
) : (
<div className="overflow-x-auto">
<Table>
<TableHeader>
<TableRow>
<TableHead>Project</TableHead>
<TableHead>Category</TableHead>
<TableHead>Country</TableHead>
<TableHead>Current Round</TableHead>
<TableHead>Team Members</TableHead>
<TableHead className="text-center">Status</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{filtered.map((project) => (
<TableRow key={project.projectId}>
<TableCell>
<Link
href={`/admin/projects/${project.projectId}` as Route}
className="font-medium text-brand-blue hover:underline"
>
{project.title}
</Link>
{project.teamName && (
<p className="text-xs text-muted-foreground">{project.teamName}</p>
)}
</TableCell>
<TableCell>
<Badge variant="outline" className="text-xs">
{categoryLabels[project.category ?? ''] ?? project.category}
</Badge>
</TableCell>
<TableCell className="text-sm">{project.country || '—'}</TableCell>
<TableCell className="text-sm">{project.currentRound}</TableCell>
<TableCell>
<TooltipProvider>
<div className="space-y-1">
{project.teamMembers.map((tm, idx) => {
const cfg = statusConfig[tm.accountStatus]
const Icon = cfg.icon
return (
<Tooltip key={idx}>
<TooltipTrigger asChild>
<div className="flex items-center gap-1.5 text-sm">
<span className={`inline-block h-2 w-2 rounded-full ${cfg.color}`} />
<span className="max-w-[180px] truncate">
{tm.name || tm.email}
</span>
</div>
</TooltipTrigger>
<TooltipContent>
<p>{tm.email}</p>
<p className="text-xs text-muted-foreground">
{cfg.label}
{tm.lastLogin && ` · Last login: ${new Date(tm.lastLogin).toLocaleDateString()}`}
</p>
</TooltipContent>
</Tooltip>
)
})}
</div>
</TooltipProvider>
</TableCell>
<TableCell className="text-center">
{project.allActivated ? (
<CheckCircle2 className="mx-auto h-4 w-4 text-emerald-500" />
) : (
<AlertCircle className="mx-auto h-4 w-4 text-amber-500" />
)}
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</div>
)}
</CardContent>
</Card>
</div>
)
}

73
src/components/admin/user-actions.tsx
View File

@@ -2,6 +2,9 @@
import { useState } from 'react'
import Link from 'next/link'
import type { Route } from 'next'
import { useSession } from 'next-auth/react'
import { useRouter } from 'next/navigation'
import { trpc } from '@/lib/trpc/client'
import { Button } from '@/components/ui/button'
import {
@@ -33,6 +36,7 @@ import {
Trash2,
Loader2,
Shield,
LogIn,
} from 'lucide-react'
type Role = 'SUPER_ADMIN' | 'PROGRAM_ADMIN' | 'JURY_MEMBER' | 'MENTOR' | 'OBSERVER'
@@ -54,9 +58,21 @@ interface UserActionsProps {
currentUserRole?: Role
}
function getRoleHomePath(role: string): string {
switch (role) {
case 'JURY_MEMBER': return '/jury'
case 'APPLICANT': return '/applicant'
case 'MENTOR': return '/mentor'
case 'OBSERVER': return '/observer'
default: return '/admin'
}
}
export function UserActions({ userId, userEmail, userStatus, userRole, userRoles, currentUserRole }: UserActionsProps) {
const [showDeleteDialog, setShowDeleteDialog] = useState(false)
const [isSending, setIsSending] = useState(false)
const { data: session, update } = useSession()
const router = useRouter()
const utils = trpc.useUtils()
const sendInvitation = trpc.user.sendInvitation.useMutation()
@@ -65,6 +81,7 @@ export function UserActions({ userId, userEmail, userStatus, userRole, userRoles
utils.user.list.invalidate()
},
})
const startImpersonation = trpc.user.startImpersonation.useMutation()
const updateRoles = trpc.user.updateRoles.useMutation({
onSuccess: () => {
utils.user.list.invalidate()
@@ -105,6 +122,18 @@ export function UserActions({ userId, userEmail, userStatus, userRole, userRoles
updateRoles.mutate({ userId, roles: newRoles })
}
const handleImpersonate = async () => {
try {
const result = await startImpersonation.mutateAsync({ targetUserId: userId })
await update({ impersonate: userId })
toast.success(`Now impersonating ${userEmail}`)
router.push(getRoleHomePath(result.targetRole) as Route)
router.refresh()
} catch (error) {
toast.error(error instanceof Error ? error.message : 'Failed to start impersonation')
}
}
const handleSendInvitation = async () => {
if (userStatus !== 'NONE' && userStatus !== 'INVITED') {
toast.error('User has already accepted their invitation')
@@ -154,6 +183,19 @@ export function UserActions({ userId, userEmail, userStatus, userRole, userRoles
Edit
</Link>
</DropdownMenuItem>
{isSuperAdmin && session?.user?.id !== userId && (
<DropdownMenuItem
onClick={handleImpersonate}
disabled={startImpersonation.isPending}
>
{startImpersonation.isPending ? (
<Loader2 className="mr-2 h-4 w-4 animate-spin" />
) : (
<LogIn className="mr-2 h-4 w-4" />
)}
Login As
</DropdownMenuItem>
)}
{canChangeRole && (
<DropdownMenuSub>
<DropdownMenuSubTrigger disabled={updateRoles.isPending}>
@@ -237,8 +279,11 @@ export function UserMobileActions({
currentUserRole,
}: UserMobileActionsProps) {
const [isSending, setIsSending] = useState(false)
const { data: session, update } = useSession()
const router = useRouter()
const utils = trpc.useUtils()
const sendInvitation = trpc.user.sendInvitation.useMutation()
const startImpersonation = trpc.user.startImpersonation.useMutation()
const updateRoles = trpc.user.updateRoles.useMutation({
onSuccess: () => {
utils.user.list.invalidate()
@@ -253,6 +298,18 @@ export function UserMobileActions({
const canChangeRole = isSuperAdmin || (!['SUPER_ADMIN', 'PROGRAM_ADMIN'].includes(userRole))
const currentRoles: Role[] = userRoles?.length ? userRoles : [userRole]
const handleImpersonateMobile = async () => {
try {
const result = await startImpersonation.mutateAsync({ targetUserId: userId })
await update({ impersonate: userId })
toast.success(`Now impersonating ${userEmail}`)
router.push(getRoleHomePath(result.targetRole) as Route)
router.refresh()
} catch (error) {
toast.error(error instanceof Error ? error.message : 'Failed to start impersonation')
}
}
const handleSendInvitation = async () => {
if (userStatus !== 'NONE' && userStatus !== 'INVITED') {
toast.error('User has already accepted their invitation')
@@ -280,6 +337,22 @@ export function UserMobileActions({
Edit
</Link>
</Button>
{isSuperAdmin && session?.user?.id !== userId && (
<Button
variant="outline"
size="sm"
className="flex-1"
onClick={handleImpersonateMobile}
disabled={startImpersonation.isPending}
>
{startImpersonation.isPending ? (
<Loader2 className="mr-2 h-4 w-4 animate-spin" />
) : (
<LogIn className="mr-2 h-4 w-4" />
)}
Login As
</Button>
)}
<Button
variant="outline"
size="sm"

18
src/components/dashboard/semi-finalist-tracker.tsx
View File

@@ -5,6 +5,8 @@ import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card'
import { Button } from '@/components/ui/button'
import { Badge } from '@/components/ui/badge'
import { Progress } from '@/components/ui/progress'
import Link from 'next/link'
import type { Route } from 'next'
import {
Users,
Send,
@@ -12,6 +14,7 @@ import {
AlertCircle,
Trophy,
Loader2,
ExternalLink,
} from 'lucide-react'
import { trpc } from '@/lib/trpc/client'
import { toast } from 'sonner'
@@ -44,6 +47,7 @@ type SemiFinalistTrackerProps = {
byAward: AwardStat[]
unactivatedProjects: UnactivatedProject[]
editionId: string
reminderThresholdDays?: number
}
const categoryLabels: Record<string, string> = {
@@ -57,6 +61,7 @@ export function SemiFinalistTracker({
byAward,
unactivatedProjects,
editionId,
reminderThresholdDays = 3,
}: SemiFinalistTrackerProps) {
const utils = trpc.useUtils()
const sendReminders = trpc.dashboard.sendAccountReminders.useMutation({
@@ -97,9 +102,16 @@ export function SemiFinalistTracker({
<Users className="h-4 w-4 text-brand-blue" />
Semi-Finalist Tracker
</CardTitle>
<Badge variant="outline" className="text-xs">
{totalActivated}/{totalProjects} activated
</Badge>
<div className="flex items-center gap-2">
<Badge variant="outline" className="text-xs">
{totalActivated}/{totalProjects} activated
</Badge>
<Link href={`/admin/semi-finalists?editionId=${editionId}` as Route}>
<Button variant="ghost" size="sm" className="h-6 px-2 text-xs">
See All <ExternalLink className="ml-1 h-3 w-3" />
</Button>
</Link>
</div>
</div>
</CardHeader>
<CardContent className="space-y-4">

21
src/components/settings/settings-content.tsx
View File

@@ -383,7 +383,7 @@ export function SettingsContent({ initialSettings, isSuperAdmin = true }: Settin
</TabsContent>
)}
<TabsContent value="notifications">
<TabsContent value="notifications" className="space-y-6">
<AnimatedCard>
<Card>
<CardHeader>
@@ -397,6 +397,25 @@ export function SettingsContent({ initialSettings, isSuperAdmin = true }: Settin
</CardContent>
</Card>
</AnimatedCard>
<AnimatedCard>
<Card>
<CardHeader>
<CardTitle>Account Reminders</CardTitle>
<CardDescription>
Configure when account setup reminders become appropriate
</CardDescription>
</CardHeader>
<CardContent>
<SettingInput
label="Days before account reminder"
description="Number of days after advancement before showing a warning icon and enabling reminder emails for unactivated accounts"
settingKey="account_reminder_days"
value={initialSettings.account_reminder_days || '3'}
type="number"
/>
</CardContent>
</Card>
</AnimatedCard>
</TabsContent>
{isSuperAdmin && (

51
src/components/shared/impersonation-banner.tsx Normal file
View File

@@ -0,0 +1,51 @@
'use client'
import { useSession } from 'next-auth/react'
import { useRouter } from 'next/navigation'
import { trpc } from '@/lib/trpc/client'
import { Button } from '@/components/ui/button'
import { ArrowLeft, Loader2 } from 'lucide-react'
import { toast } from 'sonner'
export function ImpersonationBanner() {
const { data: session, update } = useSession()
const router = useRouter()
const endImpersonation = trpc.user.endImpersonation.useMutation()
if (!session?.user?.impersonating) return null
const handleReturn = async () => {
try {
await endImpersonation.mutateAsync()
await update({ endImpersonation: true })
toast.success('Returned to admin account')
router.push('/admin/members')
router.refresh()
} catch (error) {
toast.error(error instanceof Error ? error.message : 'Failed to end impersonation')
}
}
return (
<div className="fixed top-0 left-0 right-0 z-50 flex items-center justify-center gap-3 bg-red-600 px-4 py-1.5 text-sm text-white shadow-md">
<span>
Impersonating <strong>{session.user.name || session.user.email}</strong>{' '}
({session.user.role.replace('_', ' ')})
</span>
<Button
size="sm"
variant="secondary"
className="h-6 px-3 text-xs"
onClick={handleReturn}
disabled={endImpersonation.isPending}
>
{endImpersonation.isPending ? (
<Loader2 className="mr-1 h-3 w-3 animate-spin" />
) : (
<ArrowLeft className="mr-1 h-3 w-3" />
)}
Return to Admin
</Button>
</div>
)
}

14
src/lib/auth.config.ts
View File

@@ -1,6 +1,13 @@
import type { NextAuthConfig } from 'next-auth'
import type { UserRole } from '@prisma/client'
type ImpersonationInfo = {
originalId: string
originalRole: UserRole
originalRoles: UserRole[]
originalEmail: string
}
// Extend the built-in session types
declare module 'next-auth' {
interface Session {
@@ -11,6 +18,7 @@ declare module 'next-auth' {
role: UserRole
roles: UserRole[]
mustSetPassword?: boolean
impersonating?: ImpersonationInfo
}
}
@@ -27,6 +35,7 @@ declare module '@auth/core/jwt' {
role: UserRole
roles?: UserRole[]
mustSetPassword?: boolean
impersonating?: ImpersonationInfo
}
}
@@ -61,15 +70,16 @@ export const authConfig: NextAuthConfig = {
return false // Will redirect to signIn page
}
// Check if user needs to set password
// Check if user needs to set password (skip during impersonation)
const mustSetPassword = auth?.user?.mustSetPassword
const isImpersonating = !!(auth?.user as Record<string, unknown>)?.impersonating
const passwordSetupAllowedPaths = [
'/set-password',
'/api/auth',
'/api/trpc',
]
if (mustSetPassword) {
if (mustSetPassword && !isImpersonating) {
// Allow access to password setup related paths
if (passwordSetupAllowedPaths.some((path) => pathname.startsWith(path))) {
return true

73
src/lib/auth.ts
View File

@@ -221,7 +221,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
],
callbacks: {
...authConfig.callbacks,
async jwt({ token, user, trigger }) {
async jwt({ token, user, trigger, session }) {
// Initial sign in
if (user) {
token.id = user.id as string
@@ -230,16 +230,66 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
token.mustSetPassword = user.mustSetPassword
}
// On session update, refresh from database
if (trigger === 'update') {
const dbUser = await prisma.user.findUnique({
where: { id: token.id as string },
select: { role: true, roles: true, mustSetPassword: true },
})
if (dbUser) {
token.role = dbUser.role
token.roles = dbUser.roles.length ? dbUser.roles : [dbUser.role]
token.mustSetPassword = dbUser.mustSetPassword
// On session update, handle impersonation or normal refresh
if (trigger === 'update' && session) {
// Start impersonation
if (session.impersonate && typeof session.impersonate === 'string') {
// Only SUPER_ADMIN can impersonate (defense-in-depth)
if (token.role === 'SUPER_ADMIN' && !token.impersonating) {
const targetUser = await prisma.user.findUnique({
where: { id: session.impersonate },
select: { id: true, email: true, name: true, role: true, roles: true, status: true },
})
if (targetUser && targetUser.status !== 'SUSPENDED' && targetUser.role !== 'SUPER_ADMIN') {
// Save original admin identity
token.impersonating = {
originalId: token.id as string,
originalRole: token.role as UserRole,
originalRoles: (token.roles as UserRole[]) ?? [token.role as UserRole],
originalEmail: token.email as string,
}
// Swap to target user
token.id = targetUser.id
token.email = targetUser.email
token.name = targetUser.name
token.role = targetUser.role
token.roles = targetUser.roles.length ? targetUser.roles : [targetUser.role]
token.mustSetPassword = false
}
}
}
// End impersonation
else if (session.endImpersonation && token.impersonating) {
const original = token.impersonating as { originalId: string; originalRole: UserRole; originalRoles: UserRole[]; originalEmail: string }
token.id = original.originalId
token.role = original.originalRole
token.roles = original.originalRoles
token.email = original.originalEmail
token.impersonating = undefined
token.mustSetPassword = false
// Refresh original admin's name
const adminUser = await prisma.user.findUnique({
where: { id: original.originalId },
select: { name: true },
})
if (adminUser) {
token.name = adminUser.name
}
}
// Normal session refresh
else {
const dbUser = await prisma.user.findUnique({
where: { id: token.id as string },
select: { role: true, roles: true, mustSetPassword: true },
})
if (dbUser) {
token.role = dbUser.role
token.roles = dbUser.roles.length ? dbUser.roles : [dbUser.role]
// Don't override mustSetPassword=false during impersonation
if (!token.impersonating) {
token.mustSetPassword = dbUser.mustSetPassword
}
}
}
}
@@ -251,6 +301,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
session.user.role = token.role as UserRole
session.user.roles = (token.roles as UserRole[]) ?? [token.role as UserRole]
session.user.mustSetPassword = token.mustSetPassword as boolean | undefined
session.user.impersonating = token.impersonating as typeof session.user.impersonating
}
return session
},

126
src/server/routers/dashboard.ts
View File

@@ -586,15 +586,16 @@ export const dashboardRouter = router({
.query(async ({ ctx, input }) => {
const { editionId } = input
// Find all projects with at least one PASSED state in this edition's rounds.
// Use the highest sortOrder PASSED round per project to avoid double-counting.
const passedStates = await ctx.prisma.projectRoundState.findMany({
// Find projects whose LATEST terminal state (PASSED/REJECTED/WITHDRAWN) is PASSED.
// A project that passed round 1 but was rejected in round 2 is NOT a semi-finalist.
const terminalStates = await ctx.prisma.projectRoundState.findMany({
where: {
state: 'PASSED',
state: { in: ['PASSED', 'REJECTED', 'WITHDRAWN'] },
round: { competition: { programId: editionId } },
},
select: {
projectId: true,
state: true,
round: { select: { id: true, name: true, sortOrder: true } },
project: {
select: {
@@ -608,6 +609,7 @@ export const dashboardRouter = router({
id: true,
email: true,
name: true,
status: true,
passwordHash: true,
},
},
@@ -618,16 +620,17 @@ export const dashboardRouter = router({
},
})
// Deduplicate: keep only the highest-sortOrder PASSED round per project
const projectMap = new Map<string, (typeof passedStates)[0]>()
for (const ps of passedStates) {
const existing = projectMap.get(ps.projectId)
if (!existing || ps.round.sortOrder > existing.round.sortOrder) {
projectMap.set(ps.projectId, ps)
// For each project, keep only the terminal state from the highest-sortOrder round
const projectMap = new Map<string, (typeof terminalStates)[0]>()
for (const ts of terminalStates) {
const existing = projectMap.get(ts.projectId)
if (!existing || ts.round.sortOrder > existing.round.sortOrder) {
projectMap.set(ts.projectId, ts)
}
}
const uniqueProjects = Array.from(projectMap.values())
// Only include projects whose latest terminal state is PASSED
const uniqueProjects = Array.from(projectMap.values()).filter(ps => ps.state === 'PASSED')
// Group by category
const catMap = new Map<string, { total: number; accountsSet: number; accountsNotSet: number }>()
@@ -636,7 +639,7 @@ export const dashboardRouter = router({
if (!catMap.has(cat)) catMap.set(cat, { total: 0, accountsSet: 0, accountsNotSet: 0 })
const entry = catMap.get(cat)!
entry.total++
const hasActivated = ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null)
const hasActivated = ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null || tm.user.status === 'ACTIVE')
if (hasActivated) entry.accountsSet++
else entry.accountsNotSet++
}
@@ -676,7 +679,7 @@ export const dashboardRouter = router({
for (const pid of projectIds) {
const ps = projectMap.get(pid)
if (ps) {
const hasActivated = ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null)
const hasActivated = ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null || tm.user.status === 'ACTIVE')
if (hasActivated) accountsSet++
else accountsNotSet++
}
@@ -684,15 +687,15 @@ export const dashboardRouter = router({
return { awardId, awardName, total: projectIds.size, accountsSet, accountsNotSet }
})
// Unactivated projects: no team member has passwordHash
// Unactivated projects: no team member has set up their account
const unactivatedProjects = uniqueProjects
.filter((ps) => !ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null))
.filter((ps) => !ps.project.teamMembers.some((tm) => tm.user.passwordHash !== null || tm.user.status === 'ACTIVE'))
.map((ps) => ({
projectId: ps.projectId,
projectTitle: ps.project.title,
category: ps.project.competitionCategory,
teamEmails: ps.project.teamMembers
.filter((tm) => tm.user.passwordHash === null)
.filter((tm) => tm.user.passwordHash === null && tm.user.status !== 'ACTIVE')
.map((tm) => tm.user.email),
roundName: ps.round.name,
}))
@@ -700,6 +703,94 @@ export const dashboardRouter = router({
return { byCategory, byAward, unactivatedProjects }
}),
/**
* Get detailed semi-finalist list for the "See All" page.
* Returns every project whose latest terminal state is PASSED, with team and round info.
*/
getSemiFinalistDetail: adminProcedure
.input(z.object({ editionId: z.string() }))
.query(async ({ ctx, input }) => {
const { editionId } = input
// Fetch all terminal states for projects in this edition
const terminalStates = await ctx.prisma.projectRoundState.findMany({
where: {
state: { in: ['PASSED', 'REJECTED', 'WITHDRAWN'] },
round: { competition: { programId: editionId } },
},
select: {
projectId: true,
state: true,
round: { select: { id: true, name: true, sortOrder: true, roundType: true } },
project: {
select: {
id: true,
title: true,
teamName: true,
competitionCategory: true,
country: true,
teamMembers: {
select: {
role: true,
user: {
select: {
id: true,
email: true,
name: true,
status: true,
passwordHash: true,
lastLoginAt: true,
},
},
},
},
},
},
},
})
// Keep the latest terminal state per project
const projectMap = new Map<string, (typeof terminalStates)[0]>()
for (const ts of terminalStates) {
const existing = projectMap.get(ts.projectId)
if (!existing || ts.round.sortOrder > existing.round.sortOrder) {
projectMap.set(ts.projectId, ts)
}
}
// Only include PASSED projects
const semiFinalists = Array.from(projectMap.values())
.filter(ps => ps.state === 'PASSED')
.map(ps => ({
projectId: ps.projectId,
title: ps.project.title,
teamName: ps.project.teamName,
category: ps.project.competitionCategory,
country: ps.project.country,
currentRound: ps.round.name,
currentRoundType: ps.round.roundType,
teamMembers: ps.project.teamMembers.map(tm => ({
name: tm.user.name,
email: tm.user.email,
role: tm.role,
accountStatus: tm.user.passwordHash !== null
? 'active' as const
: tm.user.status === 'ACTIVE'
? 'active' as const
: tm.user.status === 'INVITED'
? 'invited' as const
: 'none' as const,
lastLogin: tm.user.lastLoginAt,
})),
allActivated: ps.project.teamMembers.every(
tm => tm.user.passwordHash !== null || tm.user.status === 'ACTIVE'
),
}))
.sort((a, b) => a.title.localeCompare(b.title))
return semiFinalists
}),
/**
* Send account setup reminder emails to semi-finalist team members
* who haven't set their password yet.
@@ -768,6 +859,7 @@ export const dashboardRouter = router({
id: true,
email: true,
name: true,
status: true,
passwordHash: true,
},
},
@@ -794,7 +886,7 @@ export const dashboardRouter = router({
for (const project of projects) {
const unactivated = project.teamMembers.filter(
(tm) => tm.user.passwordHash === null && !recentReminderEmails.has(tm.user.email)
(tm) => tm.user.passwordHash === null && tm.user.status !== 'ACTIVE' && !recentReminderEmails.has(tm.user.email)
)
for (const tm of unactivated) {

6
src/server/routers/settings.ts
View File

@@ -42,7 +42,7 @@ export const settingsRouter = router({
* These are non-sensitive settings that can be exposed to any user
*/
getFeatureFlags: protectedProcedure.query(async ({ ctx }) => {
const [whatsappEnabled, juryCompareEnabled, learningHubExternal, learningHubExternalUrl, supportEmail] = await Promise.all([
const [whatsappEnabled, juryCompareEnabled, learningHubExternal, learningHubExternalUrl, supportEmail, accountReminderDays] = await Promise.all([
ctx.prisma.systemSettings.findUnique({
where: { key: 'whatsapp_enabled' },
}),
@@ -58,6 +58,9 @@ export const settingsRouter = router({
ctx.prisma.systemSettings.findUnique({
where: { key: 'support_email' },
}),
ctx.prisma.systemSettings.findUnique({
where: { key: 'account_reminder_days' },
}),
])
return {
@@ -66,6 +69,7 @@ export const settingsRouter = router({
learningHubExternal: learningHubExternal?.value === 'true',
learningHubExternalUrl: learningHubExternalUrl?.value || '',
supportEmail: supportEmail?.value || '',
accountReminderDays: parseInt(accountReminderDays?.value || '3', 10),
}
}),

82
src/server/routers/user.ts
View File

@@ -1689,4 +1689,86 @@ export const userRouter = router({
return { sent, skipped, failed }
}),
/**
* Start impersonating a user (super admin only)
*/
startImpersonation: superAdminProcedure
.input(z.object({ targetUserId: z.string() }))
.mutation(async ({ ctx, input }) => {
// Block nested impersonation
if ((ctx.session as unknown as { user?: { impersonating?: unknown } })?.user?.impersonating) {
throw new TRPCError({
code: 'BAD_REQUEST',
message: 'Cannot start nested impersonation. End current impersonation first.',
})
}
const target = await ctx.prisma.user.findUnique({
where: { id: input.targetUserId },
select: { id: true, email: true, name: true, role: true, roles: true, status: true },
})
if (!target) {
throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' })
}
if (target.status === 'SUSPENDED') {
throw new TRPCError({ code: 'BAD_REQUEST', message: 'Cannot impersonate a suspended user' })
}
if (target.role === 'SUPER_ADMIN') {
throw new TRPCError({ code: 'BAD_REQUEST', message: 'Cannot impersonate another super admin' })
}
await logAudit({
prisma: ctx.prisma,
userId: ctx.user.id,
action: 'IMPERSONATION_START',
entityType: 'User',
entityId: target.id,
detailsJson: {
adminId: ctx.user.id,
adminEmail: ctx.user.email,
targetId: target.id,
targetEmail: target.email,
targetRole: target.role,
},
ipAddress: ctx.ip,
userAgent: ctx.userAgent,
})
return { targetUserId: target.id, targetRole: target.role }
}),
/**
* End impersonation and return to admin
*/
endImpersonation: protectedProcedure
.mutation(async ({ ctx }) => {
const session = ctx.session as unknown as { user?: { impersonating?: { originalId: string; originalEmail: string } } }
const impersonating = session?.user?.impersonating
if (!impersonating) {
throw new TRPCError({ code: 'BAD_REQUEST', message: 'Not currently impersonating' })
}
await logAudit({
prisma: ctx.prisma,
userId: impersonating.originalId,
action: 'IMPERSONATION_END',
entityType: 'User',
entityId: ctx.user.id,
detailsJson: {
adminId: impersonating.originalId,
adminEmail: impersonating.originalEmail,
targetId: ctx.user.id,
targetEmail: ctx.user.email,
},
ipAddress: ctx.ip,
userAgent: ctx.userAgent,
})
return { ended: true }
}),
})

169
src/server/trpc.ts
View File

@@ -1,6 +1,7 @@
import { initTRPC, TRPCError } from '@trpc/server'
import superjson from 'superjson'
import { ZodError } from 'zod'
import type { Prisma } from '@prisma/client'
import type { Context } from './context'
import type { UserRole } from '@prisma/client'
@@ -93,21 +94,126 @@ const hasRole = (...roles: UserRole[]) =>
})
})
// =============================================================================
// Mutation Audit Logging
// =============================================================================
/** Fields that must never appear in audit log input snapshots. */
const SENSITIVE_KEYS = new Set([
'password', 'passwordHash', 'currentPassword', 'newPassword', 'confirmPassword',
'token', 'secret', 'apiKey', 'accessKey', 'secretKey',
'creditCard', 'cvv', 'ssn',
])
/** Max depth / size for serialized input to avoid bloating the audit table. */
const MAX_INPUT_DEPTH = 4
const MAX_STRING_LENGTH = 500
const MAX_ARRAY_LENGTH = 20
/**
* Middleware for audit logging
* Recursively sanitize an input object for safe storage in audit logs.
* - Strips sensitive fields (passwords, tokens, secrets)
* - Truncates long strings and arrays
* - Limits nesting depth
*/
const withAuditLog = middleware(async ({ ctx, next, path }) => {
function sanitizeInput(value: unknown, depth = 0): unknown {
if (depth > MAX_INPUT_DEPTH) return '[nested]'
if (value === null || value === undefined) return value
if (typeof value === 'boolean' || typeof value === 'number') return value
if (typeof value === 'string') {
return value.length > MAX_STRING_LENGTH
? value.slice(0, MAX_STRING_LENGTH) + '...'
: value
}
if (value instanceof Date) return value.toISOString()
if (Array.isArray(value)) {
const truncated = value.slice(0, MAX_ARRAY_LENGTH).map(v => sanitizeInput(v, depth + 1))
if (value.length > MAX_ARRAY_LENGTH) truncated.push(`[+${value.length - MAX_ARRAY_LENGTH} more]`)
return truncated
}
if (typeof value === 'object') {
const result: Record<string, unknown> = {}
for (const [key, val] of Object.entries(value as Record<string, unknown>)) {
if (SENSITIVE_KEYS.has(key)) {
result[key] = '[REDACTED]'
} else {
result[key] = sanitizeInput(val, depth + 1)
}
}
return result
}
return String(value)
}
/**
* Middleware that automatically logs all successful mutations for non-SUPER_ADMIN users.
* Captures: procedure path, sanitized input, user role, IP, user agent.
* Failures are silently caught — audit logging never breaks the calling operation.
*/
const withMutationAudit = middleware(async ({ ctx, next, path, type, getRawInput }) => {
const result = await next()
// Log successful mutations
if (result.ok && path.includes('.')) {
const [, action] = path.split('.')
const mutationActions = ['create', 'update', 'delete', 'import', 'submit', 'grant', 'revoke']
// Only log mutations, only on success
if (type !== 'mutation' || !result.ok) return result
if (mutationActions.some((a) => action?.toLowerCase().includes(a))) {
// Audit logging would happen here
// We'll implement this in the audit service
// Must have an authenticated user
const user = ctx.session?.user
if (!user?.id) return result
// Skip SUPER_ADMIN — they have their own manual audit trail
if (user.role === 'SUPER_ADMIN') return result
try {
// Extract router name and procedure name from path (e.g., "evaluation.submit")
const dotIndex = path.indexOf('.')
const routerName = dotIndex > 0 ? path.slice(0, dotIndex) : path
const procedureName = dotIndex > 0 ? path.slice(dotIndex + 1) : path
// Convert procedure path to readable action (e.g., "evaluation.submit" → "EVALUATION_SUBMIT")
const action = path.replace(/\./g, '_').replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
// Get and sanitize the raw input
let sanitizedInput: unknown = undefined
try {
const rawInput = await getRawInput()
if (rawInput !== undefined) {
sanitizedInput = sanitizeInput(rawInput)
}
} catch {
// getRawInput can fail if input was already consumed; ignore
}
// Capitalize first letter of router name for entityType
const entityType = routerName.charAt(0).toUpperCase() + routerName.slice(1)
// Try to extract entityId from common input patterns
const inputObj = (typeof sanitizedInput === 'object' && sanitizedInput !== null)
? sanitizedInput as Record<string, unknown>
: undefined
const entityId = inputObj?.id ?? inputObj?.userId ?? inputObj?.projectId ??
inputObj?.roundId ?? inputObj?.competitionId ?? inputObj?.editionId ??
inputObj?.targetUserId ?? inputObj?.sessionId ?? inputObj?.awardId
await ctx.prisma.auditLog.create({
data: {
userId: user.id,
action,
entityType,
entityId: entityId ? String(entityId) : undefined,
detailsJson: {
procedure: path,
procedureName,
role: user.role,
roles: user.roles,
input: sanitizedInput,
} as Prisma.InputJsonValue,
ipAddress: ctx.ip,
userAgent: ctx.userAgent,
},
})
} catch (error) {
// Never break the calling operation on audit failure
console.error('[MutationAudit] Failed to log:', path, error)
}
return result
@@ -119,55 +225,56 @@ const withAuditLog = middleware(async ({ ctx, next, path }) => {
/**
* Protected procedure - requires authenticated user
* Mutations are automatically audit-logged for non-SUPER_ADMIN users.
*/
export const protectedProcedure = t.procedure.use(isAuthenticated)
export const protectedProcedure = t.procedure.use(isAuthenticated).use(withMutationAudit)
/**
* Admin procedure - requires SUPER_ADMIN or PROGRAM_ADMIN role
* PROGRAM_ADMIN mutations are audit-logged; SUPER_ADMIN mutations are skipped.
*/
export const adminProcedure = t.procedure.use(
hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN')
)
export const adminProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN'))
.use(withMutationAudit)
/**
* Super admin procedure - requires SUPER_ADMIN role
* No automatic mutation audit (super admins have manual audit trail).
*/
export const superAdminProcedure = t.procedure.use(hasRole('SUPER_ADMIN'))
/**
* Jury procedure - requires JURY_MEMBER role
* All mutations are automatically audit-logged.
*/
export const juryProcedure = t.procedure.use(hasRole('JURY_MEMBER'))
export const juryProcedure = t.procedure.use(hasRole('JURY_MEMBER')).use(withMutationAudit)
/**
* Mentor procedure - requires MENTOR role (or admin)
* MENTOR and PROGRAM_ADMIN mutations are audit-logged.
*/
export const mentorProcedure = t.procedure.use(
hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'MENTOR')
)
export const mentorProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'MENTOR'))
.use(withMutationAudit)
/**
* Observer procedure - requires OBSERVER role (read-only access)
* Mutations (if any) are audit-logged for OBSERVER and PROGRAM_ADMIN.
*/
export const observerProcedure = t.procedure.use(
hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'OBSERVER')
)
export const observerProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'OBSERVER'))
.use(withMutationAudit)
/**
* Award master procedure - requires AWARD_MASTER role (or admin)
* AWARD_MASTER and PROGRAM_ADMIN mutations are audit-logged.
*/
export const awardMasterProcedure = t.procedure.use(
hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'AWARD_MASTER')
)
export const awardMasterProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'AWARD_MASTER'))
.use(withMutationAudit)
/**
* Audience procedure - requires any authenticated user
* All mutations are automatically audit-logged.
*/
export const audienceProcedure = t.procedure.use(isAuthenticated)
/**
* Protected procedure with audit logging
*/
export const auditedProcedure = t.procedure
.use(isAuthenticated)
.use(withAuditLog)
export const audienceProcedure = t.procedure.use(isAuthenticated).use(withMutationAudit)