audit: production safety fixes, cleanup, and documentation overhaul

CRITICAL fixes: - Fix SQL injection in geoportal search (template literal in $queryRaw) - Preserve enrichment data during GIS re-sync (upsert update explicit fields only) - Fix ePay version race condition (advisory lock in transaction) - Add requireAuth() to compress-pdf and unlock routes (were unauthenticated) - Remove hardcoded Stirling PDF API key (env vars now required) IMPORTANT fixes: - Add admin role check on registratura debug-sequences endpoint - Fix reserved slot race condition with advisory lock in transaction - Use SSO identity in close-guard-dialog instead of hardcoded "Utilizator" - Storage DELETE catches only P2025 (not found), re-throws real errors - Add onDelete: SetNull for GisFeature → GisSyncRun relation - Move portal-only users to PORTAL_ONLY_USERS env var - Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) - Add periodic cleanup for eTerra/ePay session caches and progress store - Log warning when ePay dataDocument is missing (expiry fallback) Cleanup: - Delete orphaned rgi-test page (1086 lines, unregistered, inaccessible) - Delete legacy/ folder (5 files, unreferenced from src/) - Remove unused ensureBucketExists() from minio-client.ts Documentation: - Optimize CLAUDE.md: 464 → 197 lines (moved per-module details to docs/) - Create docs/ARCHITECTURE-QUICK.md (80 lines: data flow, deps, env vars) - Create docs/MODULE-MAP.md (140 lines: entry points, API routes, cross-deps) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 06:40:34 +02:00
parent c012adaa77
commit 0c4b91707f
25 changed files with 579 additions and 3405 deletions
@@ -1,11 +1,20 @@
 import { NextRequest, NextResponse } from "next/server";
+import { requireAuth } from "./auth-check";

-const STIRLING_PDF_URL =
-  process.env.STIRLING_PDF_URL ?? "http://10.10.10.166:8087";
-const STIRLING_PDF_API_KEY =
-  process.env.STIRLING_PDF_API_KEY ?? "cd829f62-6eef-43eb-a64d-c91af727b53a";
+const STIRLING_PDF_URL = process.env.STIRLING_PDF_URL;
+const STIRLING_PDF_API_KEY = process.env.STIRLING_PDF_API_KEY;

 export async function POST(req: NextRequest) {
+  const authErr = await requireAuth(req);
+  if (authErr) return authErr;
+
+  if (!STIRLING_PDF_URL || !STIRLING_PDF_API_KEY) {
+    return NextResponse.json(
+      { error: "Stirling PDF nu este configurat" },
+      { status: 503 },
+    );
+  }
+
  try {
    // Buffer the full body then forward to Stirling — streaming passthrough
    // (req.body + duplex:half) is unreliable for large files in Next.js.
@@ -1,11 +1,20 @@
 import { NextRequest, NextResponse } from "next/server";
+import { requireAuth } from "../auth-check";

-const STIRLING_PDF_URL =
-  process.env.STIRLING_PDF_URL ?? "http://10.10.10.166:8087";
-const STIRLING_PDF_API_KEY =
-  process.env.STIRLING_PDF_API_KEY ?? "cd829f62-6eef-43eb-a64d-c91af727b53a";
+const STIRLING_PDF_URL = process.env.STIRLING_PDF_URL;
+const STIRLING_PDF_API_KEY = process.env.STIRLING_PDF_API_KEY;

 export async function POST(req: NextRequest) {
+  const authErr = await requireAuth(req);
+  if (authErr) return authErr;
+
+  if (!STIRLING_PDF_URL || !STIRLING_PDF_API_KEY) {
+    return NextResponse.json(
+      { error: "Stirling PDF nu este configurat" },
+      { status: 503 },
+    );
+  }
+
  try {
    // Stream body directly to Stirling — avoids FormData re-serialization
    // failure on large files ("Failed to parse body as FormData")
@@ -78,7 +78,7 @@ export async function GET(req: Request) {
          WHERE geom IS NOT NULL
            AND "layerId" LIKE 'TERENURI%'
            AND ("cadastralRef" ILIKE ${pattern}
-              OR enrichment::text ILIKE ${'%"NR_CAD":"' + q + '%'})
+              OR enrichment::text ILIKE ${`%"NR_CAD":"${q}%`})
          ORDER BY "cadastralRef"
          LIMIT ${limit}
        ` as Array<{
@@ -11,11 +11,21 @@ import { NextResponse } from "next/server";
 import { prisma } from "@/core/storage/prisma";
 import { getAuthSession } from "@/core/auth";

-export async function GET() {
+async function requireAdmin(): Promise<NextResponse | null> {
  const session = await getAuthSession();
  if (!session) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
+  const u = session.user as { role?: string } | undefined;
+  if (u?.role !== "admin") {
+    return NextResponse.json({ error: "Admin access required" }, { status: 403 });
+  }
+  return null;
+}
+
+export async function GET() {
+  const denied = await requireAdmin();
+  if (denied) return denied;

  // Get all sequence counters
  const counters = await prisma.$queryRaw<
@@ -79,10 +89,8 @@ export async function GET() {
 }

 export async function POST() {
-  const session = await getAuthSession();
-  if (!session) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
+  const denied = await requireAdmin();
+  if (denied) return denied;

  // Delete ALL old counters
  const deleted = await prisma.$executeRaw`DELETE FROM "RegistrySequence"`;
@@ -146,10 +154,8 @@ export async function POST() {
 * Rewrites the "number" field inside the JSONB value for matching entries.
 */
 export async function PATCH() {
-  const session = await getAuthSession();
-  if (!session) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
+  const denied = await requireAdmin();
+  if (denied) return denied;

  // Map old 3-letter prefixes to new single-letter
  const migrations: Array<{ old: string; new: string }> = [
@@ -213,27 +213,33 @@ export async function POST(req: NextRequest) {
    let claimedSlotId: string | undefined;

    if (isPastMonth && direction === "intrat") {
-      // Try to claim a reserved slot
-      const allEntries = await loadAllEntries(true);
-      const slot = findAvailableReservedSlot(
-        allEntries,
-        company,
-        docDate.getFullYear(),
-        docDate.getMonth(),
-      );
+      // Try to claim a reserved slot — use advisory lock to prevent concurrent claims
+      const lockKey = `reserved:${company}-${docDate.getFullYear()}-${docDate.getMonth()}`;
+      const claimed = await prisma.$transaction(async (tx) => {
+        await tx.$executeRaw`SELECT pg_advisory_xact_lock(hashtext(${lockKey}))`;
+        const allEntries = await loadAllEntries(true);
+        const slot = findAvailableReservedSlot(
+          allEntries,
+          company,
+          docDate.getFullYear(),
+          docDate.getMonth(),
+        );
+        if (!slot) return null;
+        // Delete the placeholder slot within the lock
+        await tx.keyValueStore.delete({
+          where: { namespace_key: { namespace: "registratura", key: slot.id } },
+        });
+        return slot;
+      });

-      if (slot) {
-        // Claim the reserved slot — reuse its number
-        registryNumber = slot.number;
+      if (claimed) {
+        registryNumber = claimed.number;
        registrationType = "reserved-claimed";
-        claimedSlotId = slot.id;
-
-        // Delete the placeholder slot
-        await deleteEntryFromDB(slot.id);
+        claimedSlotId = claimed.id;

        await logAuditEvent({
-          entryId: slot.id,
-          entryNumber: slot.number,
+          entryId: claimed.id,
+          entryNumber: claimed.number,
          action: "reserved_claimed",
          actor: actor.id,
          actorName: actor.name,
@@ -144,8 +144,8 @@ export async function DELETE(request: NextRequest) {
            },
          },
        })
-        .catch(() => {
-          // Ignore error if item doesn't exist
+        .catch((err: { code?: string }) => {
+          if (err.code !== "P2025") throw err;
        });
    } else {
      // Clear namespace