feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing

- proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel) - pair/start: isDemo-check via cookies() guard - pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie
2026-04-29 18:19:49 +02:00 · 2026-04-29 18:19:49 +02:00 · 84f0a2add4
commit 84f0a2add4
parent f1d2b11c0f
3 changed files with 23 additions and 7 deletions
--- a/app/api/auth/pair/claim/route.ts
+++ b/app/api/auth/pair/claim/route.ts
@ -80,6 +80,11 @@ export async function POST(request: Request) {
    return Response.json({ error: 'Pairing zonder user' }, { status: 500 })
  }

+  if (pairing.user?.is_demo) {
+    await clearPairCookie()
+    return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
+  }
+
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
  session.userId = pairing.user_id
  session.isDemo = pairing.user?.is_demo ?? false
--- a/app/api/auth/pair/start/route.ts
+++ b/app/api/auth/pair/start/route.ts
@ -9,6 +9,8 @@
 //
 // Rate-limit: 10 pogingen per IP per minuut (lib/rate-limit.ts → 'pair-start').

+import { getIronSession } from 'iron-session'
+import { cookies } from 'next/headers'
 import { prisma } from '@/lib/prisma'
 import {
  generateMobileSecret,
@ -17,6 +19,7 @@ import {
 } from '@/lib/auth/pairing'
 import { setPairCookie } from '@/lib/auth/pair-cookie'
 import { checkRateLimit } from '@/lib/rate-limit'
+import { SessionData, sessionOptions } from '@/lib/session'

 export const runtime = 'nodejs'

@ -34,6 +37,11 @@ function getClientIp(request: Request): string {
 }

 export async function POST(request: Request) {
+  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
+  if (session.isDemo) {
+    return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
+  }
+
  const ip = getClientIp(request)
  if (!checkRateLimit(`pair-start:${ip}`)) {
    return Response.json(
--- a/proxy.ts
+++ b/proxy.ts
@ -1,6 +1,6 @@
 import { NextResponse } from 'next/server'
 import type { NextRequest } from 'next/server'
-import { getIronSession } from 'iron-session'
+import { unsealData } from 'iron-session'
 import { sessionOptions, type SessionData } from '@/lib/session'

 const protectedRoutes = ['/dashboard', '/products', '/todos', '/settings', '/solo']
@ -22,12 +22,15 @@ export async function proxy(request: NextRequest) {
    !SAFE_METHODS.has(method) &&
    !DEMO_WRITE_ALLOWLIST.some(p => pathname.startsWith(p))
  ) {
-    const session = await getIronSession<SessionData>(request.cookies, sessionOptions)
-    if (session.isDemo) {
-      return NextResponse.json(
-        { error: 'Niet beschikbaar in demo-modus' },
-        { status: 403 }
-      )
+    const raw = request.cookies.get(sessionOptions.cookieName)?.value
+    if (raw) {
+      const session = await unsealData<SessionData>(raw, { password: sessionOptions.password as string })
+      if (session.isDemo) {
+        return NextResponse.json(
+          { error: 'Niet beschikbaar in demo-modus' },
+          { status: 403 }
+        )
+      }
    }
  }