janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

proxy: add /ideas to protectedRoutes; verify demo-guard for /api/ideas (M12 T-501)

Browse source 
- proxy.ts: /ideas added to protectedRoutes — unauthenticated users get
  redirected to /login when navigating to /ideas or /ideas/[id]
- existing demo-guard catch-all (\`/api/* + non-GET\`) already blocks
  POST/PATCH/DELETE /api/ideas* with 403 — confirmed via 3 new tests
- server-action endpoints (start-grill / start-make-plan / materialize /
  promote-to-idea) carry their own \`session.isDemo\` checks inside
  actions/ideas.ts and actions/todos.ts (defense in depth)

Tests: 9/9 in proxy demo-guard suite (added 3 idea cases).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Janpeter Visser 2026-05-04 19:56:41 +02:00
parent 4b234dc300
commit a1d1f99216
2 changed files with 21 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
proxy.ts
View file

@ -3,7 +3,7 @@ import type { NextRequest } from 'next/server'
import { unsealData } from 'iron-session'
import { sessionOptions, type SessionData } from '@/lib/session'
const protectedRoutes = ['/dashboard', '/products', '/todos', '/settings', '/solo']
const protectedRoutes = ['/dashboard', '/products', '/todos', '/ideas', '/settings', '/solo']
const authRoutes = ['/login', '/register']
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])