janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: janpeter:main
Branches Tags
janpeter:main
janpeter:claude/cranky-mahavira-593107
janpeter:claude/nice-ellis-73cb84
janpeter:feat/story-05mofrm7
janpeter:feat/story-v3leym34
janpeter:feat/story-qfpqpxzy
janpeter:feat/story-dgognlsz
janpeter:feat/story-d9sl8egw
janpeter:feat/story-mgsu85hr
janpeter:feat/auto-pr-ui-and-docs
janpeter:feat/pbi-36-sync-tab
janpeter:feat/pbi-36-deploy-controle
janpeter:feat/pbi-37-skipped-job-status
janpeter:feat/story-0vtnydpi
janpeter:feat/story-7pl4dsb6
janpeter:feat/story-hyikiufi
janpeter:feat/story-abeu63oz
janpeter:feat/story-xmwvqru1
janpeter:feat/story-111ci8t4
janpeter:feat/story-l9kkxh2m
janpeter:feat/story-nma6ylbl
janpeter:fix/idea-pbi-link-route
janpeter:fix/idea-timeline-auto-refresh
janpeter:fix/idea-timeline-hydration-locale
janpeter:fix/m12-bell-loses-idea-questions-on-reconnect
janpeter:fix/m12-idea-question-answering
janpeter:feat/m12-ideas
janpeter:docs/pr-merge-conflict-faq
janpeter:chore/before-launch-changelog
janpeter:feat/a11y-tap-targets-aria
janpeter:feat/a11y-audit-fixes
janpeter:feat/rate-limit-mutations
janpeter:feat/sentry-error-monitoring
janpeter:feat/story-q5wkvcsw
janpeter:feat/product-edit-icon-on-dashboard
janpeter:docs/v1-readiness
janpeter:feat/ST-1134-mobile-shell-foundation
janpeter:docs/pbi-11-plan-update
janpeter:feat/sprint-backlog-filter-popover
janpeter:chore/untrack-claude-settings
janpeter:fix/task-detail-dialog-scroll
janpeter:feat/entity-codes-required
janpeter:feat/dialogs-pattern-compliance
janpeter:fix/dashboard-product-dialog-click-bubble
janpeter:fix/navbar-product-switch-onclick
janpeter:restore/landing-and-edit
janpeter:feat/dashboard-edit-and-switch-fix
janpeter:feat/landing-local-first
janpeter:feat/story-5zxw315t
janpeter:feat/story-jhv1gvva
janpeter:feat/story-0ljj3v5f
janpeter:feat/story-1ljfxsml
janpeter:feat/story-bq1xaz8n
janpeter:pr-61
janpeter:feat/story-txfrl2fx
janpeter:feat/story-iaiejaai
janpeter:feat/story-g700butf
janpeter:feat/docs-adr-and-index
janpeter:feat/story-d22cg3jb
janpeter:feat/story-user88b9
janpeter:feat/story-r73bta1r
janpeter:feat/story-1r1t20mo
janpeter:fix/vercel-deploy-blockers
janpeter:feat/agent-cross-repo-support
janpeter:feat/story-0d5e4arl
janpeter:feat/story-slcb4r45
janpeter:feat/story-yr77flb1
janpeter:fix/insights-complete-page
janpeter:feat/story-ot7dymrf
janpeter:feat/story-2ap9tf9y
janpeter:feat/story-c9enpvfa
janpeter:feat/story-hlautjjp
janpeter:feat/story-x35n155c
janpeter:docs/dialog-pattern
janpeter:fix/sse-pg-cleanup-leak
janpeter:feat/story-liq2tae9
janpeter:feat/job-mgskzyvx
janpeter:feat/plan-snapshot-claude-job
janpeter:feat/split-pane-n-pane
janpeter:feat/M14-task-dialog
janpeter:chore/debug-realtime-tooling
janpeter:feat/M12-demo-readonly
janpeter:feat/M12-pbi-status
janpeter:chore/m12-docs-sync
janpeter:docs/cleanup-claude-md
janpeter:feat/M11-claude-questions
janpeter:feat/M10-qr-login
janpeter:feat/ST-1001-qr-login-milestone-plan
janpeter:feat/M9-active-product-backlog
janpeter:feat/ST-801-realtime-triggers
janpeter:tooling/insert-milestone-script
janpeter:feat/m8-realtime-solo-backlog
janpeter:docs/workflow-update-2026-04-27
janpeter:v1.0.0
janpeter:v0.9.0
...
pull from: janpeter:feat/story-nma6ylbl
Branches Tags
janpeter:main
janpeter:claude/cranky-mahavira-593107
janpeter:claude/nice-ellis-73cb84
janpeter:feat/story-05mofrm7
janpeter:feat/story-v3leym34
janpeter:feat/story-qfpqpxzy
janpeter:feat/story-dgognlsz
janpeter:feat/story-d9sl8egw
janpeter:feat/story-mgsu85hr
janpeter:feat/auto-pr-ui-and-docs
janpeter:feat/pbi-36-sync-tab
janpeter:feat/pbi-36-deploy-controle
janpeter:feat/pbi-37-skipped-job-status
janpeter:feat/story-0vtnydpi
janpeter:feat/story-7pl4dsb6
janpeter:feat/story-hyikiufi
janpeter:feat/story-abeu63oz
janpeter:feat/story-xmwvqru1
janpeter:feat/story-111ci8t4
janpeter:feat/story-l9kkxh2m
janpeter:feat/story-nma6ylbl
janpeter:fix/idea-pbi-link-route
janpeter:fix/idea-timeline-auto-refresh
janpeter:fix/idea-timeline-hydration-locale
janpeter:fix/m12-bell-loses-idea-questions-on-reconnect
janpeter:fix/m12-idea-question-answering
janpeter:feat/m12-ideas
janpeter:docs/pr-merge-conflict-faq
janpeter:chore/before-launch-changelog
janpeter:feat/a11y-tap-targets-aria
janpeter:feat/a11y-audit-fixes
janpeter:feat/rate-limit-mutations
janpeter:feat/sentry-error-monitoring
janpeter:feat/story-q5wkvcsw
janpeter:feat/product-edit-icon-on-dashboard
janpeter:docs/v1-readiness
janpeter:feat/ST-1134-mobile-shell-foundation
janpeter:docs/pbi-11-plan-update
janpeter:feat/sprint-backlog-filter-popover
janpeter:chore/untrack-claude-settings
janpeter:fix/task-detail-dialog-scroll
janpeter:feat/entity-codes-required
janpeter:feat/dialogs-pattern-compliance
janpeter:fix/dashboard-product-dialog-click-bubble
janpeter:fix/navbar-product-switch-onclick
janpeter:restore/landing-and-edit
janpeter:feat/dashboard-edit-and-switch-fix
janpeter:feat/landing-local-first
janpeter:feat/story-5zxw315t
janpeter:feat/story-jhv1gvva
janpeter:feat/story-0ljj3v5f
janpeter:feat/story-1ljfxsml
janpeter:feat/story-bq1xaz8n
janpeter:pr-61
janpeter:feat/story-txfrl2fx
janpeter:feat/story-iaiejaai
janpeter:feat/story-g700butf
janpeter:feat/docs-adr-and-index
janpeter:feat/story-d22cg3jb
janpeter:feat/story-user88b9
janpeter:feat/story-r73bta1r
janpeter:feat/story-1r1t20mo
janpeter:fix/vercel-deploy-blockers
janpeter:feat/agent-cross-repo-support
janpeter:feat/story-0d5e4arl
janpeter:feat/story-slcb4r45
janpeter:feat/story-yr77flb1
janpeter:fix/insights-complete-page
janpeter:feat/story-ot7dymrf
janpeter:feat/story-2ap9tf9y
janpeter:feat/story-c9enpvfa
janpeter:feat/story-hlautjjp
janpeter:feat/story-x35n155c
janpeter:docs/dialog-pattern
janpeter:fix/sse-pg-cleanup-leak
janpeter:feat/story-liq2tae9
janpeter:feat/job-mgskzyvx
janpeter:feat/plan-snapshot-claude-job
janpeter:feat/split-pane-n-pane
janpeter:feat/M14-task-dialog
janpeter:chore/debug-realtime-tooling
janpeter:feat/M12-demo-readonly
janpeter:feat/M12-pbi-status
janpeter:chore/m12-docs-sync
janpeter:docs/cleanup-claude-md
janpeter:feat/M11-claude-questions
janpeter:feat/M10-qr-login
janpeter:feat/ST-1001-qr-login-milestone-plan
janpeter:feat/M9-active-product-backlog
janpeter:feat/ST-801-realtime-triggers
janpeter:tooling/insert-milestone-script
janpeter:feat/m8-realtime-solo-backlog
janpeter:docs/workflow-update-2026-04-27
janpeter:v1.0.0
janpeter:v0.9.0
Sign in to create a new pull request.

2 commits
main ... feat/story

Author SHA1 Message Date
Scrum4Me Agent
c0ded1f482 feat(ST-nma6ylbl): requireAdmin() guard + /admin layout-shell + tests 
- lib/auth-guard.ts: requireAdmin() toegevoegd — redirect /dashboard bij !userId of !isAdmin
- app/(app)/admin/layout.tsx: admin-sidebar met links naar /admin/users, /admin/jobs, /admin/products
- app/(app)/admin/page.tsx: redirect-stub naar /admin/users
- __tests__/lib/auth-guard.test.ts: 3 tests voor requireAdmin() (geen userId, isAdmin=false, isAdmin=true)
 2026-05-05 14:26:03 +02:00
Scrum4Me Agent
8af5354f22 feat(ST-nma6ylbl): SessionData isAdmin + loginAction admin-redirect + must_reset_password-interceptie 
- SessionData: isAdmin: boolean toegevoegd (na isDemo)
- loginAction: UserRole-query voor ADMIN, session.isAdmin gezet, redirect-volgorde:
  must_reset_password → /reset-password, adminRole → /admin, phone-UA, dashboard
- registerAction: session.isAdmin = false
- pair/claim route: session.isAdmin = false (QR-pairing is geen admin-flow)
 2026-05-05 14:22:04 +02:00
7 changed files with 79 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

35
__tests__/lib/auth-guard.test.ts
View file

@ -8,6 +8,41 @@ vi.mock('@/lib/auth', () => ({ getSession: getSessionMock }))
vi.mock('@/lib/auth/pairing', () => ({ isPairedSessionExpired: isPairedSessionExpiredMock }))
vi.mock('next/navigation', () => ({ redirect: redirectMock }))
describe('requireAdmin', () => {
beforeEach(() => {
getSessionMock.mockReset()
isPairedSessionExpiredMock.mockReset()
redirectMock.mockClear()
})
afterEach(() => {
vi.resetModules()
})
it('redirect /dashboard als userId ontbreekt', async () => {
getSessionMock.mockResolvedValue({ userId: undefined, isAdmin: false })
const { requireAdmin } = await import('@/lib/auth-guard')
await expect(requireAdmin()).rejects.toThrow('REDIRECT_CALLED')
expect(redirectMock).toHaveBeenCalledWith('/dashboard')
})
it('redirect /dashboard als isAdmin false is', async () => {
getSessionMock.mockResolvedValue({ userId: 'u1', isAdmin: false })
const { requireAdmin } = await import('@/lib/auth-guard')
await expect(requireAdmin()).rejects.toThrow('REDIRECT_CALLED')
expect(redirectMock).toHaveBeenCalledWith('/dashboard')
})
it('geeft sessie terug als isAdmin true is', async () => {
const sess = { userId: 'u1', isAdmin: true }
getSessionMock.mockResolvedValue(sess)
const { requireAdmin } = await import('@/lib/auth-guard')
const result = await requireAdmin()
expect(result).toBe(sess)
expect(redirectMock).not.toHaveBeenCalled()
})
})
describe('requireSession', () => {
beforeEach(() => {
getSessionMock.mockReset()

13
actions/auth.ts
View file

@ -4,6 +4,7 @@ import { redirect } from 'next/navigation'
import { cookies, headers } from 'next/headers'
import { getIronSession } from 'iron-session'
import { z } from 'zod'
import { prisma } from '@/lib/prisma'
import { registerUser, verifyUser } from '@/lib/auth'
import { SessionData, sessionOptions } from '@/lib/session'
import { checkRateLimit } from '@/lib/rate-limit'
@ -45,6 +46,7 @@ export async function registerAction(_prevState: unknown, formData: FormData) {
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
session.userId = result.user!.id
session.isDemo = false
session.isAdmin = false
await session.save()
redirect('/dashboard')
@ -70,11 +72,22 @@ export async function loginAction(_prevState: unknown, formData: FormData) {
return { error: 'Onjuiste gebruikersnaam of wachtwoord' }
}
const adminRole = await prisma.userRole.findFirst({
where: { user_id: user.id, role: 'ADMIN' },
})
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
session.userId = user.id
session.isDemo = user.is_demo
session.isAdmin = !!adminRole
await session.save()
if (user.must_reset_password) {
redirect('/reset-password')
} else if (adminRole) {
redirect('/admin')
}
// PBI-11 / ST-1135: telefoon-UA's krijgen de mobile-shell.
// Tablets en desktop volgen het bestaande /dashboard-pad.
const ua = (await headers()).get('user-agent')

16
app/(app)/admin/layout.tsx Normal file
View file

@ -0,0 +1,16 @@
import { requireAdmin } from '@/lib/auth-guard'
import Link from 'next/link'
export default async function AdminLayout({ children }: { children: React.ReactNode }) {
await requireAdmin()
return (
<div className="flex min-h-screen">
<nav className="w-48 border-r p-4 flex flex-col gap-2">
<Link href="/admin/users">Gebruikers</Link>
<Link href="/admin/jobs">Claude Jobs</Link>
<Link href="/admin/products">Producten</Link>
</nav>
<main className="flex-1 p-6">{children}</main>
</div>
)
}

5
app/(app)/admin/page.tsx Normal file
View file

@ -0,0 +1,5 @@
import { redirect } from 'next/navigation'
export default function AdminPage() {
redirect('/admin/users')
}

1
app/api/auth/pair/claim/route.ts
View file

@ -88,6 +88,7 @@ export async function POST(request: Request) {
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
session.userId = pairing.user_id
session.isDemo = pairing.user?.is_demo ?? false
session.isAdmin = false
session.paired = true
session.pairedExpiresAt = Date.now() + PAIRED_TTL_MS
await session.save()

8
lib/auth-guard.ts
View file

@ -22,3 +22,11 @@ export async function requireSession() {
return session
}
export async function requireAdmin() {
const session = await getSession()
if (!session.userId || !session.isAdmin) {
redirect('/dashboard')
}
return session
}

1
lib/session.ts
View file

@ -3,6 +3,7 @@ import { SessionOptions } from 'iron-session'
export interface SessionData {
userId: string
isDemo: boolean
isAdmin: boolean
// ST-1002 (M10) — gezet door /api/auth/pair/claim na een succesvolle QR-pairing.
// Beide velden zijn optioneel zodat bestaande wachtwoord-sessies onveranderd blijven.
paired?: boolean