Scrum4Me/app/(app)/layout.tsx
Madhura68 b4813e6e54 feat(ST-1002): add pairing helpers, pre-auth cookie + paired-session guard
lib/auth/pairing.ts: pure crypto-helpers voor de QR-pairing flow.
- generateMobileSecret() / generateDesktopToken() — beide 32 bytes base64url, los
  zodat ze elkaar niet onthullen
- hashToken(t) — sha256-hex
- verifyToken(t, hash) — timingSafeEqual met length-guard
- isPairedSessionExpired(session) — geëxtraheerde helper zodat de Server-
  Component-render Date.now() niet rechtstreeks aanroept (React Compiler-flag)

lib/auth/pair-cookie.ts: HttpOnly pre-auth cookie helpers (s4m_pair).
- Path=/api/auth/pair, Max-Age=120s (gelijk aan pending-TTL pairing),
  SameSite=Lax, Secure in productie

lib/session.ts: SessionData uitgebreid met optionele paired + pairedExpiresAt.

app/(app)/layout.tsx: guard die paired-sessies vernietigt zodra
pairedExpiresAt verstreken is en redirect naar /login.

Tests: 14 unit-tests in __tests__/lib/auth/pairing.test.ts dekken hash-
determinisme, timing-safe verify (true/false/length-mismatch), generator-
uniciteit en vier expiry-scenario's voor isPairedSessionExpired.

Quality gates: npm run lint (0 errors), tsc --noEmit clean, vitest 111/111.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 22:23:00 +02:00


import { redirect } from 'next/navigation'
import { cookies } from 'next/headers'
import { getIronSession } from 'iron-session'
import { SessionData, sessionOptions } from '@/lib/session'
import { isPairedSessionExpired } from '@/lib/auth/pairing'
import { prisma } from '@/lib/prisma'
import { productAccessFilter } from '@/lib/product-access'
import { NavBar } from '@/components/shared/nav-bar'
import { MinWidthBanner } from '@/components/shared/min-width-banner'
import { StatusBar } from '@/components/shared/status-bar'
import { SoloRealtimeBridge } from '@/components/solo/realtime-bridge'
import { AlertToast } from '@/components/shared/alert-toast'
import { Suspense } from 'react'
/**
 * Root layout for the authenticated `(app)` route group.
 *
 * Checks, in order, on every render:
 *  1. no `session.userId` → redirect to `/login`;
 *  2. ST-1002 (M10): a paired session (QR pairing) carries its own, shorter TTL —
 *     once `isPairedSessionExpired(session)` reports it expired, the session is
 *     destroyed and the user is sent to `/login`;
 *  3. the user row no longer exists → redirect to `/login`;
 *  4. a stale `active_product_id` (archived or not accessible any more) is cleared
 *     in the database and the user is redirected to `/dashboard?alert=product_unavailable`.
 *
 * NOTE(review): this guard only runs for pages rendered under this layout. Any
 * route handler that reads the iron-session cookie without calling
 * isPairedSessionExpired would still accept an expired paired session — confirm
 * the same check is applied there (ideally from one shared session-loading helper).
 *
 * @param children - page content rendered inside `<main id="main-content">`.
 */
export default async function AppLayout({ children }: { children: React.ReactNode }) {
  const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
  if (!session.userId) {
    redirect('/login')
  }
  // ST-1002 (M10): paired sessions (via QR pairing) have their own shorter TTL.
  // Expired → destroy and send to /login.
  // NOTE(review): session.destroy() has to rewrite the session cookie. If the
  // cookie store handed to a Server Component render is read-only (Next.js only
  // permits cookie mutation in Server Actions / Route Handlers), this call throws
  // before redirect() runs and the stale cookie stays on the client — verify with
  // an integration test rather than the unit tests mentioned in the commit.
  if (isPairedSessionExpired(session)) {
    session.destroy()
    redirect('/login')
  }
  // Three independent reads issued in parallel. productAccessFilter() is spread
  // into the where-clause, presumably restricting the list to products this user
  // may see — confirm against lib/product-access.
  const [user, userRoles, accessibleProducts] = await Promise.all([
    prisma.user.findUnique({
      where: { id: session.userId },
      select: { username: true, email: true, active_product_id: true },
    }),
    prisma.userRole.findMany({
      where: { user_id: session.userId },
      select: { role: true },
    }),
    prisma.product.findMany({
      where: { archived: false, ...productAccessFilter(session.userId) },
      orderBy: { name: 'asc' },
      select: { id: true, name: true },
    }),
  ])
  // `as string` widens the role value for NavBar; it is a type assertion only,
  // no runtime validation happens here.
  const roles = userRoles.map(r => r.role as string)
  if (!user) {
    redirect('/login')
  }
  // Resolve active product — clear stale reference if archived or inaccessible
  let activeProduct: { id: string; name: string } | null = null
  let hasActiveSprint = false
  if (user.active_product_id) {
    // The access filter is re-applied here, so a product the user can no longer
    // reach is treated as unavailable rather than silently rendered.
    const product = await prisma.product.findFirst({
      where: { id: user.active_product_id, archived: false, ...productAccessFilter(session.userId) },
      select: { id: true, name: true },
    })
    if (product) {
      activeProduct = product
      const sprint = await prisma.sprint.findFirst({
        where: { product_id: product.id, status: 'ACTIVE' },
        select: { id: true },
      })
      hasActiveSprint = !!sprint
    } else {
      // Write during render: the stale pointer is nulled first, so the render
      // after the redirect skips this branch instead of looping.
      await prisma.user.update({
        where: { id: session.userId },
        data: { active_product_id: null },
      })
      redirect('/dashboard?alert=product_unavailable')
    }
  }
  return (
    <div className="h-screen bg-background flex flex-col overflow-hidden">
      {/* Skip link for keyboard / screen-reader users; visible only on focus. */}
      <a href="#main-content" className="sr-only focus:not-sr-only focus:fixed focus:top-2 focus:left-2 focus:z-50 focus:px-4 focus:py-2 focus:bg-primary focus:text-primary-foreground focus:rounded-md focus:text-sm">
        Ga naar inhoud
      </a>
      <NavBar
        isDemo={session.isDemo}
        roles={roles}
        userId={session.userId}
        username={user.username}
        email={user.email}
        activeProduct={activeProduct}
        products={accessibleProducts}
        hasActiveSprint={hasActiveSprint}
      />
      <MinWidthBanner />
      <main id="main-content" className="flex-1 flex flex-col overflow-y-auto min-h-0">
        {children}
      </main>
      <StatusBar />
      <SoloRealtimeBridge />
      <Suspense>
        <AlertToast />
      </Suspense>
    </div>
  )
}