전체 코드, 구조 검토 - P2 코드 수정 진행
This commit is contained in:
@@ -30,6 +30,8 @@ Admin panel for the chocomae service (mouse-typing), extracted into a standalone
|
||||
- Config lives in `auth.ts` (project root), not inside `app/`.
|
||||
- Unauthenticated requests are caught by `proxy.ts` (middleware) and redirected to `/login`.
|
||||
- API routes must call `auth()` and return 401 if no session.
|
||||
- Session `maxAge` is 8 hours — do not lengthen without review.
|
||||
- `auth.ts` tracks failed login attempts per admin name in an in-memory `Map`. After 5 consecutive failures the account is locked out for 15 minutes. Counter clears on success.
|
||||
|
||||
## Key files
|
||||
|
||||
@@ -85,6 +87,15 @@ Always record a log entry after a successful DB change. Use these `Type` values:
|
||||
- P0-1: `getActionTarget` in `lib/extension-requests.ts` replaced with inline `select` (no `include: { maestro: true }`) — prevents `Password` from appearing in debug result logs.
|
||||
- P0-2: Approve/cancel/reject flows in both `lib/extension-requests.ts` and `lib/upgrade-requests.ts` now use an atomic `updateMany({ Status: REQUESTED → target })` guard; `count === 0` triggers 404/409 — eliminates concurrent double-processing.
|
||||
- P0-3: `docker-compose.yml` and `docker-compose.stage.yml` now set `TZ: Asia/Seoul`; `lib/maestros.ts` date-change log remark uses `formatDate()` instead of `toISOString().slice(0,10)` for KST consistency.
|
||||
- P1-1/P1-2: `createExtensionRequest` and `approveExtensionRequest` require `ActivateStatus === ACTIVE`; `UpgradeRequestsSection` and `createUpgradeRequest` allow TRIAL same-tier upgrade.
|
||||
- P1-3: `approveUpgradeRequest` re-verifies upgrade direction against maestro's current `AccountType` at approval time.
|
||||
- P1-4/P1-5: `createExtensionRequest` wrapped in `db.$transaction`; both create functions write `request_extension_maestro` / `request_upgrade_maestro` log entries.
|
||||
- P1-6: Extension/upgrade approval routes now `await` email send and include `emailSent: boolean` in response; table UI shows inline amber warning when `emailSent === false`.
|
||||
- P2-2: `updateMaestro` now returns 400 instead of silently skipping when `availableActivateDateTime` cannot be parsed.
|
||||
- P2-5: `withApiHandler` catch block returns `{ message: "Internal server error" }` JSON 500 instead of re-throwing (which produced HTML responses).
|
||||
- P2-6: NextAuth session `maxAge` set to 8 hours (`auth.ts`).
|
||||
- P2-7: In-memory brute-force protection added to `auth.ts` — 5 failures → 15-minute lockout per admin name.
|
||||
- P2-8: Default `status` filter for extension/upgrade request lists changed from `undefined` (all) to `REQUEST_STATUSES.REQUESTED`; reset links updated to `?status=1`.
|
||||
|
||||
## Planned phases (not yet implemented)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user