no, I meant when it comes to security.. stck code..

are we using resen
Leon Serfaty G
2025-12-26 02:22:08 +00:00
parent a36df80cd4
commit dd3cb8ffcf
5 changed files with 964 additions and 5064 deletions
+928 -5047
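--- a/<PATH NOT SHOWN: package.json>
+++ b/<PATH NOT SHOWN: package.json>
@@ -13,7 +13,6 @@
 },
 "dependencies": {
 "@hookform/resolvers": "^3.4.2",
-"@next-auth/better-sqlite3-adapter": "^0.3.1",
 "@radix-ui/react-accordion": "^1.2.0",
 "@radix-ui/react-alert-dialog": "^1.1.1",
 "@radix-ui/react-avatar": "^1.1.0",
@@ -36,6 +35,7 @@
 "@radix-ui/react-toast": "^1.2.1",
 "@radix-ui/react-tooltip": "^1.1.2",
 "better-sqlite3": "^9.6.0",
+"bcrypt": "^5.1.1",
 "class-variance-authority": "^0.7.0",
 "clsx": "^2.1.1",
 "date-fns": "^3.6.0",
@@ -58,6 +58,7 @@
 "zod": "^3.23.8"
 },
 "devDependencies": {
+"@types/bcrypt": "^5.0.2",
 "@types/better-sqlite3": "^7.6.10",
 "@types/node": "^20.14.2",
 "@types/nodemailer": "^6.4.14",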
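--- a/<PATH NOT SHOWN: seed script>
+++ b/<PATH NOT SHOWN: seed script>
@@ -1,9 +1,10 @@
 import Database from 'better-sqlite3';
+import bcrypt from 'bcrypt';
 const db = new Database('local.db');
-function seed() {
+async function seed() {
 console.log('Seeding database with settings and email templates...');
 // Create settings table if it doesn't exist
@@ -98,15 +99,32 @@ function seed() {
 console.log('Default email template updated.');
 }
+// Hash password for default user
+const userStmt = db.prepare('SELECT id, password FROM users WHERE email = ?');
+const defaultUser = userStmt.get('admin@example.com') as { id: string, password?: string };
+if (defaultUser && (!defaultUser.password || !defaultUser.password.startsWith('$2b$'))) {
+console.log('Default user has plain text password. Hashing now...');
+const hashedPassword = await bcrypt.hash('password', 10);
+const updateUser = db.prepare('UPDATE users SET password = ? WHERE id = ?');
+updateUser.run(hashedPassword, defaultUser.id);
+console.log('Default user password has been hashed.');
+}
 console.log('Seeding complete.');
 }
-try {
-seed();
-} catch (e) {
-console.error('Seeding failed:');
-console.error(e);
-process.exit(1);
-} finally {
-db.close();
+async function runSeed() {
+try {
+await seed();
+} catch (e) {
+console.error('Seeding failed:');
+console.error(e);
+process.exit(1);
+} finally {
+db.close();
+}
 }
+runSeed();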
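Review bot: The seed still provisions admin@example.com with the literal password 'password' (`bcrypt.hash('password', 10)`), so the change fixes how the credential is stored but every deployment still ships with the same well-known default. Read the initial password from the environment and refuse to seed without it, e.g. `const initialPassword = process.env.SEED_ADMIN_PASSWORD;` followed by `if (!initialPassword) throw new Error('SEED_ADMIN_PASSWORD is not set');` (variable name illustrative), or flag the account for a forced reset on first login. The `startsWith('$2b$')` test also treats any hash with a `$2a$`/`$2y$` prefix as plain text and would overwrite such an existing admin hash with the default password, so a check like `/^\$2[aby]\$/.test(defaultUser.password)` is safer. Note as well that `process.exit(1)` in the catch branch terminates before the `finally` runs, so `db.close()` is skipped on failure; logging and returning a non-zero `process.exitCode` instead lets the handle close.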
+3 -4
@@ -5,6 +5,7 @@ import { z } from 'zod';
import { getUserByEmail } from '@/lib/actions/user'; import { getUserByEmail } from '@/lib/actions/user';
import getDb from './lib/db'; import getDb from './lib/db';
import { BetterSqlite3Adapter } from '@next-auth/better-sqlite3-adapter'; import { BetterSqlite3Adapter } from '@next-auth/better-sqlite3-adapter';
import bcrypt from 'bcrypt';
const db = getDb(); const db = getDb();
@@ -28,9 +29,7 @@ export const authOptions: NextAuthOptions = {
const user = await getUserByEmail(email); const user = await getUserByEmail(email);
if (!user || !user.password) return null; if (!user || !user.password) return null;
// This is a temporary solution for the demo. const passwordsMatch = await bcrypt.compare(password, user.password);
// In a real application, you should hash and compare passwords securely.
const passwordsMatch = password === user.password;
if (passwordsMatch) { if (passwordsMatch) {
return { id: user.id, name: user.name, email: user.email }; return { id: user.id, name: user.name, email: user.email };
@@ -64,4 +63,4 @@ export const authOptions: NextAuthOptions = {
} }
}; };
export const { handlers, auth, signIn, signOut } = NextAuth(authOptions); export const { handlers, auth, signIn, signOut } = NextAuth(authOptions);
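Review bot: The new `bcrypt.compare` runs only after `if (!user || !user.password) return null;`, so a sign-in attempt for an unknown email now returns almost immediately while a wrong password for a known email pays the full bcrypt cost, and that timing difference lets a caller tell the two cases apart. The usual mitigation is to spend the same work on both paths, e.g. `if (!user || !user.password) { await bcrypt.compare(password, DUMMY_HASH); return null; }` where `DUMMY_HASH` is a bcrypt hash generated once at module load. Separately, the package.json hunk in this commit appears to drop `@next-auth/better-sqlite3-adapter` from dependencies while the unchanged import of `BetterSqlite3Adapter` directly above the new bcrypt import still references it, so it is worth confirming the adapter still resolves after a fresh install. The callback containing these lines starts and ends outside the hunk.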
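--- a/<PATH NOT SHOWN: user actions module>
+++ b/<PATH NOT SHOWN: user actions module>
@@ -5,6 +5,7 @@ import { z } from 'zod';
 import getDb from '@/lib/db';
 import { revalidatePath } from 'next/cache';
 import { auth } from '@/auth';
+import bcrypt from 'bcrypt';
 const formSchema = z.object({
 name: z.string().min(1, 'Name is required'),
@@ -78,10 +79,10 @@ export async function updateUser(data: UserFormValues): Promise<{ success: boole
 }
 if (password && password.length > 0) {
-// If a new password is provided, update it along with name and email
+// If a new password is provided, hash it and update it along with name and email
+const hashedPassword = await bcrypt.hash(password, 10);
 const stmt = db.prepare('UPDATE users SET name = ?, email = ?, password = ? WHERE id = ?');
-// In a real app, hash the password! For this example, we store it as plain text.
-stmt.run(name, email, password, userId);
+stmt.run(name, email, hashedPassword, userId);
 } else {
 // If no new password, only update name and email
 const stmt = db.prepare('UPDATE users SET name = ?, email = ? WHERE id = ?');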
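Review bot: The bcrypt cost factor is hard-coded as `10` here (`bcrypt.hash(password, 10)`) and again in the seed script's `bcrypt.hash('password', 10)`, so the two will drift the first time one is tuned; a single shared constant such as `export const BCRYPT_ROUNDS = 10;` used by both keeps seeding and updates consistent. bcrypt also uses only the first 72 bytes of its input, so adding a `.max(72, ...)` bound to the password rule in `formSchema` (that rule is outside the hunk) makes the limit explicit instead of silently truncating longer passwords. `updateUser` begins before the hunk and continues after it.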