a75731a902e8c0b7f0c5569d6bfd229fbc08a95c
7 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
m
|
3da11bd798 |
chore(t-paliad-081): doc + dead-code batch (F-5/F-10/F-11/F-15/F-16/F-17/F-18)
Bundle of small audit findings, all doc-only or dead-code: - F-5: refresh stale escalation-contact comment in models.User — Settings UI dropdown shipped 2026-04-29 (t-paliad-066). - F-10: add "OBSOLETED by migration 018" note to migrations 004/005/006 so readers stop hunting for the live shape in obsolete files. - F-11: document the data-loss semantics of dropping paliad.partner_unit_events on the 027 down — audit rows are append-only telemetry, accepted loss on rollback. - F-15: drop the patholo_session / patholo_refresh cookie fallback added during the 2026-04-16 rebrand. Active users have long since been re-authed through the upgrade path; inactive users hit the normal /login flow. - F-16: refresh stale /api/departments comment in team_pages.go to /api/partner-units (renamed in t-paliad-070). - F-17: move internal/db/migrations/_dev/mock_supabase_auth.sql to internal/db/devtools/ so a future loosening of the //go:embed pattern can't accidentally ship the dev-only fixture. - F-18: update docs/project-status.md "Audit polish-2" entry — the batch shipped via t-paliad-067 / 068 / 073, follow-ups are now tracked under the 2026-04-30 re-audit + t-paliad-074. go build / vet / test clean. |
||
|
m
|
c697fe3418 |
feat(admin): /admin/team page + admin-only user CRUD (t-paliad-050)
- New auth.RequireAdmin middleware (gates by paliad.users.role='admin')
with API/browser-aware reject paths and a fail-closed lookup-error 500.
- Service: AdminCreateUser (onboard from existing auth.users), AdminUpdate
(full profile fields incl. additional_offices), AdminDeleteUser (also
removes project_teams + department_members memberships and clears any
led-Dezernat seat — auth.users is left intact), ListUnonboardedAuthUsers,
IsAdmin (implements auth.AdminLookup).
- Handlers: GET/POST /api/admin/users, GET /api/admin/users/unonboarded,
PATCH/DELETE /api/admin/users/{id}, plus GET /admin/team for the page.
All registered through RequireAdminFunc so non-admins get 403/302.
- Refuses to delete the last remaining admin and rejects role='admin'
assignment via the admin UI (still SQL-only) — same rules as PATCH /api/me.
- /admin/team page: full users table with inline edit (display_name, office,
role, dezernat, additional_offices, lang), trash with confirm, search +
office filters, "Onboard existing account" modal driven by
/api/admin/users/unonboarded, and an Invite button that re-opens the
shared sidebar invite modal.
- Sidebar gains a hidden Admin section that sidebar.ts reveals after a
successful /api/me lookup confirms role='admin' (fails closed on error).
- DE+EN i18n strings for the page, modal and table.
- Tests: require_admin_test.go covers admin-allowed, non-admin 403/302,
unauthenticated 401 and lookup-error fail-closed paths.
|
||
|
m
|
b8f95f5d7a |
feat: user onboarding flow — first-login profile capture (t-paliad-019)
New users were stuck on the dashboard with a dead-end "Bitte schließen Sie das Onboarding ab" message because nothing created the paliad.users row that all matter-management features depend on. This adds the missing Phase D flow. Backend - UserService.Create: validates display_name / office / role, inserts the paliad.users row with (id, email) from the verified JWT claims (never from the request body — prevents onboarding as someone else). - Admin bootstrap: only the very first paliad.users row may self-assign role='admin'; subsequent requests get ErrAdminBootstrapOnly (403). Guarded by pg_advisory_xact_lock so two concurrent first-logins can't race past the count=0 check under READ COMMITTED. - POST /api/onboarding + GET /onboarding; the page is authenticated but NOT behind the onboarding gate (it's the one page users without a paliad.users row may reach). - gateOnboarded middleware wraps the matter-management pages (Dashboard, Akten, Fristen, Termine, Einstellungen/CalDAV) and 302s to /onboarding when the caller has no paliad.users row. Knowledge-platform pages (Kostenrechner, Glossar, Links, Downloads, Gerichte, Gebührentabellen, Checklisten, Fristenrechner) stay ungated. - auth.VerifiedClaims now carries the email claim; auth.ClaimsFromContext exposes it to handlers. GET /api/me includes the email in the 404 body so the onboarding form can pre-fill the display name from the local-part. Frontend - frontend/src/onboarding.tsx + src/client/onboarding.ts: centred card on the existing .login-card styling. Fields: display_name (required, pre-filled from email local-part), office (dropdown from /api/offices), role (dropdown, default associate), practice_group (optional). - Dashboard client: toggleOnboardingHint now redirects to /onboarding instead of showing the dead-end hint — belt-and-braces behind the server gate in case the DB lookup fell through. - DE + EN i18n keys for every label, placeholder, and error. - Added onboarding to build.ts. Tests: internal/services/user_service_test.go covers the valid path, per-field validation, duplicate (ErrUserAlreadyOnboarded), and the admin-bootstrap gate. Follows the existing TEST_DATABASE_URL skip pattern. |
||
|
m
|
0cdc644b50 |
fix: audit medium items — Verlauf pagination, patholo→paliad rename, offices (t-paliad-018)
Three items from docs/improvement-audit.md §2: I-5 Verlauf pagination - AkteService.ListEvents now accepts a (before *uuid.UUID, limit int) cursor - SQL uses a composite (created_at, id) cursor subquery — stable across rows written in the same microsecond - Handler parses ?before=<uuid>&limit=<n>, service clamps to 200 - Frontend fetches first page (50) on init and exposes a "Mehr laden" / "Load more" button that keeps paging until the tail returns < page size - i18n keys akten.detail.verlauf.loadMore / .loadingMore in DE + EN I-8 patholo → paliad client-side rename with migrations - i18n.ts: STORAGE_KEY is now paliad-lang; one-shot migration reads the old patholo-lang value, writes the new key, deletes the old - sidebar.ts: same pattern for paliad-sidebar-pinned - Cookie rename with dual-read grace period: SessionCookieName is paliad_session, LegacySessionCookieName keeps patholo_session as read-only fallback. Requests using the legacy cookie get upgraded to paliad_session in the response; legacy cookie is expired in the same response. ClearAuthCookies clears both names to prevent stale-cookie resurrection. Remove the legacy fallback after 2026-05-18 (30d cookie max age). - handlers/links.go:extractEmailFromCookie reads either cookie name via auth.SessionCookieName / auth.LegacySessionCookieName P-6 Single source of truth for offices - New internal/offices package: Office struct + All + IsValid + Keys - akte_service.go switched from inline isValidOffice to offices.IsValid - GET /api/offices returns the list with DE + EN labels - Akte create form (akten-neu.tsx) has an empty <select>; the client TS fetches /api/offices and populates options, re-rendering on lang change Tests: - internal/offices/offices_test.go covers IsValid + Keys + label coverage - internal/auth: three new Middleware tests — legacy cookie still authenticates + upgrades the browser, new cookie wins when both are present (no clobber), missing cookie returns 401 on API paths Build: go build ./... + go vet ./... + go test ./... + bun run build all clean. Known out-of-scope: handlers/links.go still POSTs to public.patholo_link_* via PostgREST; migration 011 created fresh paliad.link_* tables but the handler refactor (move to direct DB, copy data, drop public tables) is a separate phase documented in that migration's header. |
||
|
m
|
3e20806aee |
fix(security): verify JWT signatures + plug 4 other critical gaps (t-paliad-016)
C-1. Session JWT signature verification (authZ bypass fix) - Add SUPABASE_JWT_SECRET env var; fail-fast at startup if unset. - auth.Client.VerifyToken uses github.com/golang-jwt/jwt/v5 to verify HS256 signatures, reject alg=none, enforce exp/nbf/iat. - Middleware stores verified claims in request context; WithUserID reads only verified claims (no more raw-cookie sub decoding). - API requests get 401 on missing/invalid token (was 302 redirect). - Refresh flow only runs on expiry; other signature failures reject outright and clear cookies. C-2. Dashboard Termine cross-user privacy leak - dashboard_service.loadUpcomingAppointments now mirrors TerminService.canSee: personal Termine (akte_id IS NULL) are creator-only; admins do NOT see other users' personal Termine. C-3. Role gate on Parteien + Termine mutations - ParteienService.Delete now partner/admin only (matches FristService). - TerminService.Update / Delete on Akte-linked Termine now require partner/admin (or the original creator). Personal Termine stay creator-only. C-4. Email gate → ALLOWED_EMAIL_DOMAINS whitelist - isHoganLovellsEmail → isAllowedEmailDomain reading the env var (default: hoganlovells.com,hlc.com,hlc.de). Case-insensitive, whitespace-tolerant. - login.tsx placeholder: name@hoganlovells.com → name@hlc.com - Error strings + login.hint (de/en) rewritten for HLC branding. C-5. Docker compose env wiring - docker-compose.yml gains SUPABASE_JWT_SECRET, CALDAV_ENCRYPTION_KEY, and ALLOWED_EMAIL_DOMAINS passthrough; commented-out ANTHROPIC_API_KEY line for Phase H readiness. Tests - auth_test.go: valid/wrong-secret/expired/alg-none/missing-sub/garbage token cases for VerifyToken. - handlers/auth_test.go: default + env-override cases for the email whitelist. - go build ./..., go vet ./..., go test ./... all clean. |
||
|
m
|
bcc4939af2 |
feat(services): Phase B — sqlx pool, services, Akten/Frist endpoints
Implements docs/design-kanzlai-integration.md §8 Phase B.
Pool & infrastructure:
- internal/db/pool.go — sqlx connection pool via DATABASE_URL
(lazy, sync.Once, returns nil if unset)
- cmd/server/main.go wires pool + services on startup; skips gracefully
if DATABASE_URL unset (existing endpoints still work)
Services (internal/services/):
- holidays.go — ported from KanzlAI. Audit §1.6 fix: replaces unguarded
map with sync.Map of *yearEntry (sync.Once per year), race-safe under
concurrent readers.
- deadline_calculator.go — ported. days/weeks/months + before/after
timing + holiday/weekend adjustment via HolidayService.
- deadline_rule_service.go — ported, DB-backed. List, GetRuleTree,
GetFullTimeline (recursive CTE for cross-type spawns), GetByIDs,
ListProceedingTypes.
- user_service.go — reads paliad.users; GetByID returns (nil, nil) for
users who haven't onboarded yet (safe default = no visibility).
- akte_service.go — new. Office-scoped visibility enforced at the app
layer (defense-in-depth alongside RLS). ListVisibleForUser uses the
visibility predicate directly in SQL so indexes can drive the query.
Create/Update/Delete enforce role gates:
* associates can only create in their own office
* only admins can move an Akte between offices
* only partners/admins can toggle firm_wide_visible
* only partners/admins can delete (soft, status='archived')
Writes an akten_events row on create, status change, firm-wide toggle,
collaborator change.
- parteien_service.go — ported. Visibility inherited from the parent
Akte via AkteService.GetByID gate.
Sentinel errors:
- services.ErrNotVisible → handlers return 404 (never leak existence)
- services.ErrForbidden → 403
- services.ErrInvalidInput → 400
Auth context:
- internal/auth/user.go — WithUserID middleware extracts the `sub` claim
from the Supabase JWT session cookie and injects uuid.UUID into the
request context. Runs after Client.Middleware (which already validated
the cookie expiry). Handlers use auth.UserIDFromContext().
Handlers (internal/handlers/):
- akten.go — full CRUD for /api/akten + /api/akten/{id}/parteien.
All require DB configured (503 otherwise) and authenticated user
(401 otherwise). Returns 404 for non-visible IDs.
- deadline_rules_db.go — GET /api/deadline-rules, GET
/api/proceeding-types-db, POST /api/deadlines/calculate.
The /api/deadlines/calculate endpoint lives alongside the existing
in-memory /api/tools/fristenrechner; Phase C swaps the UI over and
deletes the in-memory rule tree.
- handlers.Register now takes an optional *Services bundle; when
DATABASE_URL unset the DB-backed endpoints return 503 with a clear
error message.
Tests (internal/services/):
- holidays_test.go — Easter algorithm (5 years spot-checked), German
federal holidays, weekend + Neujahr adjustment, concurrent cache
reads under -race.
- deadline_calculator_test.go — days/weeks/months calc, before timing,
Karfreitag→Ostermontag skip (lands on Tue 2026-04-07), batch with
zero-duration rule.
- akte_service_test.go — live DB test behind `TEST_DATABASE_URL` (skip
otherwise). Verifies 4-Akte × 3-user visibility model AND role
enforcement (associate can't delete, can't cross-office-create,
invalid office rejected).
Manual verification:
- `go build ./...` + `go vet ./...` clean
- `go test ./internal/services/ -race` passes (DB tests skip without URL)
- With TEST_DATABASE_URL set, all visibility + role tests pass
- Live HTTP smoke test with forged JWT cookie:
* /api/deadline-rules returns 40 rules
* /api/proceeding-types-db returns 7 types
* /api/deadlines/calculate INF + 2026-04-15 returns calculated deadlines
* /api/akten returns [] (user has no paliad.users row yet — safe default)
* /login, / still work (no regressions)
|
||
|
m
|
21bf56dc20 |
feat: add Supabase password auth with @hoganlovells.com restriction
Go server authenticates against Supabase GoTrue (youpc instance) using email+password. Login page with login/register tabs, domain restricted to @hoganlovells.com. Auth middleware protects all routes, refreshes expired tokens via refresh_token cookie. Lime green branding. - internal/auth: Supabase client (sign in, sign up, refresh, sign out), JWT expiry decode, auth middleware, cookie management - internal/handlers: login/register/logout handlers, per-page template parsing to avoid content block collisions - templates/login.html: tabbed login/register form - 30-day HTTP-only session cookies with SameSite=Lax - SUPABASE_URL and SUPABASE_ANON_KEY env vars in docker-compose |