senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/apps/web/src/router/routeConfig.tsx
senke a90b584e53 fix(security): protect admin routes with role check 
Previously, any authenticated user could access /admin, /admin/moderation,
/admin/platform, /admin/transfers, and /admin/roles — the ProtectedRoute
only checked isAuthenticated, not role. Exposed the admin Command Center
UI to listeners/creators (critical security flaw).

Changes:
- ProtectedRoute accepts requireAdmin prop; redirects to /dashboard when
  authenticated user lacks admin/super_admin role or is_admin=true
- New wrapAdminProtected() helper in routeConfig
- All /admin/* routes now use wrapAdminProtected

Note: Backend API still enforces admin checks independently — this fix
only prevents the UI from being shown to non-admins.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 16:19:16 +02:00

183 lines
7.1 KiB
TypeScript
Raw Blame History

import React from 'react';
import { Navigate, useNavigate } from 'react-router-dom';
import { ErrorBoundary } from '@/components/ErrorBoundary';
import { ProtectedRoute } from '@/components/auth/ProtectedRoute';
import {
LazySharedPlaylistPage,
LazyLogin,
LazyRegister,
LazyForgotPassword,
LazyVerifyEmail,
LazyResetPassword,
LazyDashboard,
LazyChat,
LazyChatJoin,
LazyLibrary,
LazySettings,
LazySessions,
LazyNotFound,
LazyServerError,
LazyUserProfile,
LazyRoles,
LazyTrackDetail,
LazyPlaylistRoutes,
LazyMarketplace,
LazySearch,
LazyNotifications,
LazyAnalytics,
LazyWebhooks,
LazyAdminDashboard,
LazyAdminModeration,
LazyAdminPlatform,
LazyAdminTransfers,
LazyDesignSystemDemo,
LazySocial,
LazyFeed,
LazyDiscover,
LazySellerDashboard,
LazyWishlist,
LazyPurchases,
LazyProductDetail,
LazyCheckoutComplete,
LazyQueue,
LazyDeveloper,
LazyGear,
LazyLive,
LazyGoLive,
LazyListenTogether,
LazyCloud,
LazySubscription,
LazyDistribution,
LazyEducation,
LazySupport,
LazyLanding,
} from '@/components/ui/LazyComponent';
const LazyPrototype = React.lazy(() => import('@/features/prototype/PrototypePage'));
import { PublicRoute } from './PublicRoute';
import { ProtectedLayoutRoute } from './ProtectedLayoutRoute';
import { useUser } from '@/features/auth/hooks/useUser';
import type { RouteEntry } from './types';
/** Redirects /profile to /u/<current_username> */
function ProfileRedirect() {
const { data: user } = useUser();
const navigate = useNavigate();
React.useEffect(() => {
if (user?.username) {
navigate(`/u/${user.username}`, { replace: true });
}
}, [user?.username, navigate]);
return null;
}
function wrapPublic(element: React.ReactNode): React.ReactNode {
return (
<PublicRoute>
<ErrorBoundary>{element}</ErrorBoundary>
</PublicRoute>
);
}
function wrapProtected(element: React.ReactNode): React.ReactNode {
return (
<ProtectedRoute>
<ProtectedLayoutRoute>
<ErrorBoundary>{element}</ErrorBoundary>
</ProtectedLayoutRoute>
</ProtectedRoute>
);
}
function wrapAdminProtected(element: React.ReactNode): React.ReactNode {
return (
<ProtectedRoute requireAdmin>
<ProtectedLayoutRoute>
<ErrorBoundary>{element}</ErrorBoundary>
</ProtectedLayoutRoute>
</ProtectedRoute>
);
}
export function getPublicRoutes(): RouteEntry[] {
return [
{ path: '/login', element: wrapPublic(<LazyLogin />) },
{ path: '/register', element: wrapPublic(<LazyRegister />) },
{ path: '/forgot-password', element: wrapPublic(<LazyForgotPassword />) },
{ path: '/verify-email', element: wrapPublic(<LazyVerifyEmail />) },
{ path: '/reset-password', element: wrapPublic(<LazyResetPassword />) },
];
}
export function getPublicStandaloneRoutes(): RouteEntry[] {
return [
{ path: '/launch', element: <ErrorBoundary><LazyLanding /></ErrorBoundary> },
{ path: '/design-system', element: <ErrorBoundary><LazyDesignSystemDemo /></ErrorBoundary> },
{ path: '/prototype/*', element: <ErrorBoundary><React.Suspense fallback={null}><LazyPrototype /></React.Suspense></ErrorBoundary> },
{ path: '/u/:username', element: <ErrorBoundary><LazyUserProfile /></ErrorBoundary> },
{ path: '/playlists/shared/:token', element: <ErrorBoundary><LazySharedPlaylistPage /></ErrorBoundary> },
];
}
export function getProtectedRoutes(): RouteEntry[] {
return [
{ path: '/dashboard', element: wrapProtected(<LazyDashboard />) },
{ path: '/marketplace', element: wrapProtected(<LazyMarketplace />) },
{ path: '/marketplace/products/:id', element: wrapProtected(<LazyProductDetail />) },
{ path: '/sell', element: wrapProtected(<LazySellerDashboard onCreateProduct={() => {}} />) },
{ path: '/wishlist', element: wrapProtected(<LazyWishlist />) },
{ path: '/purchases', element: wrapProtected(<LazyPurchases />) },
{ path: '/checkout/complete', element: wrapProtected(<LazyCheckoutComplete />) },
{ path: '/chat/join/:token', element: wrapProtected(<LazyChatJoin />) },
{ path: '/chat', element: wrapProtected(<LazyChat />) },
{ path: '/library', element: wrapProtected(<LazyLibrary />) },
{ path: '/profile', element: wrapProtected(<ProfileRedirect />) },
{ path: '/settings', element: wrapProtected(<LazySettings />) },
{ path: '/settings/sessions', element: wrapProtected(<LazySessions />) },
{ path: '/admin/roles', element: wrapAdminProtected(<LazyRoles />) },
{ path: '/tracks/:id', element: wrapProtected(<LazyTrackDetail />) },
{ path: '/playlists/*', element: wrapProtected(<LazyPlaylistRoutes />) },
{ path: '/search', element: wrapProtected(<LazySearch />) },
{ path: '/notifications', element: wrapProtected(<LazyNotifications />) },
{ path: '/analytics', element: wrapProtected(<LazyAnalytics />) },
{ path: '/webhooks', element: wrapProtected(<LazyWebhooks />) },
{ path: '/admin', element: wrapAdminProtected(<LazyAdminDashboard />) },
{ path: '/admin/moderation', element: wrapAdminProtected(<LazyAdminModeration />) },
{ path: '/admin/platform', element: wrapAdminProtected(<LazyAdminPlatform />) },
{ path: '/admin/transfers', element: wrapAdminProtected(<LazyAdminTransfers />) },
{ path: '/social', element: wrapProtected(<LazySocial />) },
{ path: '/feed', element: wrapProtected(<LazyFeed />) },
{ path: '/discover', element: wrapProtected(<LazyDiscover />) },
{ path: '/queue', element: wrapProtected(<LazyQueue />) },
{ path: '/developer', element: wrapProtected(<LazyDeveloper />) },
// Gear: connected to backend inventory API
{ path: '/gear', element: wrapProtected(<LazyGear />) },
// Live: connected to backend live streams API
{ path: '/live/go-live', element: wrapProtected(<LazyGoLive />) },
{ path: '/live', element: wrapProtected(<LazyLive />) },
// Co-listening (v0.10.7 F481)
{ path: '/listen-together/:sessionId', element: wrapProtected(<LazyListenTogether />) },
// Cloud: connected to backend cloud storage API
{ path: '/cloud', element: wrapProtected(<LazyCloud />) },
// v0.12.1: Subscription Plans & Management
{ path: '/subscription', element: wrapProtected(<LazySubscription />) },
// v0.12.2: Distribution to External Platforms
{ path: '/distribution', element: wrapProtected(<LazyDistribution />) },
// v0.12.3: Formation & Éducation
{ path: '/education', element: wrapProtected(<LazyEducation />) },
// v0.13.5 TASK-MKT-004: Support page
{ path: '/support', element: wrapProtected(<LazySupport />) },
// Redirect aliases — intuitive URLs that map to actual routes
{ path: '/tracks', element: <Navigate to="/library" replace /> },
{ path: '/community', element: <Navigate to="/social" replace /> },
{ path: '/favorites', element: <Navigate to="/playlists/favoris" replace /> },
{ path: '/home', element: <Navigate to="/dashboard" replace /> },
];
}
export function getErrorRoutes(): RouteEntry[] {
return [
{ path: '/404', element: <ErrorBoundary><LazyNotFound /></ErrorBoundary> },
{ path: '/500', element: <ErrorBoundary><LazyServerError /></ErrorBoundary> },
];
}
Reference in a new issue View git blame Copy permalink