Fix multi-tenant data leakage and remove hardcoded storeId in attribute endpoints (#4)

Author: rezwana-karim

prisma/dev.db

@@ -0,0 +1,31 @@
+/*
+  Warnings:
+
+  - Added the required column `storeId` to the `ProductAttribute` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- First, get the first store ID to assign to existing attributes
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_ProductAttribute" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "storeId" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "values" TEXT NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    CONSTRAINT "ProductAttribute_storeId_fkey" FOREIGN KEY ("storeId") REFERENCES "Store" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- Copy existing attributes and assign them to the first store
+INSERT INTO "new_ProductAttribute" ("createdAt", "id", "name", "updatedAt", "values", "storeId") 
+SELECT "createdAt", "id", "name", "updatedAt", "values", (SELECT id FROM Store LIMIT 1) FROM "ProductAttribute";
+
+DROP TABLE "ProductAttribute";
+ALTER TABLE "new_ProductAttribute" RENAME TO "ProductAttribute";
+CREATE INDEX "ProductAttribute_storeId_idx" ON "ProductAttribute"("storeId");
+CREATE INDEX "ProductAttribute_name_idx" ON "ProductAttribute"("name");
+CREATE UNIQUE INDEX "ProductAttribute_storeId_name_key" ON "ProductAttribute"("storeId", "name");
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

prisma/migrations/20251120013130_add_storeid_to_product_attributes/migration.sql

@@ -251,6 +251,7 @@ model Store {
   brands         Brand[]
   orders         Order[]
   customers      Customer[]
+  attributes     ProductAttribute[]
   
   createdAt      DateTime @default(now())
   updatedAt      DateTime @updatedAt
@@ -412,6 +413,9 @@ model Brand {
 
 model ProductAttribute {
   id        String   @id @default(cuid())
+  storeId   String
+  store     Store    @relation(fields: [storeId], references: [id], onDelete: Cascade)
+  
   name      String
   values    String   // JSON array of possible values
   
@@ -420,6 +424,8 @@ model ProductAttribute {
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
   
+  @@unique([storeId, name])
+  @@index([storeId])
   @@index([name])
 }
 

prisma/schema.sqlite.prisma

@@ -13,7 +13,7 @@ const updateAttributeSchema = z.object({
 });
 
 // GET /api/attributes/[id] - Get attribute by ID
-export async function GET(request: NextRequest, { params }: { params: { id: string } }) {
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const session = await getServerSession(authOptions);
     if (!session?.user) {
@@ -23,7 +23,7 @@ export async function GET(request: NextRequest, { params }: { params: { id: stri
       );
     }
 
-    const id = params?.id ?? request.nextUrl.pathname.split('/').pop();
+    const { id } = await params;
     if (!id) {
       return NextResponse.json(
         { error: 'Invalid request: missing id' },
@@ -44,7 +44,7 @@ export async function GET(request: NextRequest, { params }: { params: { id: stri
 
     return NextResponse.json({ data: attribute });
   } catch (error: unknown) {
-    console.error(`GET /api/attributes/${params?.id} error:`, error);
+    console.error('GET /api/attributes/[id] error:', error);
     return NextResponse.json(
       { error: 'Failed to fetch attribute', details: error instanceof Error ? error.message : String(error) },
       { status: 500 }
@@ -53,7 +53,7 @@ export async function GET(request: NextRequest, { params }: { params: { id: stri
 }
 
 // PATCH /api/attributes/[id] - Update attribute
-export async function PATCH(request: NextRequest, { params }: { params: { id: string } }) {
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const session = await getServerSession(authOptions);
     if (!session?.user) {
@@ -66,7 +66,7 @@ export async function PATCH(request: NextRequest, { params }: { params: { id: st
     const body = await request.json();
     const validatedData = updateAttributeSchema.parse(body);
 
-    const id = params?.id ?? request.nextUrl.pathname.split('/').pop();
+    const { id } = await params;
     if (!id) {
       return NextResponse.json(
         { error: 'Invalid request: missing id' },
@@ -85,7 +85,7 @@ export async function PATCH(request: NextRequest, { params }: { params: { id: st
       message: 'Attribute updated successfully',
     });
   } catch (error: unknown) {
-    console.error(`PATCH /api/attributes/${params?.id} error:`, error);
+    console.error('PATCH /api/attributes/[id] error:', error);
 
     if (error instanceof z.ZodError) {
       return NextResponse.json(
@@ -117,7 +117,7 @@ export async function PATCH(request: NextRequest, { params }: { params: { id: st
 }
 
 // DELETE /api/attributes/[id] - Delete attribute
-export async function DELETE(request: NextRequest, { params }: { params: { id: string } }) {
+export async function DELETE(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
     const session = await getServerSession(authOptions);
     if (!session?.user) {
@@ -127,7 +127,7 @@ export async function DELETE(request: NextRequest, { params }: { params: { id: s
       );
     }
 
-    const id = params?.id ?? request.nextUrl.pathname.split('/').pop();
+    const { id } = await params;
     if (!id) {
       return NextResponse.json(
         { error: 'Invalid request: missing id' },
@@ -142,7 +142,7 @@ export async function DELETE(request: NextRequest, { params }: { params: { id: s
       message: 'Attribute deleted successfully',
     });
   } catch (error: unknown) {
-    console.error(`DELETE /api/attributes/${params?.id} error:`, error);
+    console.error('DELETE /api/attributes/[id] error:', error);
 
     if (error instanceof Error) {
       if (error.message.includes('not found')) {

src/app/api/attributes/[id]/route.ts

@@ -9,7 +9,7 @@ import { z } from 'zod';
 
 // Validation schemas
 const listAttributesSchema = z.object({
-  storeId: z.string().optional(),
+  storeId: z.string().min(1, 'Store ID is required'),
   search: z.string().optional(),
   sortBy: z.enum(['name', 'createdAt', 'updatedAt']).optional(),
   sortOrder: z.enum(['asc', 'desc']).optional(),
@@ -47,14 +47,8 @@ export async function GET(request: NextRequest) {
     // Validate params
     const validatedParams = listAttributesSchema.parse(params);
 
-    // Default storeId to demo store if not provided
-    const storeId = validatedParams.storeId || 'clqm1j4k00000l8dw8z8r8z8r';
-
     const attributeService = AttributeService.getInstance();
-    const result = await attributeService.listAttributes({
-      ...validatedParams,
-      storeId,
-    });
+    const result = await attributeService.listAttributes(validatedParams);
 
     return NextResponse.json(result);
   } catch (error) {

src/app/api/attributes/route.ts

@@ -2,18 +2,15 @@
 // Edit Attribute Page
 
 import { getServerSession } from 'next-auth/next';
-import { redirect, notFound } from 'next/navigation';
+import { redirect } from 'next/navigation';
 import { authOptions } from '@/lib/auth';
-import { AttributeForm } from '@/components/attribute-form';
 import { AttributeEditClient } from '@/components/attribute-edit-client';
 
 export const metadata = {
   title: 'Edit Attribute | Dashboard | StormCom',
   description: 'Edit product attribute',
 };
 
-// No SSR data fetching to avoid Prisma runtime constraints; client layer will fetch
-
 export default async function EditAttributePage({
   params,
 }: {
@@ -27,8 +24,6 @@ export default async function EditAttributePage({
 
   const { id } = await params;
 
-  const storeId = 'clqm1j4k00000l8dw8z8r8z8r';
-
   return (
     <div className="flex flex-col gap-4 p-4 md:p-6">
       <div>
@@ -38,7 +33,7 @@ export default async function EditAttributePage({
         </p>
       </div>
 
-      <AttributeEditClient id={id} storeId={storeId} />
+      <AttributeEditClient id={id} />
     </div>
   );
 }

src/app/dashboard/attributes/[id]/page.tsx

@@ -4,7 +4,7 @@
 import { getServerSession } from 'next-auth/next';
 import { redirect } from 'next/navigation';
 import { authOptions } from '@/lib/auth';
-import { AttributeForm } from '@/components/attribute-form';
+import { AttributeNewClient } from '@/components/attribute-new-client';
 
 export const metadata = {
   title: 'New Attribute | Dashboard | StormCom',
@@ -18,9 +18,6 @@ export default async function NewAttributePage() {
     redirect('/login');
   }
 
-  // Use demo store ID for now
-  const storeId = 'clqm1j4k00000l8dw8z8r8z8r';
-
   return (
     <div className="flex flex-col gap-4 p-4 md:p-6">
       <div>
@@ -30,7 +27,7 @@ export default async function NewAttributePage() {
         </p>
       </div>
 
-      <AttributeForm storeId={storeId} />
+      <AttributeNewClient />
     </div>
   );
 }

src/app/dashboard/attributes/new/page.tsx

@@ -5,7 +5,7 @@ import { Suspense } from 'react';
 import { getServerSession } from 'next-auth/next';
 import { redirect } from 'next/navigation';
 import { authOptions } from '@/lib/auth';
-import { AttributesTable } from '@/components/attributes-table';
+import { AttributesPageClient } from '@/components/attributes-page-client';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
 
 export const metadata = {
@@ -20,9 +20,6 @@ export default async function AttributesPage() {
     redirect('/login');
   }
 
-  // Use demo store ID for now
-  const storeId = 'clqm1j4k00000l8dw8z8r8z8r';
-
   return (
     <div className="flex flex-col gap-4 p-4 md:p-6">
       <div>
@@ -41,7 +38,7 @@ export default async function AttributesPage() {
         </CardHeader>
         <CardContent>
           <Suspense fallback={<div>Loading...</div>}>
-            <AttributesTable storeId={storeId} />
+            <AttributesPageClient />
           </Suspense>
         </CardContent>
       </Card>

src/app/dashboard/attributes/page.tsx

@@ -3,19 +3,21 @@
 
 import * as React from 'react';
 import { AttributeForm } from '@/components/attribute-form';
+import { StoreSelector } from '@/components/store-selector';
 import { toast } from 'sonner';
 
 interface AttributeEditClientProps {
   id: string;
-  storeId: string;
 }
 
-export function AttributeEditClient({ id, storeId }: AttributeEditClientProps) {
+export function AttributeEditClient({ id }: AttributeEditClientProps) {
+  const [storeId, setStoreId] = React.useState<string>('');
   const [loading, setLoading] = React.useState(true);
   const [error, setError] = React.useState<string | null>(null);
   const [data, setData] = React.useState<{ name: string; values: string[] } | null>(null);
 
   React.useEffect(() => {
+    if (!storeId) return;
     let active = true;
     (async () => {
       try {
@@ -37,20 +39,32 @@ export function AttributeEditClient({ id, storeId }: AttributeEditClientProps) {
       }
     })();
     return () => { active = false; };
-  }, [id]);
-
-  if (loading) {
-    return <p className="text-muted-foreground">Loading attribute...</p>;
-  }
-  if (error || !data) {
-    return <p className="text-red-600">{error ?? 'Attribute not found'}</p>;
-  }
+  }, [id, storeId]);
 
   return (
-    <AttributeForm
-      attributeId={id}
-      initialData={data}
-      storeId={storeId}
-    />
+    <div className="space-y-6">
+      <div className="flex items-center gap-4">
+        <label className="text-sm font-medium">Store:</label>
+        <StoreSelector onStoreChange={setStoreId} />
+      </div>
+
+      {!storeId ? (
+        <div className="rounded-lg border bg-card p-12 text-center">
+          <p className="text-sm text-muted-foreground">
+            Select a store to edit the attribute
+          </p>
+        </div>
+      ) : loading ? (
+        <p className="text-muted-foreground">Loading attribute...</p>
+      ) : error || !data ? (
+        <p className="text-red-600">{error ?? 'Attribute not found'}</p>
+      ) : (
+        <AttributeForm
+          attributeId={id}
+          initialData={data}
+          storeId={storeId}
+        />
+      )}
+    </div>
   );
 }

src/components/attribute-edit-client.tsx

@@ -0,0 +1,31 @@
+"use client";
+
+// src/components/attribute-new-client.tsx
+// Client component for creating new attribute with store selection
+
+import { useState } from 'react';
+import { StoreSelector } from '@/components/store-selector';
+import { AttributeForm } from '@/components/attribute-form';
+
+export function AttributeNewClient() {
+  const [storeId, setStoreId] = useState<string>('');
+
+  return (
+    <div className="space-y-6">
+      <div className="flex items-center gap-4">
+        <label className="text-sm font-medium">Store:</label>
+        <StoreSelector onStoreChange={setStoreId} />
+      </div>
+
+      {storeId ? (
+        <AttributeForm storeId={storeId} />
+      ) : (
+        <div className="rounded-lg border bg-card p-12 text-center">
+          <p className="text-sm text-muted-foreground">
+            Select a store to create an attribute
+          </p>
+        </div>
+      )}
+    </div>
+  );
+}