Merge pull request #55 from ITSEC-Research/yoko-dev

refactor auth/sidebar and add feed management feature

Author: yokokho

app/api/auth/login/route.ts

@@ -117,6 +117,17 @@ export async function POST(request: NextRequest) {
 
     response.cookies.set("auth", token, getSecureCookieOptions(request))
 
+    // UI hint cookie: allows sidebar to render correct menu items immediately
+    // without waiting for async /api/auth/get-user call.
+    // Not httpOnly so client JS can read it. Not used for authorization.
+    response.cookies.set("user_role", userRole, {
+      httpOnly: false,
+      secure: isRequestSecure(request),
+      sameSite: 'strict',
+      maxAge: 24 * 60 * 60,
+      path: '/',
+    })
+
     return response
   } catch (err) {
     console.error("Login error:", err)

app/api/auth/logout/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getSecureCookieOptions } from "@/lib/auth";
+import { getSecureCookieOptions, isRequestSecure } from "@/lib/auth";
 
 export async function POST(request: NextRequest) {
   const response = NextResponse.json({ success: true });
@@ -10,5 +10,14 @@ export async function POST(request: NextRequest) {
     maxAge: 0,
   });
 
+  // Clear the UI hint cookie
+  response.cookies.set("user_role", "", {
+    httpOnly: false,
+    secure: isRequestSecure(request),
+    sameSite: 'strict',
+    maxAge: 0,
+    path: '/',
+  });
+
   return response;
 }

app/api/auth/verify-totp/route.ts

@@ -128,6 +128,17 @@ export async function POST(request: NextRequest) {
 
     response.cookies.set("auth", token, getSecureCookieOptions(request))
 
+    // UI hint cookie: allows sidebar to render correct menu items immediately
+    // without waiting for async /api/auth/get-user call.
+    // Not httpOnly so client JS can read it. Not used for authorization.
+    response.cookies.set("user_role", userRole, {
+      httpOnly: false,
+      secure: isRequestSecure(request),
+      sameSite: 'strict',
+      maxAge: 24 * 60 * 60,
+      path: '/',
+    })
+
     // SECURITY: Clear the pending_2fa cookie after successful verification
     response.cookies.set("pending_2fa", "", {
       httpOnly: true,

app/api/db-sync/route.ts

@@ -355,7 +355,7 @@ async function checkSchema(): Promise<SchemaCheckResult> {
   const warnings = differences.filter(d => d.severity === 'warning').length
 
   return {
-    isValid: criticalIssues === 0 && missingTables.length === 0,
+    isValid: criticalIssues === 0 && missingTables.length === 0 && warnings === 0,
     schemaVersion: SCHEMA_VERSION,
     differences,
     missingTables,

app/api/feeds/articles/route.ts

@@ -0,0 +1,86 @@
+export const dynamic = 'force-dynamic'
+import { NextRequest, NextResponse } from "next/server"
+import { validateRequest } from "@/lib/auth"
+import { executeQuery } from "@/lib/mysql"
+import { triggerBackgroundSyncIfNeeded } from "@/lib/feed-sync"
+
+export async function GET(request: NextRequest) {
+  const user = await validateRequest(request)
+  if (!user) {
+    return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 401 })
+  }
+
+  try {
+    // 1. SWR: Perform a non-blocking check to see if feeds need a background sync
+    // This function will spawn a background promise and return immediately
+    triggerBackgroundSyncIfNeeded()
+
+    const { searchParams } = new URL(request.url)
+    const category_slug = searchParams.get('category_slug')
+    const source_id = searchParams.get('source_id')
+    const search = searchParams.get('q')
+    const startDate = searchParams.get('startDate')
+    const endDate = searchParams.get('endDate')
+    const page = parseInt(searchParams.get('page') || '1')
+    const limit = parseInt(searchParams.get('limit') || '20')
+    const offset = (page - 1) * limit
+
+    let query = `
+      SELECT a.*, s.name as source_name, c.name as category_name
+      FROM feed_articles a
+      JOIN feed_sources s ON a.source_id = s.id
+      JOIN feed_categories c ON s.category_id = c.id
+      WHERE 1=1
+    `
+    const params: any[] = []
+
+    if (category_slug && category_slug !== 'all') {
+      query += ` AND c.slug = ?`
+      params.push(category_slug)
+    }
+
+    if (source_id) {
+      query += ` AND s.id = ?`
+      params.push(source_id)
+    }
+
+    if (search) {
+      query += ` AND (a.title LIKE ? OR a.description LIKE ?)`
+      params.push(`%${search}%`, `%${search}%`)
+    }
+
+    if (startDate) {
+      query += ` AND DATE(COALESCE(a.pub_date, a.created_at)) >= ?`
+      params.push(startDate)
+    }
+
+    if (endDate) {
+      query += ` AND DATE(COALESCE(a.pub_date, a.created_at)) <= ?`
+      params.push(endDate)
+    }
+
+    // Get total count
+    const countQuery = query.replace('SELECT a.*, s.name as source_name, c.name as category_name', 'SELECT COUNT(*) as total')
+    const [countResult]: any = await executeQuery(countQuery, params)
+    const total = countResult?.total || 0
+
+    // Get paginated data
+    query += ` ORDER BY COALESCE(a.pub_date, a.created_at) DESC LIMIT ${Number(limit)} OFFSET ${Number(offset)}`
+    
+    const articles = await executeQuery(query, params)
+
+    return NextResponse.json({ 
+      success: true, 
+      articles,
+      pagination: {
+        page,
+        limit,
+        total,
+        totalPages: Math.ceil(total / limit)
+      }
+    })
+  } catch (error) {
+    console.error("[NewsFeed] Error getting articles:", error)
+    return NextResponse.json({ success: false, error: "Failed to fetch articles" }, { status: 500 })
+  }
+}

app/api/feeds/categories/route.ts

@@ -0,0 +1,122 @@
+import { NextRequest, NextResponse } from "next/server"
+import { validateRequest, requireAdminRole } from "@/lib/auth"
+import { executeQuery } from "@/lib/mysql"
+
+export async function GET(request: NextRequest) {
+  const user = await validateRequest(request)
+  if (!user) {
+    return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 401 })
+  }
+
+  try {
+    const categories = await executeQuery(`SELECT * FROM feed_categories ORDER BY display_order ASC, name ASC`)
+    return NextResponse.json({ success: true, categories })
+  } catch (error) {
+    console.error("[NewsFeed] Error getting categories:", error)
+    return NextResponse.json({ success: false, error: "Failed to get categories" }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const user = await validateRequest(request)
+  if (!user) {
+    return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 401 })
+  }
+
+  const roleError = requireAdminRole(user)
+  if (roleError) return roleError
+
+  try {
+    const body = await request.json()
+    const { name, slug, display_order = 0 } = body
+
+    if (!name || !slug) {
+      return NextResponse.json({ success: false, error: "Name and slug are required" }, { status: 400 })
+    }
+
+    const result = await executeQuery(
+      `INSERT INTO feed_categories (name, slug, display_order) VALUES (?, ?, ?)`,
+      [name, slug, display_order]
+    )
+
+    return NextResponse.json({ 
+      success: true, 
+      message: "Category created", 
+      id: (result as any).insertId 
+    })
+  } catch (error: any) {
+    console.error("[NewsFeed] Error creating category:", error)
+    if (error.code === 'ER_DUP_ENTRY') {
+      return NextResponse.json({ success: false, error: "A category with this slug already exists" }, { status: 400 })
+    }
+    return NextResponse.json({ success: false, error: "Failed to create category" }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest) {
+  const user = await validateRequest(request)
+  if (!user) {
+    return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 401 })
+  }
+
+  const roleError = requireAdminRole(user)
+  if (roleError) return roleError
+
+  try {
+    const body = await request.json()
+    const { id, name, slug, display_order } = body
+
+    if (!id || (!name && !slug && display_order === undefined)) {
+      return NextResponse.json({ success: false, error: "ID and at least one field to update are required" }, { status: 400 })
+    }
+
+    // Build dynamic update
+    const updates: string[] = []
+    const values: any[] = []
+
+    if (name) { updates.push('name = ?'); values.push(name) }
+    if (slug) { updates.push('slug = ?'); values.push(slug) }
+    if (display_order !== undefined) { updates.push('display_order = ?'); values.push(display_order) }
+
+    values.push(id)
+
+    await executeQuery(
+      `UPDATE feed_categories SET ${updates.join(', ')} WHERE id = ?`,
+      values
+    )
+
+    return NextResponse.json({ success: true, message: "Category updated" })
+  } catch (error: any) {
+    console.error("[NewsFeed] Error updating category:", error)
+    if (error.code === 'ER_DUP_ENTRY') {
+      return NextResponse.json({ success: false, error: "A category with this slug already exists" }, { status: 400 })
+    }
+    return NextResponse.json({ success: false, error: "Failed to update category" }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const user = await validateRequest(request)
+  if (!user) {
+    return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 401 })
+  }
+
+  const roleError = requireAdminRole(user)
+  if (roleError) return roleError
+
+  try {
+    const { searchParams } = new URL(request.url)
+    const id = searchParams.get('id')
+
+    if (!id) {
+      return NextResponse.json({ success: false, error: "ID is required" }, { status: 400 })
+    }
+
+    await executeQuery(`DELETE FROM feed_categories WHERE id = ?`, [id])
+
+    return NextResponse.json({ success: true, message: "Category deleted" })
+  } catch (error) {
+    console.error("[NewsFeed] Error deleting category:", error)
+    return NextResponse.json({ success: false, error: "Failed to delete category" }, { status: 500 })
+  }
+}

app/api/feeds/debug-fetch/route.ts

@@ -0,0 +1,31 @@
+export const dynamic = 'force-dynamic'
+import { NextResponse } from "next/server"
+import { executeQuery } from "@/lib/mysql"
+
+export async function GET() {
+  try {
+    const rawJoin = await executeQuery(`
+      SELECT a.*, s.name as source_name, c.name as category_name 
+      FROM feed_articles a
+      JOIN feed_sources s ON a.source_id = s.id
+      JOIN feed_categories c ON s.category_id = c.id
+      LIMIT 5
+    `)
+    
+    // Explicitly test JSON serialization
+    const testJson = JSON.stringify(rawJoin)
+
+    return NextResponse.json({
+      success: true,
+      data: JSON.parse(testJson), // If it serialized properly, this works
+      count: (rawJoin as any[]).length
+    })
+  } catch (error: any) {
+    return NextResponse.json({ 
+      success: false, 
+      error_message: error.message, 
+      error_name: error.name,
+      stack: error.stack
+    }, { status: 500 })
+  }
+}

app/api/feeds/debug/route.ts

@@ -0,0 +1,27 @@
+export const dynamic = 'force-dynamic'
+import { NextResponse } from "next/server"
+import { executeQuery } from "@/lib/mysql"
+
+export async function GET() {
+  try {
+    const cats = await executeQuery("SELECT * FROM feed_categories")
+    const sources = await executeQuery("SELECT * FROM feed_sources")
+    const articlesQuery = "SELECT COUNT(*) as c FROM feed_articles"
+    const [articles]: any = await executeQuery(articlesQuery)
+    const joinRaw = await executeQuery(`
+      SELECT a.id, a.title, c.slug 
+      FROM feed_articles a
+      JOIN feed_sources s ON a.source_id = s.id
+      JOIN feed_categories c ON s.category_id = c.id
+      LIMIT 5
+    `)
+    return NextResponse.json({
+      cats,
+      sources,
+      article_count: articles?.c || 0,
+      joinRaw,
+    })
+  } catch (error: any) {
+    return NextResponse.json({ error: error.message }, { status: 500 })
+  }
+}