pelagia-portal/App/lib
Hardik d1af1e6b12
All checks were successful
PR checks / checks (pull_request) Successful in 49s
PR checks / integration (pull_request) Successful in 31s
fix(pdf): let PdfService reach the PO export route past auth middleware
"Email PO to vendor" (issue #14) relies on PdfService fetching
/api/po/<id>/export?...&svc=<token> WITHOUT a user session, authenticating
with a `svc` token that matches PDF_SERVICE_TOKEN. The route handler validates
that token, but the auth middleware runs first and its matcher doesn't exempt
the export route — so every unauthenticated fetch was redirected to /login
(307) and the svc bypass never executed. Net effect: the feature could never
render a real PDF on any deployed env, even with the service configured.

Fix: middleware now lets exactly `/api/po/<id>/export` through when its `svc`
query param matches `process.env.PDF_SERVICE_TOKEN` (the route handler still
re-validates it — defense in depth). Everything else stays auth-gated. The
match lives in a dependency-free, edge-safe, unit-tested helper
(lib/pdf-export-auth.ts); middleware already reads server env at runtime via
auth()/NEXTAUTH_SECRET, so reading PDF_SERVICE_TOKEN there is consistent.

Verified on a running build: correct svc + real PO -> 200, correct svc + bogus
PO -> 404 (handler ran), wrong/no svc -> 307 (still gated). 324 unit tests
green; tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 14:55:40 +05:30
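
Added example, not the repository's lib/pdf-export-auth.ts and not the commit author's code: one way to write the middleware carve-out the commit message above describes, letting only `/api/po/<id>/export` through when `svc` equals the configured token. The function names, the single-segment `<id>` pattern, and passing the token in as a parameter (instead of reading `process.env.PDF_SERVICE_TOKEN` inside the helper) are assumptions made here.

```typescript
// Added example; not the project's lib/pdf-export-auth.ts.
// Assumption: <id> is one non-empty path segment, so nothing may follow /export.
const EXPORT_PATH = /^\/api\/po\/[^\/]+\/export$/;

// Dependency-free comparison with no early exit, usable where node:crypto
// is unavailable. A length difference is folded into the result.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// True only for the exact export path carrying the configured token.
// expectedToken is what the caller read from PDF_SERVICE_TOKEN.
function allowsPdfServiceBypass(
  pathname: string,
  svc: string | null,
  expectedToken: string | undefined,
): boolean {
  if (!expectedToken) return false; // unset or empty env var: fail closed
  if (!svc) return false;           // missing or empty svc never matches
  if (!EXPORT_PATH.test(pathname)) return false;
  return constantTimeEqual(svc, expectedToken);
}

// Hypothetical stand-in for the middleware decision: a session or the
// service bypass lets the request reach the handler; anything else is
// redirected to /login, as in the commit message's 307 cases.
function middlewareDecision(
  pathname: string,
  svc: string | null,
  hasSession: boolean,
  expectedToken: string | undefined,
): "next" | "redirect:/login" {
  if (hasSession || allowsPdfServiceBypass(pathname, svc, expectedToken)) {
    return "next";
  }
  return "redirect:/login";
}
```

The empty-token guard is the case to keep when adapting this: with `PDF_SERVICE_TOKEN` unset, a request carrying an empty `svc` would otherwise compare equal and skip the session check.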
validations feat(po): manager sets advance payment on approval (issue #92) 2026-06-24 01:40:20 +05:30
application-pipeline.ts feat(crewing): Phase 3b — recruitment pipeline (flagged) 2026-06-22 18:49:12 +05:30
appraisal-state-machine.ts feat(crewing): Phase 5b — appraisal (flagged) 2026-06-22 22:09:32 +05:30
attachments.ts fix(po): show all attachments grouped by type on PO details 2026-06-19 04:43:44 +05:30
cancelled-watermark.ts fix(po): size XLSX export images by pixels (aspect preserved) 2026-06-21 13:27:15 +05:30
cart.ts chore: restructure repo — flatten App/pelagia-portal to App, rename Prototype→Wireframe and Spec→Design 2026-05-18 23:18:58 +05:30
cost-centre-groups.ts refactor: revert cost centre to vessels only, remove vessel-site link 2026-05-30 18:14:24 +05:30
crew-login.ts feat(crewing): resolve self-contained deferred follow-ups (flagged) 2026-06-22 22:28:23 +05:30
crew-pii.ts fix(crewing): mask Aadhaar/PAN document numbers server-side 2026-06-22 23:29:11 +05:30
db.ts chore: restructure repo — flatten App/pelagia-portal to App, rename Prototype→Wireframe and Spec→Design 2026-05-18 23:18:58 +05:30
delivery-location.ts feat(po): admin-managed delivery locations + Place of Delivery dropdown (#19) 2026-06-24 02:08:59 +05:30
employee-number.ts feat(crewing): Phase 3c — onboarding (flagged) 2026-06-22 19:12:53 +05:30
feature-flags.ts Merge remote-tracking branch 'origin/master' into feat/submitter-view-all 2026-06-23 21:50:08 +05:30
forgejo.ts feat(automation): issue-to-deploy pipeline — Report Issue button, Claude watcher, tag-triggered deploy 2026-06-11 16:39:43 +05:30
geo.ts chore: restructure repo — flatten App/pelagia-portal to App, rename Prototype→Wireframe and Spec→Design 2026-05-18 23:18:58 +05:30
id-generators.ts feat(crewing): foundations — SITE_STAFF role, ranks reference data + admin (flagged) 2026-06-22 13:26:04 +05:30
image-size.ts fix(po): size XLSX export images by pixels (aspect preserved) 2026-06-21 13:27:15 +05:30
leave-clash.ts feat(crewing): clash detection by required strength (Option A) 2026-06-22 21:14:21 +05:30
notifier.ts feat(crewing): Phase 5b — appraisal (flagged) 2026-06-22 22:09:32 +05:30
pagination.ts feat(history): paginate PO history with items-per-page control 2026-06-24 03:26:47 +05:30
pdf-export-auth.ts fix(pdf): let PdfService reach the PO export route past auth middleware 2026-06-24 14:55:40 +05:30
pdf-service.ts feat(po): email PO to vendor — PDF link in an Outlook draft (#14) 2026-06-24 02:45:48 +05:30
permissions.ts feat(po): admin-managed Terms & Conditions catalogue + PO dropdowns (#11) 2026-06-24 03:38:32 +05:30
po-export-layout.ts fix(po): keep the export stamp clear of the signature (no overlap) 2026-06-21 15:35:09 +05:30
po-import-parser.ts feat: structured PO numbers, import closed, auto-vendor/product, company code, inventory flag 2026-05-31 01:56:33 +05:30
po-number.ts fix(po-number): floor at 9000, imported POs keep original PO number 2026-05-31 02:33:42 +05:30
po-state-machine.ts feat(po): cancel POs (manager/superuser) + optional supersede link (#53) 2026-06-21 12:20:54 +05:30
product-catalog.ts refactor(routes): move /inventory/{items,vendors} → /catalogue/{items,vendors} 2026-06-24 05:04:29 +05:30
report-colors.ts fix(reports): chart series all rendered one colour (RSC boundary bug) 2026-06-24 12:31:40 +05:30
reports.ts feat(reports): weekly granularity, custom compare, line-item allocation 2026-06-24 11:25:05 +05:30
requisition-number.ts feat(crewing): Phase 2 — requisitions + relief requests (flagged) 2026-06-22 18:22:59 +05:30
requisition-service.ts refactor(crewing): correct audit action types + atomic auto-raise backfills 2026-06-22 23:46:23 +05:30
requisition-state-machine.ts feat(crewing): Phase 2 — requisitions + relief requests (flagged) 2026-06-22 18:22:59 +05:30
storage.ts feat(po): email PO to vendor — PDF link in an Outlook draft (#14) 2026-06-24 02:45:48 +05:30
terms-data.ts feat(po): user-defined T&C categories + dynamic PO terms editor (#11) 2026-06-24 04:43:24 +05:30
terms.ts feat(po): user-defined T&C categories + dynamic PO terms editor (#11) 2026-06-24 04:43:24 +05:30
upload-files.ts chore: restructure repo — flatten App/pelagia-portal to App, rename Prototype→Wireframe and Spec→Design 2026-05-18 23:18:58 +05:30
utils.ts feat(po): cancel POs (manager/superuser) + optional supersede link (#53) 2026-06-21 12:20:54 +05:30