Fix period editing and harden app with Next.js security upgrade

2026-04-20 00:02:46 +02:00
parent 5a8b0871a0
commit f947908f0e
14 changed files with 2595 additions and 51 deletions
--- a/next-env.d.ts
+++ b/next-env.d.ts
@@ -1,5 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
 /// <reference path="./.next/types/routes.d.ts" />
-// This file is auto-generated by Next.js.
+// NOTE: This file should not be edited
-
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
    "@mui/material": "^6.1.3",
    "@prisma/client": "^5.20.0",
    "bcryptjs": "^2.4.3",
-    "next": "^14.2.14",
+    "next": "^15.5.15",
    "next-auth": "^4.24.8",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
--- a/src/app/api/audit-logs/[id]/restore/route.ts
+++ b/src/app/api/audit-logs/[id]/restore/route.ts
@@ -6,9 +6,9 @@ import prisma from "@/lib/prisma";
 import { getCurrentViewer } from "@/lib/session";
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 function asRecord(value: unknown, label: string) {
@@ -65,6 +65,7 @@ function asApprovalPermissions(value: unknown) {
 }
 export async function POST(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -77,7 +78,7 @@ export async function POST(_: Request, { params }: Context) {
  const auditLog = await prisma.auditLog.findUnique({
    where: {
-      id: params.id
+      id
    }
  });
@@ -297,6 +298,22 @@ export async function POST(_: Request, { params }: Context) {
          break;
        }
        case "period.update": {
          const previous = asRecord(rollback.previous, "Zeitraum");
          await tx.accountingPeriod.update({
            where: {
              id: asString(previous.id, "Zeitraum-ID")
            },
            data: {
              name: asString(previous.name, "Zeitraumname"),
              startsAt: asDate(previous.startsAt, "Zeitraumstart") ?? new Date(),
              endsAt: asDate(previous.endsAt, "Zeitraumende") ?? new Date()
            }
          });
          break;
        }
        case "period.setCurrent": {
          const previousCurrentPeriodId = asNullableString(rollback.previousCurrentPeriodId);
--- a/src/app/api/budgets/[id]/route.ts
+++ b/src/app/api/budgets/[id]/route.ts
@@ -26,12 +26,13 @@ const updateBudgetSchema = z
  });
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function PATCH(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -43,7 +44,7 @@ export async function PATCH(request: Request, { params }: Context) {
  }
  const budget = await prisma.budget.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!budget) {
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
    const previousBudget = budget;
    const nextReleasedAmount = parsed.data.releasedAmount ?? Number(previousBudget.releasedAmount);
    const updatedBudget = await prisma.budget.update({
-      where: { id: params.id },
+      where: { id },
      data: {
        name: parsed.data.name,
        totalBudget: parsed.data.totalBudget,
@@ -106,6 +107,7 @@ export async function PATCH(request: Request, { params }: Context) {
 }
 export async function DELETE(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -117,7 +119,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  const budget = await prisma.budget.findUnique({
-    where: { id: params.id },
+    where: { id },
    include: {
      _count: {
        select: {
@@ -139,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  await prisma.budget.delete({
-    where: { id: params.id }
+    where: { id }
  });
  await createAuditLog(prisma, {
--- a/src/app/api/expenses/[id]/approve/route.ts
+++ b/src/app/api/expenses/[id]/approve/route.ts
@@ -18,12 +18,13 @@ const approvalSchema = z.object({
 });
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function POST(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -32,7 +33,7 @@ export async function POST(request: Request, { params }: Context) {
  const [expense, appSettings] = await Promise.all([
    prisma.expense.findUnique({
-      where: { id: params.id },
+      where: { id },
      include: {
        approvals: true
      }
--- a/src/app/api/expenses/[id]/documented/route.ts
+++ b/src/app/api/expenses/[id]/documented/route.ts
@@ -13,12 +13,13 @@ const documentedSchema = z.object({
 });
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function POST(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -30,7 +31,7 @@ export async function POST(request: Request, { params }: Context) {
  }
  const expense = await prisma.expense.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!expense) {
@@ -53,7 +54,7 @@ export async function POST(request: Request, { params }: Context) {
  }
  const updatedExpense = await prisma.expense.update({
-    where: { id: params.id },
+    where: { id },
    data: {
      proofUrl: parsed.data.proofUrl ?? expense.proofUrl,
      documentedAt: expense.documentedAt ?? new Date()
--- a/src/app/api/expenses/[id]/paid/route.ts
+++ b/src/app/api/expenses/[id]/paid/route.ts
@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
 import { getCurrentViewer } from "@/lib/session";
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function POST(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -23,7 +24,7 @@ export async function POST(_: Request, { params }: Context) {
  }
  const expense = await prisma.expense.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!expense) {
@@ -35,7 +36,7 @@ export async function POST(_: Request, { params }: Context) {
  }
  const updatedExpense = await prisma.expense.update({
-    where: { id: params.id },
+    where: { id },
    data: {
      paidAt: expense.paidAt ?? new Date()
    }
--- a/src/app/api/expenses/[id]/route.ts
+++ b/src/app/api/expenses/[id]/route.ts
@@ -6,12 +6,13 @@ import prisma from "@/lib/prisma";
 import { getCurrentViewer } from "@/lib/session";
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function DELETE(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -19,7 +20,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  const expense = await prisma.expense.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!expense) {
@@ -41,7 +42,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  await prisma.expense.delete({
-    where: { id: params.id }
+    where: { id }
  });
  await createAuditLog(prisma, {
--- a/src/app/api/periods/[id]/route.ts
+++ b/src/app/api/periods/[id]/route.ts
@@ -1,4 +1,5 @@
 import { NextResponse } from "next/server";
 import { z } from "zod";
 import { snapshotPeriod } from "@/lib/audit-snapshots";
 import { createAuditLog } from "@/lib/audit-log";
@@ -7,12 +8,101 @@ import prisma from "@/lib/prisma";
 import { getCurrentViewer } from "@/lib/session";
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 const periodSchema = z.object({
  name: z.string().trim().min(2).max(80),
  startsAt: z.coerce.date(),
  endsAt: z.coerce.date()
 });
 export async function PATCH(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
    return NextResponse.json({ error: "Nicht angemeldet." }, { status: 401 });
  }
  if (!canManageBudgets(viewer.role)) {
    return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Zeiträume bearbeiten." }, { status: 403 });
  }
  const body = await request.json().catch(() => null);
  const parsed = periodSchema.safeParse(body);
  if (!parsed.success) {
    return NextResponse.json({ error: "Bitte Zeitraumname sowie Start- und Enddatum korrekt angeben." }, { status: 400 });
  }
  if (parsed.data.endsAt < parsed.data.startsAt) {
    return NextResponse.json({ error: "Das Enddatum muss nach dem Startdatum liegen." }, { status: 400 });
  }
  const period = await prisma.accountingPeriod.findUnique({
    where: { id }
  });
  if (!period) {
    return NextResponse.json({ error: "Zeitraum nicht gefunden." }, { status: 404 });
  }
  const existingPeriod = await prisma.accountingPeriod.findFirst({
    where: {
      id: {
        not: id
      },
      name: {
        equals: parsed.data.name,
        mode: "insensitive"
      }
    }
  });
  if (existingPeriod) {
    return NextResponse.json({ error: "Diesen Zeitraumnamen gibt es bereits." }, { status: 409 });
  }
  const updatedPeriod = await prisma.accountingPeriod.update({
    where: {
      id
    },
    data: {
      name: parsed.data.name,
      startsAt: parsed.data.startsAt,
      endsAt: parsed.data.endsAt
    }
  });
  await createAuditLog(prisma, {
    actorId: viewer.id,
    action: "period.update",
    entityType: "period",
    entityId: updatedPeriod.id,
    entityLabel: updatedPeriod.name,
    summary:
      period.name !== updatedPeriod.name
        ? `Zeitraum ${period.name} wurde auf ${updatedPeriod.name} aktualisiert.`
        : `Zeitraum ${period.name} wurde aktualisiert.`,
    metadata: {
      startsAt: updatedPeriod.startsAt.toISOString(),
      endsAt: updatedPeriod.endsAt.toISOString(),
      rollback: {
        kind: "period.update",
        previous: snapshotPeriod(period),
        next: snapshotPeriod(updatedPeriod)
      }
    }
  });
  return NextResponse.json({ period: updatedPeriod });
 }
 export async function DELETE(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -24,7 +114,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  const period = await prisma.accountingPeriod.findUnique({
-    where: { id: params.id },
+    where: { id },
    include: {
      _count: {
        select: {
@@ -51,7 +141,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  await prisma.accountingPeriod.delete({
-    where: { id: params.id }
+    where: { id }
  });
  await createAuditLog(prisma, {
--- a/src/app/api/users/[id]/password/route.ts
+++ b/src/app/api/users/[id]/password/route.ts
@@ -12,12 +12,13 @@ const passwordSchema = z.object({
 });
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function POST(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -36,7 +37,7 @@ export async function POST(request: Request, { params }: Context) {
  }
  const user = await prisma.user.findUnique({
-    where: { id: params.id },
+    where: { id },
    select: { id: true, username: true, passwordHash: true }
  });
@@ -47,7 +48,7 @@ export async function POST(request: Request, { params }: Context) {
  const passwordHash = await bcrypt.hash(parsed.data.password, 12);
  await prisma.user.update({
-    where: { id: params.id },
+    where: { id },
    data: {
      passwordHash
    }
--- a/src/app/api/users/[id]/route.ts
+++ b/src/app/api/users/[id]/route.ts
@@ -49,12 +49,13 @@ function serializeManagedUser(user: {
 }
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 export async function PATCH(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -73,7 +74,7 @@ export async function PATCH(request: Request, { params }: Context) {
  }
  const user = await prisma.user.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!user) {
@@ -113,7 +114,7 @@ export async function PATCH(request: Request, { params }: Context) {
  const previousSnapshot = snapshotUser(user);
  const updatedUser = await prisma.user.update({
-    where: { id: params.id },
+    where: { id },
    data: {
      role: parsed.data.role,
      workingGroupId,
@@ -163,6 +164,7 @@ export async function PATCH(request: Request, { params }: Context) {
 }
 export async function DELETE(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -173,12 +175,12 @@ export async function DELETE(_: Request, { params }: Context) {
    return NextResponse.json({ error: "Nur Vorstand oder Finanz-AG dürfen Nutzer löschen." }, { status: 403 });
  }
-  if (viewer.id === params.id) {
+  if (viewer.id === id) {
    return NextResponse.json({ error: "Du kannst dein eigenes Konto hier nicht löschen." }, { status: 400 });
  }
  const user = await prisma.user.findUnique({
-    where: { id: params.id },
+    where: { id },
    include: {
      _count: {
        select: {
@@ -211,7 +213,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  await prisma.user.delete({
-    where: { id: params.id }
+    where: { id }
  });
  await createAuditLog(prisma, {
--- a/src/app/api/working-groups/[id]/route.ts
+++ b/src/app/api/working-groups/[id]/route.ts
@@ -8,9 +8,9 @@ import prisma from "@/lib/prisma";
 import { getCurrentViewer } from "@/lib/session";
 type Context = {
-  params: {
+  params: Promise<{
    id: string;
-  };
+  }>;
 };
 const workingGroupSchema = z.object({
@@ -18,6 +18,7 @@ const workingGroupSchema = z.object({
 });
 export async function PATCH(request: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -36,7 +37,7 @@ export async function PATCH(request: Request, { params }: Context) {
  }
  const workingGroup = await prisma.workingGroup.findUnique({
-    where: { id: params.id }
+    where: { id }
  });
  if (!workingGroup) {
@@ -46,7 +47,7 @@ export async function PATCH(request: Request, { params }: Context) {
  const existingWorkingGroup = await prisma.workingGroup.findFirst({
    where: {
      id: {
-        not: params.id
+        not: id
      },
      name: {
        equals: parsed.data.name,
@@ -61,7 +62,7 @@ export async function PATCH(request: Request, { params }: Context) {
  const updatedWorkingGroup = await prisma.workingGroup.update({
    where: {
-      id: params.id
+      id
    },
    data: {
      name: parsed.data.name
@@ -88,6 +89,7 @@ export async function PATCH(request: Request, { params }: Context) {
 }
 export async function DELETE(_: Request, { params }: Context) {
  const { id } = await params;
  const viewer = await getCurrentViewer();
  if (!viewer) {
@@ -99,7 +101,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  const workingGroup = await prisma.workingGroup.findUnique({
-    where: { id: params.id },
+    where: { id },
    include: {
      _count: {
        select: {
@@ -126,7 +128,7 @@ export async function DELETE(_: Request, { params }: Context) {
  }
  await prisma.workingGroup.delete({
-    where: { id: params.id }
+    where: { id }
  });
  await createAuditLog(prisma, {
--- a/src/components/dashboard/dashboard-shell.tsx
+++ b/src/components/dashboard/dashboard-shell.tsx
@@ -110,6 +110,12 @@ type PeriodFormState = {
  copyBudgetsFromPeriodId: string;
 };
 type PeriodEditFormState = {
  name: string;
  startsAt: string;
  endsAt: string;
 };
 type DashboardMessage = {
  type: "success" | "error";
  text: string;
@@ -191,6 +197,22 @@ function getSuggestedPeriodDraft(currentPeriod: DashboardAccountingPeriod | unde
  };
 }
 function getPeriodEditDraft(period: DashboardAccountingPeriod | null | undefined): PeriodEditFormState {
  if (!period) {
    return {
      name: "",
      startsAt: "",
      endsAt: ""
    };
  }
  return {
    name: period.name,
    startsAt: toDateInputValue(period.startsAt),
    endsAt: toDateInputValue(period.endsAt)
  };
 }
 function generatePassword(length = 14) {
  const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@$%";
  const cryptoSource = globalThis.crypto;
@@ -297,6 +319,7 @@ export function DashboardShell({
  const [userDrafts, setUserDrafts] = useState<Record<string, ManagedUserDraft>>({});
  const [approvalThresholdDraft, setApprovalThresholdDraft] = useState(approvalThreshold.toFixed(2));
  const [periodForm, setPeriodForm] = useState<PeriodFormState>(getSuggestedPeriodDraft(currentPeriod));
  const [periodEditForm, setPeriodEditForm] = useState<PeriodEditFormState>(getPeriodEditDraft(currentPeriod));
  useEffect(() => {
    if (visibleGroups.length === 0) {
      setSelectedMobileGroupId("");
@@ -314,6 +337,11 @@ export function DashboardShell({
    setPeriodForm(getSuggestedPeriodDraft(currentPeriod));
  }, [currentPeriod, currentPeriodId]);
  useEffect(() => {
    const selectedPeriod = accountingPeriods.find((period) => period.id === selectedCurrentPeriodId) ?? currentPeriod ?? null;
    setPeriodEditForm(getPeriodEditDraft(selectedPeriod));
  }, [accountingPeriods, currentPeriod, selectedCurrentPeriodId]);
  useEffect(() => {
    if (!desktopSections.some((section) => section.value === desktopSection)) {
      setDesktopSection("overview");
@@ -468,6 +496,11 @@ export function DashboardShell({
    ) ?? 0;
  const selectedPeriodForManagement =
    accountingPeriods.find((period) => period.id === selectedCurrentPeriodId) ?? currentPeriod ?? null;
  const periodEditDirty =
    selectedPeriodForManagement !== null &&
    (periodEditForm.name.trim() !== selectedPeriodForManagement.name ||
      periodEditForm.startsAt !== toDateInputValue(selectedPeriodForManagement.startsAt) ||
      periodEditForm.endsAt !== toDateInputValue(selectedPeriodForManagement.endsAt));
  function getManagedUserDraft(user: DashboardManagedUser): ManagedUserDraft {
    return userDrafts[user.id] ?? {
@@ -810,6 +843,27 @@ export function DashboardShell({
    }, "Neuer Abrechnungszeitraum wurde angelegt.");
  }
  async function handleSavePeriod(event: FormEvent<HTMLFormElement>) {
    event.preventDefault();
    if (!selectedPeriodForManagement) {
      setMessage({ type: "error", text: "Bitte zuerst einen Zeitraum auswählen." });
      return;
    }
    await runAction(async () => {
      await parseResponse(
        await fetch(`/api/periods/${selectedPeriodForManagement.id}`, {
          method: "PATCH",
          headers: {
            "Content-Type": "application/json"
          },
          body: JSON.stringify(periodEditForm)
        })
      );
    }, `Zeitraum ${periodEditForm.name.trim() || selectedPeriodForManagement.name} wurde aktualisiert.`);
  }
  async function handleDeletePeriod(periodId: string, periodName: string) {
    await runAction(async () => {
      await parseResponse(
@@ -1222,6 +1276,55 @@ export function DashboardShell({
          : "Leere, nicht aktive Zeiträume lassen sich hier wieder entfernen."}
      </Typography>
      <Box component="form" onSubmit={handleSavePeriod} sx={nestedPanelSx}>
        <Stack spacing={1.4}>
          <Typography variant="subtitle1" sx={{ fontWeight: 700 }}>
            Ausgewählten Zeitraum bearbeiten
          </Typography>
          <TextField
            label="Zeitraum-Name"
            value={periodEditForm.name}
            onChange={(event) => setPeriodEditForm((current) => ({ ...current, name: event.target.value }))}
            required
            fullWidth
            disabled={!selectedPeriodForManagement}
          />
          <Stack direction={{ xs: "column", sm: "row" }} gap={1.2}>
            <TextField
              label="Von"
              type="date"
              value={periodEditForm.startsAt}
              onChange={(event) => setPeriodEditForm((current) => ({ ...current, startsAt: event.target.value }))}
              InputLabelProps={{ shrink: true }}
              required
              fullWidth
              disabled={!selectedPeriodForManagement}
            />
            <TextField
              label="Bis"
              type="date"
              value={periodEditForm.endsAt}
              onChange={(event) => setPeriodEditForm((current) => ({ ...current, endsAt: event.target.value }))}
              InputLabelProps={{ shrink: true }}
              required
              fullWidth
              disabled={!selectedPeriodForManagement}
            />
          </Stack>
          <Typography variant="body2" color="text.secondary">
            {"Abo-Berechnungen nutzen danach direkt den neuen Zeitraum."}
          </Typography>
          <Button
            type="submit"
            variant="outlined"
            startIcon={<EditRoundedIcon />}
            disabled={busy || !selectedPeriodForManagement || !periodEditDirty}
          >
            Zeitraum speichern
          </Button>
        </Stack>
      </Box>
      <Box component="form" onSubmit={handleCreatePeriod} sx={nestedPanelSx}>
        <Stack spacing={1.4}>
          <Typography variant="subtitle1" sx={{ fontWeight: 700 }}>
@@ -2412,5 +2515,3 @@ export function DashboardShell({
    </Box>
  );
 }