Code Review — Manage App (apps/manage)
Date: 2025-07
Reviewer: GitHub Copilot
Scope: Full source review of apps/manage/src/
Stack: Next.js 15.3, React 19, TypeScript, Socket.IO, Prisma, Zod (Better Auth removed April 2026 — now uses Fastify JWT via @leadmetrics/middleware)
Status: 9/11 findings resolved — 2 deferred (require backend changes)
Open — Deferred
M-1 — JWT Exposed in GET /api/socket-token Response Body
File: src/app/api/socket-token/route.ts
The /api/socket-token route still returns the manage_access_token JWT in the response body. Any JavaScript on the page can fetch this endpoint and read the token, defeating the purpose of httpOnly.
The preferred fix is to authenticate the Socket.IO handshake server-side by forwarding the httpOnly cookie directly:
// socket.ts — pass credentials instead of a bearer token
socket = io(SOCKET_URL + "/manage", {
withCredentials: true,
autoConnect: false,
});
Requires changes to the socket server’s auth middleware in apps/api to read and verify manage_access_token from socket.handshake.headers.cookie. Remove GET /api/socket-token once done.
MOD-1 — Logout Does Not Invalidate Token Server-Side
Files: src/app/actions/auth.ts, src/app/api/auth/logout/route.ts
Both logoutAction() and the logout route handler only delete cookies. A captured JWT remains valid until its 15-minute TTL expires. Mitigated by the short TTL; full fix requires calling POST /auth/v1/logout on the backend to blacklist the token.
Strengths
- requireSuperAdmin() is consistently used — all server actions call it as their first line; the layout also enforces it
- adminFetch() helper in tenant actions — centralises error handling across subscription/tenant API calls
- audit-log on invoice status changes — full operational traceability with actorId, actorName, actorRole, previous/new status
- generateInvoiceNumber() race protection — pg_advisory_xact_lock correctly serialises concurrent calls
- PresenceProvider cleanup is thorough — removes all socket event listeners before destroySocket(), uses cancelled flag
- RAG config save via server action — token never leaves the server; internal API URL not exposed to browser
- Better Auth sign-up endpoint removed — eliminated unexpected account creation via [...all] route