Apply tech debt fixes: middleware rename, React.cache, file size limits, remove dead deps

- Rename proxy.ts → middleware.ts, export proxy() → middleware() so Next.js edge protection actually activates (F001) - Add PUBLIC_ROUTES entries for /forgot-password and /reset-password - Wrap getSettings() in React.cache() to eliminate duplicate DB call in root layout (F003) - Remove 4 console.log calls from saveLesson Server Action, keep console.error (F005) - Add 50 MB file size guard to all 6 upload routes before arrayBuffer() read (F004) - Remove unused deps: @tailwindcss/typography, shadcn, tw-animate-css (F008) - Update CLAUDE.md: Prisma version 6.x → 7.x - Add TECH_DEBT_AUDIT.md with 14 findings across 9 dimensions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-09 19:35:05 +05:00
parent 5547b427bb
commit 444b9c0faf
13 changed files with 273 additions and 3052 deletions
@@ -22,6 +22,9 @@ export async function POST(req: NextRequest) {
  const label = (form.get("label") as string | null)?.trim() || null;
  if (!file || !lessonId) return NextResponse.json({ error: "Missing fields" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const name = label ?? file.name;
  const existing = await prisma.lessonFile.findFirst({ where: { lessonId, name } });

@@ -14,6 +14,9 @@ export async function POST(req: NextRequest) {
  const file = form.get("file") as File | null;
  if (!file) return NextResponse.json({ error: "No file" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const ext = file.name.split(".").pop() ?? "bin";
  const key = `uploads/${randomUUID()}.${ext}`;
  const buffer = Buffer.from(await file.arrayBuffer());
@@ -14,6 +14,9 @@ export async function POST(req: NextRequest) {
  const file = form.get("file") as File | null;
  if (!file) return NextResponse.json({ error: "Missing file" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const ext = file.type.includes("ogg") ? "ogg" : file.type.includes("wav") ? "wav" : "webm";
  const key = `feedback-audio/${session.user.id}/${randomUUID()}.${ext}`;
  const buffer = Buffer.from(await file.arrayBuffer());
@@ -14,6 +14,9 @@ export async function POST(req: NextRequest) {
  const file = form.get("file") as File | null;
  if (!file) return NextResponse.json({ error: "Missing file" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const ext = file.name.split(".").pop() ?? "bin";
  const key = `feedback/${session.user.id}/${randomUUID()}.${ext}`;
  const buffer = Buffer.from(await file.arrayBuffer());
@@ -12,6 +12,9 @@ export async function POST(req: NextRequest) {
  const file = form.get("file") as File | null;
  if (!file) return NextResponse.json({ error: "Missing file" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const ext = file.type.includes("ogg") ? "ogg" : file.type.includes("wav") ? "wav" : "webm";
  const key = `homework-audio/${session.user.id}/${randomUUID()}.${ext}`;
  const buffer = Buffer.from(await file.arrayBuffer());
@@ -12,6 +12,9 @@ export async function POST(req: NextRequest) {
  const file = form.get("file") as File | null;
  if (!file) return NextResponse.json({ error: "Missing file" }, { status: 400 });

+  const MAX_BYTES = 50 * 1024 * 1024;
+  if (file.size > MAX_BYTES) return NextResponse.json({ error: "Файл слишком большой" }, { status: 413 });
+
  const ext = file.name.split(".").pop() ?? "bin";
  const key = `homework/${session.user.id}/${randomUUID()}.${ext}`;
  const buffer = Buffer.from(await file.arrayBuffer());
@@ -21,10 +21,8 @@ export async function saveLesson(
    published: boolean;
  }
 ) {
-  console.log("[saveLesson] start", lessonId);
  try {
    await requireAdmin();
-    console.log("[saveLesson] auth ok");
  } catch (e) {
    console.error("[saveLesson] auth failed:", e);
    throw e;
@@ -39,11 +37,9 @@ export async function saveLesson(
        published: data.published,
      },
    });
-    console.log("[saveLesson] db update ok");
  } catch (e) {
    console.error("[saveLesson] db update failed:", e);
    throw e;
  }
  revalidatePath(`/admin/courses/${courseId}/modules/${moduleId}`);
-  console.log("[saveLesson] done");
 }
@@ -1,3 +1,4 @@
+import { cache } from "react";
 import { prisma } from "./prisma";

 // ── Defaults ──────────────────────────────────────────────────────────────────
@@ -52,7 +53,7 @@ export type Settings = Record<SettingsKey, string>;

 // ── Getters ───────────────────────────────────────────────────────────────────

-export async function getSettings(): Promise<Settings> {
+export const getSettings = cache(async (): Promise<Settings> => {
  try {
    const rows = await prisma.settings.findMany();
    const stored: Record<string, string> = {};
@@ -64,7 +65,7 @@ export async function getSettings(): Promise<Settings> {
    // DB unavailable at build time — return defaults
    return { ...SETTINGS_DEFAULTS } as Settings;
  }
-}
+});

 export async function getSetting(key: SettingsKey): Promise<string> {
  try {
@@ -1,9 +1,9 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSessionCookie } from "better-auth/cookies";

-const PUBLIC_ROUTES = ["/login", "/register", "/verify-email", "/api/auth", "/maintenance"];
+const PUBLIC_ROUTES = ["/login", "/register", "/verify-email", "/forgot-password", "/reset-password", "/api/auth", "/maintenance"];

-export function proxy(request: NextRequest) {
+export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  if (