10 Commits

Author	SHA1	Message	Date
ilia	b39242c571	Merge main into dev: resolve all conflicts, keep dev improvements	2026-01-04 22:52:53 -05:00
ilia	df9e61554a	Mark additional API routes as dynamic to prevent build-time data collection	2026-01-04 22:05:26 -05:00
ilia	da4d7e6f6e	Mark reset-password and photo routes as dynamic to prevent build-time data collection	2026-01-04 22:02:30 -05:00
ilia	08914dc469	Implements a comprehensive structured logging system to replace verbose console.* calls throughout the codebase, addressing all cleanup tasks from CLEANUP.md. (#4) ... # Structured Logging System Implementation ## Summary Implements a comprehensive structured logging system to replace verbose console.* calls throughout the codebase, addressing all cleanup tasks from CLEANUP.md. ## What Changed ### Core Features - ✅ **Structured Logging System** - New `lib/logger.ts` with DEBUG, INFO, WARN, ERROR levels - ✅ **Environment-Based Control** - `LOG_LEVEL` env var controls verbosity (DEBUG/INFO/WARN/ERROR/NONE) - ✅ **JSON Logging Option** - `LOG_FORMAT=json` for structured JSON output - ✅ **Shared Constants** - Extracted session cookie name to `lib/constants.ts` ### Code Refactoring - ✅ Replaced all `console.*` calls in API routes with structured logger - ✅ Refactored `activity-log.ts` to use new logger system - ✅ Reduced verbose logging in auth, photos page, and upload routes - ✅ Updated proxy.ts to use structured logging - ✅ Removed unused legacy `/api/photos` route (replaced by `/api/photos/upload`) ### Security Improvements - ✅ Protected `/api/debug/session` endpoint with admin-only access - ✅ Added proper error logging with structured context ### Documentation - ✅ Documented multiple upload routes usage - ✅ Enhanced watch-activity.sh script documentation - ✅ Updated README.md with upload endpoint information - ✅ Added configuration documentation to next.config.ts ### Testing - ✅ Added 23 tests for logger system - ✅ Added 8 tests for refactored activity-log - ✅ All 43 tests passing ## Benefits 1. **Production-Ready Logging** - Environment-based control, defaults to INFO in production 2. **Reduced Verbosity** - DEBUG logs only show in development or when explicitly enabled 3. **Structured Output** - JSON format option for log aggregation tools 4. **Better Organization** - Shared constants, consistent logging patterns 5. **Improved Security** - Debug endpoint now requires admin access ## Testing ### Manual Testing - ✅ Server builds successfully - ✅ All tests pass (43/43) - ✅ Type checking passes - ✅ Linting passes - ✅ Production server runs with logs visible - ✅ Log levels work correctly (DEBUG shows all, INFO shows activity, etc.) ### Test Coverage - Logger system: 100% coverage - Activity log: 100% coverage - All existing tests still pass ## Configuration ### Environment Variables ```bash # Control log verbosity (DEBUG, INFO, WARN, ERROR, NONE) LOG_LEVEL=INFO # Use structured JSON logging LOG_FORMAT=json ``` ### Defaults - Development: `LOG_LEVEL=DEBUG` (shows all logs) - Production: `LOG_LEVEL=INFO` (shows activity and above) ## Migration Notes - No breaking changes (legacy route was unused) - All existing functionality preserved - Logs are now structured and filterable - Debug endpoint now requires admin authentication - Legacy `/api/photos` endpoint removed (use `/api/photos/upload` instead) ## Checklist - [x] All console.* calls replaced in API routes - [x] Logger system implemented with tests - [x] Activity logging refactored - [x] Debug endpoint protected - [x] Documentation updated - [x] All tests passing - [x] Type checking passes - [x] Linting passes - [x] Build succeeds - [x] Manual testing completed ## Related Issues Addresses cleanup tasks from CLEANUP.md: - Task 1: Verbose logging in production ✅ - Task 2: Activity logging optimization ✅ - Task 3: Upload verification logging ✅ - Task 4: Middleware debug logging ✅ - Task 5: Legacy upload route documentation ✅ - Task 6: Multiple upload routes documentation ✅ - Task 7: Cookie name constant extraction ✅ - Task 8: Next.js config documentation ✅ - Task 9: ARCHITECTURE.md (already correct) ✅ - Task 10: Watch activity script documentation ✅ Reviewed-on: #4	2026-01-04 19:42:49 -05:00
ilia	dfc2ee978d	Production Deployment Fixes and Enhancements (#3) ... # Merge Request: Production Deployment Fixes and Enhancements ## Summary This MR includes critical fixes for production deployment, authentication improvements, file upload serving, and monitoring capabilities. All changes have been tested and are ready for production. ## 🐛 Critical Fixes ### 1. Authentication & Session Management - **Fixed TypeScript error in session callback** (`lib/auth.ts`) - Removed `return null` that caused build failures - Session callback now always returns a valid session object - **Fixed login redirect loop** (`app/login/page.tsx`) - Changed from `router.push()` to `window.location.href` for full page reload - Ensures session cookie is available before middleware checks - **Created proper middleware** (`proxy.ts`) - Next.js 16 requires `proxy.ts` instead of `middleware.ts` - Fixed authentication checks in Edge runtime - Explicitly specifies cookie name for `getToken` ### 2. Build & Deployment - **Fixed Prisma initialization** (`lib/prisma.ts`) - Made Prisma client initialization lazy to fix build without DATABASE_URL - Uses Proxy pattern for on-demand initialization - Prevents build failures when DATABASE_URL not set ### 3. File Upload & Serving - **Fixed photo upload serving** (`app/api/uploads/[filename]/route.ts`) - Created dedicated API route to serve uploaded files - Files now served via `/api/uploads/[filename]` instead of static `/uploads/` - Ensures files are accessible regardless of filesystem location - Added file existence verification and proper error handling - **Updated upload routes** to use new API endpoint - `app/api/photos/upload/route.ts` - Updated to use `/api/uploads/` URLs - `app/api/photos/upload-multiple/route.ts` - Updated to use `/api/uploads/` URLs - **Fixed photo display components** - `components/PhotoThumbnail.tsx` - Uses regular `img` tag for uploads - `components/PhotoImage.tsx` - Uses regular `img` tag for uploads - Avoids Next.js Image component issues with dynamically uploaded files ### 4. Middleware & Route Protection - **Updated proxy middleware** (`proxy.ts`) - Added `/uploads` and `/api/uploads` to public routes - Added comprehensive activity logging - Improved error handling and logging ## ✨ New Features ### Activity Logging - **Created activity logging utility** (`lib/activity-log.ts`) - Structured logging for user actions - Tracks: page visits, photo uploads, guess submissions - Includes user info, IP, timestamps, and action details - **Added activity logging to key routes** - `proxy.ts` - Logs all page visits and API calls - `app/api/photos/upload/route.ts` - Logs photo uploads - `app/api/photos/[photoId]/guess/route.ts` - Logs guess submissions ### Monitoring - **Activity monitoring commands** - Watch logs: `sudo journalctl -u app-backend -f | grep -E "\[ACTIVITY\]|\[PHOTO_UPLOAD\]|\[GUESS_SUBMIT\]"` - Filter by user, action type, or time range ## 📝 Documentation Updates - **README.md** - Added deployment notes section - Added file upload details and troubleshooting - Added activity monitoring commands - Added database query examples - Updated troubleshooting section - **ARCHITECTURE.md** - Updated middleware references (proxy.ts instead of middleware.ts) - Added activity logging documentation - Updated photo upload flow with file upload details - Added file serving architecture - Updated guess submission flow - **CLEANUP.md** (new) - Created cleanup checklist for future improvements - Documents debug code and verbose logging - Provides recommendations for optimization ## 🔧 Technical Changes ### Files Modified - `lib/auth.ts` - Fixed session callback return type - `app/login/page.tsx` - Fixed redirect to use full page reload - `proxy.ts` - Created/updated middleware with activity logging - `lib/prisma.ts` - Made initialization lazy - `app/api/photos/upload/route.ts` - Updated file serving, added logging - `app/api/photos/upload-multiple/route.ts` - Updated file serving - `components/PhotoThumbnail.tsx` - Fixed image display - `components/PhotoImage.tsx` - Fixed image display ### Files Created - `app/api/uploads/[filename]/route.ts` - File serving API route - `lib/activity-log.ts` - Activity logging utility - `CLEANUP.md` - Cleanup checklist ## ✅ Testing - [x] Authentication flow tested (login, session persistence) - [x] Photo upload tested (file and URL uploads) - [x] Photo display tested (uploaded files visible to all users) - [x] Guess submission tested - [x] Build tested (no TypeScript errors) - [x] Middleware tested (route protection working) - [x] Activity logging verified ## 🚀 Deployment Notes ### Environment Variables Required - `NODE_ENV=production` - `NEXTAUTH_URL` - Production domain - `NEXTAUTH_SECRET` - Secret key - `AUTH_TRUST_HOST=true` (if using reverse proxy) - `DATABASE_URL` - Production database connection ### Post-Deployment 1. Verify `public/uploads/` directory exists and has write permissions 2. Test photo upload and verify files are accessible 3. Monitor activity logs to ensure logging is working 4. Verify authentication flow works correctly ### Monitoring - Watch activity logs: `sudo journalctl -u app-backend -f | grep -E "\[ACTIVITY\]|\[PHOTO_UPLOAD\]|\[GUESS_SUBMIT\]"` - Check for errors: `sudo journalctl -u app-backend --since "1 hour ago" | grep -i error` ## 🔄 Breaking Changes **None** - All changes are backward compatible. Existing photos with `/uploads/` URLs may need to be updated to `/api/uploads/` if files are not accessible, but the system will continue to work. ## 📋 Migration Notes ### For Existing Photos - Photos uploaded before this change use `/uploads/` URLs - New photos use `/api/uploads/` URLs - Old photos will continue to work if files exist in `public/uploads/` - Consider migrating old photo URLs if needed (optional) ## 🎯 Next Steps (Future) See `CLEANUP.md` for recommended cleanup tasks: - Reduce verbose logging in production - Add log levels (DEBUG, INFO, WARN, ERROR) - Protect debug endpoints - Optimize activity logging --- **Ready for Production:** ✅ Yes **Breaking Changes:** ❌ No **Requires Migration:** ⚠️ Optional (old photo URLs) Reviewed-on: #3	2026-01-04 16:37:34 -05:00
ilia	91adbab487	feat: Implement user activity logging and upload handling ... - Enhanced the proxy function to log user activity for both authenticated and unauthenticated requests, capturing details such as IP address, user agent, and referer. - Introduced a new utility for logging activities, allowing for structured tracking of user actions across various routes. - Updated photo upload and guess submission routes to log relevant user activity, improving visibility into user interactions. - Added a script to watch user activity logs in real-time for easier monitoring.	2026-01-04 14:29:17 -05:00
ilia	a8548bddcf	This PR adds comprehensive photo management features, duplicate detection, attempt limits, penalty system improvements, and admin photo deletion capabilities to the MirrorMatch application. (#1) ... # Photo Management and Game Features ## Summary This PR adds comprehensive photo management features, duplicate detection, attempt limits, penalty system improvements, and admin photo deletion capabilities to the MirrorMatch application. ## Features Added ### 1. Duplicate Photo Detection - **File-based duplicates**: Calculates SHA256 hash of uploaded files to detect duplicate content - **URL-based duplicates**: Checks for duplicate photo URLs - Prevents users from uploading the same photo multiple times - Returns HTTP 409 (Conflict) with clear error messages ### 2. Maximum Attempts Per Photo - Uploaders can set a maximum number of guesses allowed per user for each photo - Default: unlimited (null or 0) - UI displays remaining attempts counter - API enforces attempt limits before allowing guesses - Shows warning message when max attempts reached ### 3. Penalty System Improvements - **Simplified UI**: Removed checkbox - penalty automatically enabled when penalty points > 0 - **Score protection**: Scores cannot go below 0, even with large penalties - If penalty would result in negative score, only deducts available points and sets to 0 ### 4. Admin Photo Deletion - Admins can delete photos from: - Photos list page (hover to reveal delete icon) - Individual photo detail page (delete button in header) - Deletes associated guesses automatically - Deletes local uploaded files from filesystem - Confirmation dialog before deletion - Proper error handling and user feedback ### 5. Navigation Improvements - Logout button always visible in side menu (hamburger menu) - Improved side menu layout with fixed footer for logout button - Better mobile responsiveness ### 6. Self-Guess Prevention - Users cannot guess on their own uploaded photos - Shows informative message with answer for photo owners ## Technical Changes ### Database Schema - Added `fileHash` field (String?) to Photo model for duplicate detection - Added `maxAttempts` field (Int?) to Photo model for attempt limits - Added indexes on `url` and `fileHash` for performance ### API Routes - `POST /api/photos/upload-multiple`: Enhanced with duplicate checking and maxAttempts - `POST /api/photos/[photoId]/guess`: Added maxAttempts enforcement and score floor protection - `DELETE /api/photos/[photoId]`: New route for admin photo deletion ### Components - `DeletePhotoButton`: New reusable component for photo deletion - Updated upload form to remove penalty checkbox - Enhanced photo display pages with attempt counters and admin controls ## Database Migrations - Run `npm run db:push` to apply schema changes - Run `npm run db:generate` to regenerate Prisma client ## Testing - Test duplicate detection with same file and different filenames - Test duplicate detection with same URL - Test max attempts enforcement - Test penalty system with various point values - Test score floor (cannot go below 0) - Test admin photo deletion - Test self-guess prevention ## Breaking Changes None - all changes are backward compatible. Existing photos will have `null` for `maxAttempts` (unlimited) and `fileHash` (for URL uploads). Reviewed-on: #1	2026-01-03 10:19:59 -05:00
ilia	f4461b277c	fix: Resolve TypeScript and linting errors for CI ... - Remove Prisma namespace imports (not available in Prisma 7) - Use type assertions with eslint-disable for Prisma type issues - Fix console.error calls to avoid format string warnings - Sanitize file extensions to address path traversal warnings - Add comments explaining server-side filename generation safety	2026-01-02 15:29:57 -05:00
ilia	90c5a9a4df	fix: Resolve linting and TypeScript errors ... - Replace 'any' types with proper Prisma types - Use PhotoUncheckedCreateInput for photo creation - Use Prisma.PhotoWhereInput for where clauses - Add proper type assertions for photo fields - Fix Photo import error by using Prisma namespace	2026-01-02 15:15:23 -05:00
ilia	9640627972	feat: Add photo management features, duplicate detection, attempt limits, and admin deletion ... - Add duplicate photo detection (file hash and URL checking) - Add max attempts per photo with UI counter - Simplify penalty system (auto-enable when points > 0) - Prevent scores from going below 0 - Add admin photo deletion functionality - Improve navigation with always-visible logout - Prevent users from guessing their own photos	2026-01-02 14:57:30 -05:00