Harden auth flows and add backend quality gate

2026-03-04 12:57:42 +13:00
parent 1ad4823830
commit c6bc31f27e
24 changed files with 811 additions and 137 deletions
--- a/frontend/app/admin/invites/page.tsx
+++ b/frontend/app/admin/invites/page.tsx
@@ -156,6 +156,8 @@ const formatDate = (value?: string | null) => {
  return date.toLocaleString()
 }

+const isValidEmail = (value: string) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim())
+
 const isInviteTraceRowInvited = (row: InviteTraceRow) =>
  Boolean(String(row.inviterUsername || '').trim() || String(row.inviteCode || '').trim())

@@ -349,6 +351,17 @@ export default function AdminInviteManagementPage() {

  const saveInvite = async (event: React.FormEvent) => {
    event.preventDefault()
+    const recipientEmail = inviteForm.recipient_email.trim()
+    if (!recipientEmail) {
+      setError('Recipient email is required.')
+      setStatus(null)
+      return
+    }
+    if (!isValidEmail(recipientEmail)) {
+      setError('Recipient email must be valid.')
+      setStatus(null)
+      return
+    }
    setInviteSaving(true)
    setError(null)
    setStatus(null)
@@ -363,7 +376,7 @@ export default function AdminInviteManagementPage() {
        max_uses: inviteForm.max_uses || null,
        enabled: inviteForm.enabled,
        expires_at: inviteForm.expires_at || null,
-        recipient_email: inviteForm.recipient_email || null,
+        recipient_email: recipientEmail,
        send_email: inviteForm.send_email,
        message: inviteForm.message || null,
      }
@@ -1607,18 +1620,19 @@ export default function AdminInviteManagementPage() {
              <div className="invite-form-row">
                <div className="invite-form-row-label">
                  <span>Delivery</span>
-                  <small>Save a recipient email and optionally send the invite immediately.</small>
+                  <small>Recipient email is required. You can optionally send the invite immediately after saving.</small>
                </div>
                <div className="invite-form-row-control invite-form-row-control--stacked">
                  <label>
-                    <span>Recipient email</span>
+                    <span>Recipient email (required)</span>
                    <input
                      type="email"
+                      required
                      value={inviteForm.recipient_email}
                      onChange={(e) =>
                        setInviteForm((current) => ({ ...current, recipient_email: e.target.value }))
                      }
-                      placeholder="person@example.com"
+                      placeholder="Required recipient email"
                    />
                  </label>
                  <label>