fix: address PR review — fail-closed auth, input validation, rendering stage

- All API routes now fail closed (503 if Supabase not configured)
- Settings PUT validates and whitelists fields (videosPerWeek, publishDays,
  contentCategories, rateCardTiers) with type checking
- Uses createIfNotExists with deterministic ID for singleton safety
- Added missing 'rendering' pipeline stage (8 stages total)
- Consolidated GROQ queries (7 parallel calls → 1 query)
- Added AbortController cleanup to pipeline polling
- Use shared POLL_INTERVAL_MS constant

Co-authored-by: dashboard <dashboard@miriad.systems>

Author: Miriad

app/api/dashboard/activity/route.ts

@@ -10,14 +10,17 @@ export async function GET() {
 		process.env.NEXT_PUBLIC_SUPABASE_URL &&
 		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
 
-	if (hasSupabase) {
-		const supabase = await createClient();
-		const {
-			data: { user },
-		} = await supabase.auth.getUser();
-		if (!user) {
-			return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-		}
+	if (!hasSupabase) {
+		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });
+	}
+
+	const supabase = await createClient();
+	const {
+		data: { user },
+	} = await supabase.auth.getUser();
+
+	if (!user) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 	}
 
 	try {

app/api/dashboard/metrics/route.ts

@@ -10,37 +10,31 @@ export async function GET() {
 		process.env.NEXT_PUBLIC_SUPABASE_URL &&
 		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
 
-	if (hasSupabase) {
-		const supabase = await createClient();
-		const {
-			data: { user },
-		} = await supabase.auth.getUser();
-		if (!user) {
-			return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-		}
+	if (!hasSupabase) {
+		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });
+	}
+
+	const supabase = await createClient();
+	const {
+		data: { user },
+	} = await supabase.auth.getUser();
+
+	if (!user) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 	}
 
 	try {
-		const [videosPublished, flaggedVideos, newIdeas, sponsorPipeline] =
-			await Promise.all([
-				dashboardQuery<number>(
-					`count(*[_type == "automatedVideo" && status == "published"])`,
-				),
-				dashboardQuery<number>(
-					`count(*[_type == "automatedVideo" && status == "flagged"])`,
-				),
-				dashboardQuery<number>(
-					`count(*[_type == "contentIdea" && status == "new"])`,
-				),
-				dashboardQuery<number>(
-					`count(*[_type == "sponsorLead" && status != "paid"])`,
-				),
-			]);
+		const counts = await dashboardQuery<Record<string, number>>(`{
+			"videosPublished": count(*[_type == "automatedVideo" && status == "published"]),
+			"flaggedVideos": count(*[_type == "automatedVideo" && status == "flagged"]),
+			"newIdeas": count(*[_type == "contentIdea" && status == "new"]),
+			"sponsorPipeline": count(*[_type == "sponsorLead" && status != "paid"])
+		}`);
 
 		const metrics: DashboardMetrics = {
-			videosPublished: videosPublished ?? 0,
-			flaggedForReview: (flaggedVideos ?? 0) + (newIdeas ?? 0),
-			sponsorPipeline: sponsorPipeline ?? 0,
+			videosPublished: counts?.videosPublished ?? 0,
+			flaggedForReview: (counts?.flaggedVideos ?? 0) + (counts?.newIdeas ?? 0),
+			sponsorPipeline: counts?.sponsorPipeline ?? 0,
 			revenue: null,
 		};
 

app/api/dashboard/pipeline/route.ts

@@ -5,33 +5,41 @@ import { dashboardQuery } from "@/lib/sanity/dashboard";
 export const dynamic = "force-dynamic";
 
 export async function GET() {
-	const hasSupabase = process.env.NEXT_PUBLIC_SUPABASE_URL && process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
-	if (hasSupabase) {
-		const supabase = await createClient();
-		const { data: { user } } = await supabase.auth.getUser();
-		if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+	const hasSupabase =
+		process.env.NEXT_PUBLIC_SUPABASE_URL &&
+		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+	if (!hasSupabase) {
+		return NextResponse.json({ error: "Auth not configured" }, { status: 503 });
+	}
+
+	const supabase = await createClient();
+	const {
+		data: { user },
+	} = await supabase.auth.getUser();
+
+	if (!user) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 	}
 
 	try {
-		const [draft, scriptReady, audioGen, videoGen, flagged, uploading, published] = await Promise.all([
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "draft"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "script_ready"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "audio_gen"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "video_gen"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "flagged"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "uploading"])`),
-			dashboardQuery<number>(`count(*[_type == "automatedVideo" && status == "published"])`),
-		]);
+		// Single consolidated GROQ query for all pipeline stages
+		const counts = await dashboardQuery<Record<string, number>>(`{
+			"draft": count(*[_type == "automatedVideo" && status == "draft"]),
+			"scriptReady": count(*[_type == "automatedVideo" && status == "script_ready"]),
+			"audioGen": count(*[_type == "automatedVideo" && status == "audio_gen"]),
+			"rendering": count(*[_type == "automatedVideo" && status == "rendering"]),
+			"videoGen": count(*[_type == "automatedVideo" && status == "video_gen"]),
+			"flagged": count(*[_type == "automatedVideo" && status == "flagged"]),
+			"uploading": count(*[_type == "automatedVideo" && status == "uploading"]),
+			"published": count(*[_type == "automatedVideo" && status == "published"])
+		}`);
+
+		const total = Object.values(counts ?? {}).reduce((sum, n) => sum + (n ?? 0), 0);
 
 		return NextResponse.json({
-			draft: draft ?? 0,
-			scriptReady: scriptReady ?? 0,
-			audioGen: audioGen ?? 0,
-			videoGen: videoGen ?? 0,
-			flagged: flagged ?? 0,
-			uploading: uploading ?? 0,
-			published: published ?? 0,
-			total: (draft ?? 0) + (scriptReady ?? 0) + (audioGen ?? 0) + (videoGen ?? 0) + (flagged ?? 0) + (uploading ?? 0) + (published ?? 0),
+			...counts,
+			total,
 		});
 	} catch (error) {
 		console.error("Failed to fetch pipeline status:", error);

app/api/dashboard/settings/route.ts

@@ -4,15 +4,105 @@ import { dashboardQuery, dashboardClient } from "@/lib/sanity/dashboard";
 
 export const dynamic = "force-dynamic";
 
-export async function GET() {
-	// Auth check (skip if Supabase not configured)
-	const hasSupabase = process.env.NEXT_PUBLIC_SUPABASE_URL && process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
-	if (hasSupabase) {
-		const supabase = await createClient();
-		const { data: { user } } = await supabase.auth.getUser();
-		if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+const SETTINGS_DOC_ID = "dashboardSettings";
+
+const DEFAULT_SETTINGS = {
+	videosPerWeek: 3,
+	publishDays: ["Mon", "Wed", "Fri"],
+	contentCategories: [
+		"JavaScript", "TypeScript", "React", "Next.js", "Angular",
+		"Svelte", "Node.js", "CSS", "DevOps", "AI / ML",
+		"Web Performance", "Tooling",
+	],
+	rateCardTiers: [
+		{ name: "Pre-roll Mention", description: "15-second sponsor mention", price: 200 },
+		{ name: "Mid-roll Segment", description: "60-second dedicated segment", price: 500 },
+		{ name: "Dedicated Video", description: "Full sponsored video", price: 1500 },
+	],
+};
+
+async function requireAuth() {
+	const hasSupabase =
+		process.env.NEXT_PUBLIC_SUPABASE_URL &&
+		process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+	if (!hasSupabase) {
+		return { error: NextResponse.json({ error: "Auth not configured" }, { status: 503 }) };
+	}
+
+	const supabase = await createClient();
+	const {
+		data: { user },
+	} = await supabase.auth.getUser();
+
+	if (!user) {
+		return { error: NextResponse.json({ error: "Unauthorized" }, { status: 401 }) };
+	}
+
+	return { user };
+}
+
+const VALID_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"];
+
+function validateSettings(body: unknown): { valid: boolean; data?: Record<string, unknown>; error?: string } {
+	if (!body || typeof body !== "object") {
+		return { valid: false, error: "Invalid request body" };
+	}
+
+	const input = body as Record<string, unknown>;
+	const sanitized: Record<string, unknown> = {};
+
+	if ("videosPerWeek" in input) {
+		const v = Number(input.videosPerWeek);
+		if (!Number.isInteger(v) || v < 1 || v > 14) {
+			return { valid: false, error: "videosPerWeek must be an integer between 1 and 14" };
+		}
+		sanitized.videosPerWeek = v;
+	}
+
+	if ("publishDays" in input) {
+		if (!Array.isArray(input.publishDays) || !input.publishDays.every((d: unknown) => typeof d === "string" && VALID_DAYS.includes(d as string))) {
+			return { valid: false, error: "publishDays must be an array of valid day abbreviations" };
+		}
+		sanitized.publishDays = input.publishDays;
 	}
 
+	if ("contentCategories" in input) {
+		if (!Array.isArray(input.contentCategories) || !input.contentCategories.every((c: unknown) => typeof c === "string" && (c as string).length <= 50)) {
+			return { valid: false, error: "contentCategories must be an array of strings (max 50 chars each)" };
+		}
+		sanitized.contentCategories = input.contentCategories;
+	}
+
+	if ("rateCardTiers" in input) {
+		if (!Array.isArray(input.rateCardTiers)) {
+			return { valid: false, error: "rateCardTiers must be an array" };
+		}
+		for (const tier of input.rateCardTiers as Record<string, unknown>[]) {
+			if (typeof tier.name !== "string" || typeof tier.description !== "string" || typeof tier.price !== "number") {
+				return { valid: false, error: "Each rate card tier must have name (string), description (string), and price (number)" };
+			}
+		}
+		sanitized.rateCardTiers = (input.rateCardTiers as Record<string, unknown>[]).map((t) => ({
+			_type: "object",
+			_key: crypto.randomUUID().slice(0, 8),
+			name: t.name,
+			description: t.description,
+			price: t.price,
+		}));
+	}
+
+	if (Object.keys(sanitized).length === 0) {
+		return { valid: false, error: "No valid fields provided" };
+	}
+
+	return { valid: true, data: sanitized };
+}
+
+export async function GET() {
+	const auth = await requireAuth();
+	if (auth.error) return auth.error;
+
 	try {
 		const settings = await dashboardQuery(
 			`*[_type == "dashboardSettings"][0] {
@@ -22,49 +112,38 @@ export async function GET() {
 				rateCardTiers[] { name, description, price }
 			}`
 		);
-		return NextResponse.json(settings ?? {
-			videosPerWeek: 3,
-			publishDays: ["Mon", "Wed", "Fri"],
-			contentCategories: ["JavaScript", "TypeScript", "React", "Next.js", "Angular", "Svelte", "Node.js", "CSS", "DevOps", "AI / ML", "Web Performance", "Tooling"],
-			rateCardTiers: [
-				{ name: "Pre-roll Mention", description: "15-second sponsor mention", price: 200 },
-				{ name: "Mid-roll Segment", description: "60-second dedicated segment", price: 500 },
-				{ name: "Dedicated Video", description: "Full sponsored video", price: 1500 },
-			],
-		});
+		return NextResponse.json(settings ?? DEFAULT_SETTINGS);
 	} catch (error) {
 		console.error("Failed to fetch settings:", error);
 		return NextResponse.json({ error: "Failed to fetch settings" }, { status: 500 });
 	}
 }
 
 export async function PUT(request: Request) {
-	const hasSupabase = process.env.NEXT_PUBLIC_SUPABASE_URL && process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
-	if (hasSupabase) {
-		const supabase = await createClient();
-		const { data: { user } } = await supabase.auth.getUser();
-		if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-	}
+	const auth = await requireAuth();
+	if (auth.error) return auth.error;
 
 	if (!dashboardClient) {
 		return NextResponse.json({ error: "Sanity client not available" }, { status: 503 });
 	}
 
 	try {
 		const body = await request.json();
+		const validation = validateSettings(body);
 
-		// Find or create the settings document
-		const existing = await dashboardQuery(`*[_type == "dashboardSettings"][0]{ _id }`);
-
-		if (existing?._id) {
-			await dashboardClient.patch(existing._id).set(body).commit();
-		} else {
-			await dashboardClient.create({
-				_type: "dashboardSettings",
-				...body,
-			});
+		if (!validation.valid) {
+			return NextResponse.json({ error: validation.error }, { status: 400 });
 		}
 
+		// Use createIfNotExists with deterministic ID to prevent race conditions
+		await dashboardClient.createIfNotExists({
+			_id: SETTINGS_DOC_ID,
+			_type: "dashboardSettings",
+			...DEFAULT_SETTINGS,
+		});
+
+		await dashboardClient.patch(SETTINGS_DOC_ID).set(validation.data!).commit();
+
 		return NextResponse.json({ success: true });
 	} catch (error) {
 		console.error("Failed to update settings:", error);

components/pipeline-status.tsx

@@ -1,14 +1,14 @@
 "use client";
 
-import { useCallback, useEffect, useState } from "react";
+import { useCallback, useEffect, useRef, useState } from "react";
 import { Loader2 } from "lucide-react";
-
-const POLL_INTERVAL_MS = 30_000;
+import { POLL_INTERVAL_MS } from "@/lib/types/dashboard";
 
 interface PipelineData {
 	draft: number;
 	scriptReady: number;
 	audioGen: number;
+	rendering: number;
 	videoGen: number;
 	flagged: number;
 	uploading: number;
@@ -26,6 +26,7 @@ const STAGES: {
 	{ key: "draft", label: "Draft", color: "text-gray-700 dark:text-gray-300", bg: "bg-gray-200 dark:bg-gray-700", ring: "ring-gray-300 dark:ring-gray-600" },
 	{ key: "scriptReady", label: "Script", color: "text-yellow-700 dark:text-yellow-300", bg: "bg-yellow-200 dark:bg-yellow-800", ring: "ring-yellow-300 dark:ring-yellow-600" },
 	{ key: "audioGen", label: "Audio", color: "text-orange-700 dark:text-orange-300", bg: "bg-orange-200 dark:bg-orange-800", ring: "ring-orange-300 dark:ring-orange-600" },
+	{ key: "rendering", label: "Render", color: "text-cyan-700 dark:text-cyan-300", bg: "bg-cyan-200 dark:bg-cyan-800", ring: "ring-cyan-300 dark:ring-cyan-600" },
 	{ key: "videoGen", label: "Video", color: "text-blue-700 dark:text-blue-300", bg: "bg-blue-200 dark:bg-blue-800", ring: "ring-blue-300 dark:ring-blue-600" },
 	{ key: "flagged", label: "Flagged", color: "text-red-700 dark:text-red-300", bg: "bg-red-200 dark:bg-red-800", ring: "ring-red-300 dark:ring-red-600" },
 	{ key: "uploading", label: "Upload", color: "text-purple-700 dark:text-purple-300", bg: "bg-purple-200 dark:bg-purple-800", ring: "ring-purple-300 dark:ring-purple-600" },
@@ -35,14 +36,22 @@ const STAGES: {
 export function PipelineStatus() {
 	const [data, setData] = useState<PipelineData | null>(null);
 	const [loading, setLoading] = useState(true);
+	const abortRef = useRef<AbortController | null>(null);
 
 	const fetchPipeline = useCallback(async () => {
+		abortRef.current?.abort();
+		const controller = new AbortController();
+		abortRef.current = controller;
+
 		try {
-			const res = await fetch("/api/dashboard/pipeline");
+			const res = await fetch("/api/dashboard/pipeline", {
+				signal: controller.signal,
+			});
 			if (res.ok) {
 				setData(await res.json());
 			}
-		} catch {
+		} catch (error) {
+			if (error instanceof DOMException && error.name === "AbortError") return;
 			// Silently fail — will retry on next poll
 		} finally {
 			setLoading(false);
@@ -52,7 +61,10 @@ export function PipelineStatus() {
 	useEffect(() => {
 		fetchPipeline();
 		const interval = setInterval(fetchPipeline, POLL_INTERVAL_MS);
-		return () => clearInterval(interval);
+		return () => {
+			clearInterval(interval);
+			abortRef.current?.abort();
+		};
 	}, [fetchPipeline]);
 
 	if (loading) {
@@ -111,7 +123,7 @@ export function PipelineStatus() {
 					<div key={stage.key} className="flex flex-1 items-center">
 						<div className={`h-0.5 flex-1 ${stage.bg}`} />
 						{i < STAGES.length - 1 && (
-							<span className="text-[10px] text-muted-foreground">→</span>
+							<span className="text-[10px] text-muted-foreground">\u2192</span>
 						)}
 					</div>
 				))}