Full deployment history for this project.
Merge pull request #29 from mbarbine/copilot/merge-all-pull-requests Consolidate all open PR branches into one merge-ready integration branch
Consolidate open PR branches and resolve merge artifacts Agent-Logs-Url: https://github.com/mbarbine/robot-clothing-marketplace/sessions/5ddc72a2-9c77-40f6-bd09-e23483008873 Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
fix: prevent information leakage in error handling Updated error handling in `app/actions/create-product.ts`, `app/auth/login/page.tsx`, and `app/auth/sign-up/page.tsx` to prevent returning raw database or authentication error messages to the client. The actual errors are now logged internally for debugging, while generic, secure error messages are presented to the user. Added an entry to `.jules/sentinel.md` documenting this security pattern.
🛡️ Sentinel: [HIGH] Secure error handling and add input validation in create-product action
🛡️ Sentinel: [MEDIUM] Add input validation and secure error handling to createProduct - Added server-side validation for title, description, price, and image URL in `app/actions/create-product.ts` to prevent invalid or excessively large inputs. - Prevented potential info leakage by catching database errors internally and returning generic error messages to the client instead of raw Supabase `error.message` strings.
I've updated the Palette to include loading spinners on the form buttons.
⚡ Bolt: Batch database queries in dashboard page Batches sequential Supabase queries for `profiles` and `products` using `Promise.all` in `app/dashboard/page.tsx` to eliminate a database waterfall and reduce Time To First Byte (TTFB).
Merge pull request #23 from mbarbine/fix/open-redirect-login-4507972402495396683 🛡️ Sentinel: [HIGH] Fix Open Redirect in login flow
🛡️ Sentinel: [HIGH] Fix Open Redirect in login flow Added validation to ensure the 'redirect' URL parameter is strictly relative and not an external URL (such as a protocol-relative '//') before passing it to router.push.
⚡ Bolt: Refactor dashboard db queries to run concurrently
🛡️ Sentinel: [HIGH] Fix Open Redirect in login routing
🛡️ Sentinel: [HIGH] Fix Open Redirect vulnerability in login
I have added loading spinners to the async form buttons. Here is a summary of the changes: - Added the Spinner component to the Login form button. - Added the Spinner component to the Sign Up form button. - Added the Spinner component to the Listing form button. - Updated my journal to record this learning. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #11 from mbarbine/palette/ux-a11y-improvements-18213783761222221137 🎨 Palette: Add ARIA labels to icon-only buttons and inputs
Merge branch 'main' into palette/ux-a11y-improvements-18213783761222221137
I have added the aria-labels to the marketplace search input and the search button. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect vulnerability in login page 🚨 Severity: HIGH 💡 Vulnerability: The login page used `router.push(redirect)` directly with user-provided `redirect` parameter, which could be an external protocol-relative domain (e.g., //evil.com). 🎯 Impact: Attackers could create malicious links to steal credentials or perform phishing via the open redirect. 🔧 Fix: Added validation to ensure the redirect path is strictly relative (starts with / but not //) and defaults to /dashboard otherwise. ✅ Verification: Ensure npm run build passes successfully without errors. Updated the Sentinel security journal. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page - Validates that `redirect` parameter from URL is strictly relative (e.g. starts with `/` and not `//`) before passing it to `router.push()`. - Defaults to `/dashboard` if validation fails to prevent attackers from redirecting users to arbitrary external domains after login. - Added journal entry to `.jules/sentinel.md` recording this vulnerability and its prevention. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix open redirect vulnerability in login - Validated user-provided `redirect` search params to ensure strict relative paths. - Appended incident details to Sentinel journal. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
⚡ Bolt: Eliminate database query waterfall in marketplace Refactors the marketplace database query to eliminate a sequential N+1 query waterfall. Instead of making an initial DB request to fetch a category ID by its slug, the query now uses Supabase's `!inner` join modifier on the category relation to filter products in a single database roundtrip. This reduces Time To First Byte (TTFB). Also journaled the performance learning in `.jules/bolt.md`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page - Fixed an Open Redirect vulnerability in `app/auth/login/page.tsx` where user-provided `redirect` params were passed directly to `router.push()`. - Validated that the path is strictly relative (starts with `/` and not `//`). - Updated Sentinel journal with the learning and prevention strategy. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page In `app/auth/login/page.tsx`, the `redirect` query parameter was used directly in `router.push(redirect)` after successful login without validation. An attacker could craft a link with `?redirect=https://malicious-site.com` or `?redirect=//malicious-site.com`, tricking a user into logging in and then redirecting them to a malicious site. This commit adds validation to ensure the redirect parameter starts with `/` and does not start with `//` (protocol-relative absolute URL). If validation fails, it falls back to the default `/dashboard` route. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
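Added example (not the project's code) of the redirect check the Sentinel commits above describe: accept the `redirect` query parameter only when it is a path-absolute, same-origin path and otherwise fall back to `/dashboard`. It goes a little beyond the "starts with `/` but not `//`" rule the commits state, also rejecting a backslash in second position (`/\evil.example`, which browsers normalise to `//evil.example`) and control characters, and it confirms the result by parsing against a fixed origin. The helper name `safeRedirectPath` and the `app.invalid` base origin are assumptions.

```typescript
// Added example (not the project's code): validating a user-supplied
// `redirect` parameter before handing it to router.push(). The helper name
// and the fixed base origin used for parsing are assumptions.

const DEFAULT_AFTER_LOGIN = "/dashboard";

// Returns `candidate` only if it is a path-absolute URL on the current origin;
// otherwise returns `fallback`. Rejected inputs include:
//   - absolute URLs ("https://evil.example", "javascript:alert(1)")
//   - protocol-relative URLs ("//evil.example")
//   - backslash variants ("/\evil.example"), which browsers treat as "//"
//   - control characters, which some URL parsers silently strip
export function safeRedirectPath(
  candidate: string | null | undefined,
  fallback: string = DEFAULT_AFTER_LOGIN,
): string {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  if (candidate.length > 2048) return fallback;
  // eslint-disable-next-line no-control-regex
  if (/[\u0000-\u001f\u007f]/.test(candidate)) return fallback;
  if (!candidate.startsWith("/")) return fallback;
  const second = candidate.charAt(1);
  if (second === "/" || second === "\\") return fallback;

  // Belt and braces: resolve against a fixed origin and confirm the origin
  // did not change. Anything that slipped past the checks above shows up here.
  const base = "https://app.invalid";
  let parsed: URL;
  try {
    parsed = new URL(candidate, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;

  // Return the normalised path so the caller pushes exactly what was checked.
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Usage in the login handler would be `router.push(safeRedirectPath(searchParams.get("redirect")))`. Allow-listing the exact destination paths the app actually uses is stricter still and is the better option when the set is small.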
🎨 Palette: Add ARIA labels to icon-only buttons and inputs Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in JSON-LD script tags Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
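Added example (not the project's code) of the standard mitigation for the class of bug the commit above names. The commit does not say how it fixed the issue, so this is an assumption about the technique, not a description of the fix. The hazard: the HTML parser ends a `<script type="application/ld+json">` element at the first `</script` it sees, regardless of JSON string quoting, so a product description containing `</script><script>...` becomes executable when the structured data is rendered with `dangerouslySetInnerHTML`. Escaping `<`, `>` and `&` as `\uXXXX` sequences keeps the output valid JSON while removing every character the HTML parser acts on. Function names are assumptions.

```typescript
// Added example (not the project's code): serialising JSON-LD so that
// attacker-influenced strings cannot terminate the <script> element.
// Function names are assumptions.

// JSON.stringify alone is not enough for script-embedded JSON. JSON permits
// \u escapes anywhere inside strings, and "<", ">" and "&" can only ever occur
// inside strings in JSON output, so rewriting them keeps the document valid
// and round-trips to the same data. U+2028/2029 are escaped for older engines
// that treat them as line terminators inside script text.
export function safeJsonLd(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Renders the complete element as a string. In a React/Next.js component the
// equivalent is:
//   <script type="application/ld+json"
//           dangerouslySetInnerHTML={{ __html: safeJsonLd(data) }} />
export function jsonLdScriptTag(value: unknown): string {
  return `<script type="application/ld+json">${safeJsonLd(value)}</script>`;
}
```

The check to keep in a test suite is the round trip: `JSON.parse(safeJsonLd(x))` must deep-equal `x`, and the serialised text must contain no `<`, `>` or `&` at all.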
Merge pull request #3 from mbarbine/sentinel-fix-idor-create-product-13283831811111064119
Merge pull request #2 from mbarbine/copilot/update-nextjs-version Bump Next.js 16.0.0 → 16.1.6 to resolve CVE-2025-66478