fix(audit): mobile critique + sécurité mobile + verifyMobileToken async
Mobile fixes (CRITIQUE): - theme.ts: C.surface + emerald/blue/amber/purple ajoutés (crash Révision fix) - note/[id].tsx: édition préserve le HTML (titre seulement, contenu read-only) + message explicatif 'utilisez la version web' - store.ts: logout appelle POST /api/mobile/auth/logout avant clearToken Mobile auth (SÉCURITÉ): - Nouvelle route /api/mobile/auth/logout — blacklist Redis du token (TTL 90j) - verifyMobileToken devient async + check Redis blacklist - getMobileUserId devient async Note: Publication IA mode + templates déjà dans note-editor-toolbar.tsx (pas manquant) Note: Structured Views Wizard déjà branché via StructuredViewsIntro (pas orphelin)
This commit is contained in:
@@ -158,7 +158,6 @@ export default function NoteScreen() {
|
||||
const handleEdit = () => {
|
||||
if (!note) return
|
||||
setEditTitle(note.title)
|
||||
setEditContent(htmlToPlainText(note.content ?? ''))
|
||||
setEditMode(true)
|
||||
}
|
||||
|
||||
@@ -168,10 +167,10 @@ export default function NoteScreen() {
|
||||
try {
|
||||
const res = await apiFetch(ENDPOINTS.note(note.id), {
|
||||
method: 'PUT',
|
||||
body: JSON.stringify({ title: editTitle.trim(), content: editContent }),
|
||||
body: JSON.stringify({ title: editTitle.trim() }),
|
||||
})
|
||||
if (!res.ok) throw new Error('Erreur de sauvegarde')
|
||||
setNote((prev) => prev ? { ...prev, title: editTitle.trim(), content: editContent } : prev)
|
||||
setNote((prev) => prev ? { ...prev, title: editTitle.trim() } : prev)
|
||||
setEditMode(false)
|
||||
} catch (e: any) {
|
||||
Alert.alert('Erreur', e.message)
|
||||
@@ -257,20 +256,21 @@ export default function NoteScreen() {
|
||||
/>
|
||||
)}
|
||||
|
||||
{/* Mode édition */}
|
||||
{/* Mode édition — titre uniquement, contenu preserve HTML */}
|
||||
{note && editMode && (
|
||||
<View style={{ flex: 1 }}>
|
||||
<TextInput value={editTitle} onChangeText={setEditTitle} style={s.editTitle} placeholder="Titre…" placeholderTextColor={C.border} />
|
||||
<TextInput value={editTitle} onChangeText={setEditTitle} style={s.editTitle} placeholder="Titre…" placeholderTextColor={C.border} autoFocus />
|
||||
<View style={s.editDivider} />
|
||||
<TextInput value={editContent} onChangeText={setEditContent} style={s.editContent} placeholder="Contenu…" placeholderTextColor={C.concrete} multiline textAlignVertical="top" scrollEnabled />
|
||||
<View style={{ flex: 1, justifyContent: 'center', alignItems: 'center', paddingHorizontal: 20 }}>
|
||||
<Text style={{ fontSize: 14, color: C.concrete, textAlign: 'center', lineHeight: 22 }}>
|
||||
Le contenu enrichi ne peut pas être édité depuis mobile.{`\n\n`}Utilisez la version web pour modifier le texte.
|
||||
</Text>
|
||||
</View>
|
||||
{/* Barre outils */}
|
||||
<View style={s.toolbar}>
|
||||
<MicButton state={audioState} onPress={handleMic} />
|
||||
{audioState === 'recording'
|
||||
? <Text style={s.recordHint}>● Enregistrement… Appuyez pour arrêter</Text>
|
||||
: <TouchableOpacity onPress={() => setAiSheetOpen(true)} disabled={!editContent.trim()} style={[s.aiBtn, !editContent.trim() && { opacity: 0.35 }]} activeOpacity={0.8}>
|
||||
<Text style={s.aiBtnText}>✨ Améliorer avec l'IA</Text>
|
||||
</TouchableOpacity>}
|
||||
<TouchableOpacity onPress={handleSave} disabled={saving} style={[s.aiBtn, { flex: 1, justifyContent: 'center' }]} activeOpacity={0.8}>
|
||||
<Text style={s.aiBtnText}>{saving ? 'Sauvegarde…' : 'Enregistrer le titre'}</Text>
|
||||
</TouchableOpacity>
|
||||
</View>
|
||||
</View>
|
||||
)}
|
||||
|
||||
@@ -43,6 +43,7 @@ export const useAuthStore = create<AuthState>((set) => ({
|
||||
},
|
||||
|
||||
logout: async () => {
|
||||
try { await apiFetch(ENDPOINTS.logout, { method: 'POST' }) } catch {}
|
||||
await clearToken()
|
||||
set({ user: null })
|
||||
},
|
||||
|
||||
@@ -6,7 +6,13 @@ export const C = {
|
||||
concrete: '#8A8A82',
|
||||
border: '#E8E6E0',
|
||||
white: '#FFFFFF',
|
||||
surface: '#F5F4F0',
|
||||
rose: '#e11d48',
|
||||
roseBg: '#fff1f2',
|
||||
roseBorder: '#fecdd3',
|
||||
emerald: '#10b981',
|
||||
emeraldBg: '#ecfdf5',
|
||||
blue: '#3b82f6',
|
||||
amber: '#f59e0b',
|
||||
purple: '#8b5cf6',
|
||||
}
|
||||
|
||||
19
memento-note/app/api/mobile/auth/logout/route.ts
Normal file
19
memento-note/app/api/mobile/auth/logout/route.ts
Normal file
@@ -0,0 +1,19 @@
|
||||
import { NextResponse } from 'next/server'
|
||||
import { getMobileUserId } from '@/lib/mobile-auth'
|
||||
import { redis } from '@/lib/redis'
|
||||
|
||||
export async function POST(req: Request) {
|
||||
const userId = getMobileUserId(req)
|
||||
if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
|
||||
const auth = req.headers.get('Authorization') ?? ''
|
||||
const token = auth.startsWith('Bearer ') ? auth.slice(7) : ''
|
||||
|
||||
if (token) {
|
||||
try {
|
||||
await redis.setex(`mobile:revoked:${token}`, 90 * 24 * 60 * 60, '1')
|
||||
} catch {}
|
||||
}
|
||||
|
||||
return NextResponse.json({ success: true })
|
||||
}
|
||||
@@ -19,8 +19,15 @@ export function createMobileToken(userId: string): string {
|
||||
return Buffer.from(`${payload}:${sig}`).toString('base64url')
|
||||
}
|
||||
|
||||
export function verifyMobileToken(token: string): string | null {
|
||||
export async function verifyMobileToken(token: string): Promise<string | null> {
|
||||
try {
|
||||
// Check Redis blacklist first (non-blocking — if Redis is down, allow)
|
||||
try {
|
||||
const { redis } = await import('@/lib/redis')
|
||||
const revoked = await redis.get(`mobile:revoked:${token}`)
|
||||
if (revoked) return null
|
||||
} catch {}
|
||||
|
||||
const decoded = Buffer.from(token, 'base64url').toString('utf-8')
|
||||
const lastColon = decoded.lastIndexOf(':')
|
||||
if (lastColon === -1) return null
|
||||
@@ -41,7 +48,7 @@ export function verifyMobileToken(token: string): string | null {
|
||||
}
|
||||
}
|
||||
|
||||
export function getMobileUserId(request: Request): string | null {
|
||||
export async function getMobileUserId(request: Request): Promise<string | null> {
|
||||
const auth = request.headers.get('Authorization')
|
||||
if (!auth?.startsWith('Bearer ')) return null
|
||||
return verifyMobileToken(auth.slice(7))
|
||||
|
||||
Reference in New Issue
Block a user