Open
Conversation
#VERCEL_SKIP
Files now automatically pushed to GitHub after Publish to prevent loss.
Integrate Supabase auth, Pi Network payments, and GitHub publishing
Change background to beige, text to black, and add real-time online user count.
Integrate authentication, Pi Network payments, and chat UI updates
Update header to display clickable online user list and add dropdown panel for online users. Change username color in messages and reply preview from orange to red.
Enhance chat with authentication, Pi payments, and online user list
Introduce free donation option with preset amounts and custom input.
Add flexible donation amounts and custom input option
Revise donation page title and description for clarity.
Add custom donation amounts and update page content
… non-Pi browsers Create new policy pages and enhance login with username support.
Enhance donation options, legal documentation, and login compatibility
Add login support for non-Pi browsers
Add bilingual Terms of Service, guest login, and update login links.
Expand login options and add bilingual legal documentation
Remove guest access entirely from both login and API.
Restrict login to Pi Browser and add bilingual legal documentation
## Vercel Speed Insights Integration
Successfully installed and configured Vercel Speed Insights for the Next.js 16.1.6 application.
### Changes Made:
1. **Package Installation**
- Added `@vercel/speed-insights` version ^1.3.1 to project dependencies
- Updated `package.json` and `pnpm-lock.yaml` accordingly
- Used pnpm as the project's package manager
2. **Code Implementation**
- Modified `app/layout.tsx` to integrate Speed Insights
- Imported `SpeedInsights` component from `@vercel/speed-insights/next`
- Added `<SpeedInsights />` component inside the `<body>` tag after `{children}`
- This follows the recommended approach for Next.js 13.5+ with App Router
3. **Verification**
- Build completed successfully with no errors
- TypeScript validation passed (Next.js validates types during build)
- No breaking changes introduced to existing functionality
### Implementation Details:
The project uses:
- Next.js 16.1.6 with App Router
- TypeScript
- pnpm as package manager
Since the Next.js version is 16.1.6 (which is > 13.5), the Speed Insights component was imported from `@vercel/speed-insights/next` and added directly to the root layout without requiring a client component or manual route handling.
The component placement after `{children}` in the body ensures it loads after the main content, following Vercel's best practices for performance monitoring.
### Files Modified:
- `app/layout.tsx` - Added SpeedInsights import and component
- `package.json` - Added @vercel/speed-insights dependency
- `pnpm-lock.yaml` - Updated lockfile with new dependency
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
## Vercel Speed Insights Implementation
Successfully installed and configured Vercel Speed Insights for this Next.js App Router project.
### Changes Made:
#### 1. Package Installation
- **File Modified**: `package.json`, `pnpm-lock.yaml`
- Installed `@vercel/speed-insights@1.3.1` using pnpm
- Updated dependencies and lock file accordingly
#### 2. Component Integration
- **File Modified**: `app/layout.tsx`
- Added import: `import { SpeedInsights } from "@vercel/speed-insights/next"`
- Added `<SpeedInsights />` component inside the `<body>` tag, after `{children}`
- This follows the recommended Next.js 13.5+ App Router implementation pattern
### Implementation Details:
The project uses:
- **Next.js Version**: 16.1.6 (App Router)
- **Package Manager**: pnpm
- **Router Type**: App Router with `app/layout.tsx`
The implementation follows Vercel's official documentation for Next.js 13.5+ with App Router:
- Imported from `@vercel/speed-insights/next` (optimized for Next.js App Router)
- Component placed in root layout to track all pages automatically
- No additional configuration needed - Speed Insights will automatically collect and report performance metrics
### Verification:
✅ **Build Status**: Build completed successfully with no errors
✅ **Production Build**: All routes generated correctly (13 routes)
✅ **Dependencies**: All dependencies installed and lock file updated
✅ **Code Quality**: No TypeScript errors (build uses type checking)
### Notes:
- The Speed Insights component is non-blocking and will only send data when deployed to Vercel
- In development, it won't affect performance or send any data
- The component automatically tracks Web Vitals (LCP, FID, CLS, FCP, TTFB)
- No additional configuration is required for basic functionality
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Improve logging and error management for API responses; enhance frontend to show detailed error messages.
Restrict login to Pi Browser and improve payment error reporting
…o chat Update legal documents and add photo upload feature in chat.
Add chat photo uploads and update Pi Browser login requirements
Add audio_url to API, chat message interface, and chat room.
Enable photo and audio uploads in chat and update login requirements
Include audio recording features and microphone button.
Enable audio recording and photo uploads in chat
Enhance error messages for clearer user guidance and add support for multiple audio formats.
Enable audio recording and photo uploads in chat
Switch to file upload for audio instead of live recording.
Enable photo and audio file uploads in chat
…-6931-b88f2cf9 Enable audio recording and photo uploads in chat
Enable photo and audio uploads and recording in chat
…-6931-2d35b621 Enable photo and audio file uploads in chat
Enable photo and audio uploads and recording in chat
Create access log table, API, and admin page with login stats.
Enable chat media uploads and access log dashboard
Update login page to reflect provisional KYC acceptance and remove Mainnet migration requirement.
Add back "First Mainnet migration completed" to the list and description.
Enable chat media uploads, access log dashboard, and provisional KYC
Create SQL scripts for 'access_logs', 'pi_users', and 'banned_users'. Fix payment API to save transactions in 'pi_payments'.
Fix SQL script and add media support to chat-room.
…xposes sensitive user activity data to unauthenticated requests
This commit fixes the issue reported at app/api/admin/access-logs/route.ts:4
## Bug Analysis
The `/api/admin/access-logs/route.ts` endpoint is a GET handler that returns sensitive user data including `pi_uid`, `username`, and `created_at` timestamps from the `access_logs` table. Unlike the similar admin endpoint at `/api/admin/ban/route.ts`, this endpoint had **no server-side authorization check**.
While the frontend page (`app/chat/accessi/page.tsx`) does check `isAdmin` from localStorage before displaying the UI, this is purely a client-side check. Anyone could directly call the API endpoint:
```
GET /api/admin/access-logs?date=2024-01-15
```
And receive all user access logs for that date, exposing:
- User Pi UIDs (unique identifiers)
- Usernames
- Access timestamps
This is a classic IDOR/broken access control vulnerability.
## Fix
I implemented the same authorization pattern used by `/api/admin/ban/route.ts`:
1. **API endpoint** (`app/api/admin/access-logs/route.ts`): Added authorization check at the start of the GET handler:
```typescript
const adminUsername = searchParams.get("adminUsername")
if (adminUsername !== "cipollas") return NextResponse.json({ error: "Non autorizzato" }, { status: 403 })
```
2. **Frontend** (`app/chat/accessi/page.tsx`): Updated to:
- Store the admin username from the session in state
- Pass the admin username as a query parameter when calling the API
- Only fetch logs when `adminUsername` is available
This ensures the API now requires the same authorization as the ban endpoint, and only the authorized admin user "cipollas" can access the logs.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Co-authored-by: cipollas <diegogenerali2@gmail.com>
Enable media support in chat and stabilize payment processing
Correct column usage in API and access page for 'user_id' and 'logged_at'.
Enable media support in chat and stabilize payment processing
Add KYC verification and enhance access log recording and disable RLS on access_logs table for inserts.
Enable KYC verification, chat media uploads, and access log dashboard
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.