chore: Apply technical audit fixes (middleware, inventory locking, security headers)

lead-matrix · lead-matrix · commit 2ae773ca6b97 · 2026-03-29T23:34:05.000+06:00
diff --git a/MASTER.sql b/MASTER.sql
@@ -2429,17 +2429,19 @@ VALUES (
         (item_record->>'quantity')::integer,
         (item_record->>'price')::numeric
     );
--- b. Deduct product stock
-UPDATE public.products
-SET stock = GREATEST(0, stock - (item_record->>'quantity')::integer)
-WHERE id = (item_record->>'product_id')::uuid;
--- c. Deduct product_variant stock
-IF (item_record->>'variant_id') IS NOT NULL
-AND (item_record->>'variant_id') != '' THEN
-UPDATE public.product_variants
-SET stock = GREATEST(0, stock - (item_record->>'quantity')::integer)
-WHERE id = (item_record->>'variant_id')::uuid;
-END IF;
+    -- b. Deduct product stock (Atomic lock)
+    PERFORM id FROM public.products WHERE id = (item_record->>'product_id')::uuid FOR UPDATE;
+    UPDATE public.products
+    SET stock = GREATEST(0, stock - (item_record->>'quantity')::integer)
+    WHERE id = (item_record->>'product_id')::uuid;
+    -- c. Deduct product_variant stock (Atomic lock)
+    IF (item_record->>'variant_id') IS NOT NULL
+    AND (item_record->>'variant_id') != '' THEN
+        PERFORM id FROM public.product_variants WHERE id = (item_record->>'variant_id')::uuid FOR UPDATE;
+        UPDATE public.product_variants
+        SET stock = GREATEST(0, stock - (item_record->>'quantity')::integer)
+        WHERE id = (item_record->>'variant_id')::uuid;
+    END IF;
 END LOOP;
 END IF;
 RETURN v_order_id;
diff --git a/lib/supabase/admin.ts b/lib/supabase/admin.ts
@@ -1,3 +1,4 @@
+import 'server-only';
 import { createClient as createSupabaseClient } from "@supabase/supabase-js";
 
 const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
diff --git a/next.config.ts b/next.config.ts
@@ -21,6 +21,31 @@ const nextConfig: NextConfig = {
   compiler: {
     removeConsole: process.env.NODE_ENV === 'production' ? { exclude: ['error', 'warn'] } : false,
   },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin',
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
+          },
+        ],
+      },
+    ]
+  },
 }
 
 export default nextConfig
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -43,6 +43,7 @@
     "react-dropzone": "^14.3.5",
     "react-icons": "^5.5.0",
     "resend": "^6.9.3",
+    "server-only": "^0.0.1",
     "shippo": "^2.18.0",
     "sonner": "^2.0.7",
     "stripe": "^20.4.1",

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+import 'server-only';`
`1`	`2`	`import { createClient as createSupabaseClient } from "@supabase/supabase-js";`
`2`	`3`
`3`	`4`	`const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;`