Centralize HTML safety and align admin authorization checks

Add shared HTML/JSON-LD sanitization utilities and apply them to rich text and structured data rendering paths to reduce script injection risk. Standardize admin checks around profiles.is_admin with legacy fallback support, and align schema and seeding scripts with the new admin source of truth.

Author: olyaiy

docker/scripts/seed-admin.sh

@@ -43,6 +43,27 @@ if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "201" ]; then
   USER_ID=$(echo "$BODY" | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
   echo "Admin user created successfully (ID: ${USER_ID})"
 
+  if [ -n "$USER_ID" ]; then
+    echo "Marking seeded user as admin..."
+    ADMIN_RESPONSE=$(curl -s -w "\n%{http_code}" "http://kong:8000/rest/v1/profiles" \
+      -H "apikey: ${SUPABASE_SERVICE_KEY}" \
+      -H "Authorization: Bearer ${SUPABASE_SERVICE_KEY}" \
+      -H "Content-Type: application/json" \
+      -H "Prefer: resolution=merge-duplicates" \
+      -d "{
+        \"user_id\": \"${USER_ID}\",
+        \"email\": \"${SEED_ADMIN_EMAIL}\",
+        \"is_admin\": true
+      }")
+
+    ADMIN_HTTP_CODE=$(echo "$ADMIN_RESPONSE" | tail -n1)
+    if [ "$ADMIN_HTTP_CODE" = "200" ] || [ "$ADMIN_HTTP_CODE" = "201" ]; then
+      echo "Admin role granted successfully"
+    else
+      echo "Warning: Failed to grant admin role (HTTP ${ADMIN_HTTP_CODE})"
+    fi
+  fi
+
   # Grant Pro subscription if AUTO_PRO_SUBSCRIPTION is enabled
   if [ "${AUTO_PRO_SUBSCRIPTION:-false}" = "true" ] && [ -n "$USER_ID" ]; then
     echo "Granting Pro subscription to admin user..."

docker/supabase/volumes/db/init/01-app-schema.sql

@@ -128,6 +128,7 @@ CREATE TABLE IF NOT EXISTS public.profiles (
   website text NULL,
   linkedin_url text NULL,
   github_url text NULL,
+  is_admin boolean NOT NULL DEFAULT false,
   work_experience jsonb NULL DEFAULT '[]'::jsonb,
   education jsonb NULL DEFAULT '[]'::jsonb,
   skills jsonb NULL DEFAULT '[]'::jsonb,
@@ -137,6 +138,9 @@ CREATE TABLE IF NOT EXISTS public.profiles (
   CONSTRAINT profiles_user_id_key UNIQUE (user_id)
 ) TABLESPACE pg_default;
 
+ALTER TABLE public.profiles
+  ADD COLUMN IF NOT EXISTS is_admin boolean NOT NULL DEFAULT false;
+
 -- Create updated_at trigger for profiles
 DROP TRIGGER IF EXISTS update_profiles_updated_at ON public.profiles;
 CREATE TRIGGER update_profiles_updated_at BEFORE

schema.sql

@@ -131,6 +131,7 @@ CREATE TABLE IF NOT EXISTS public.profiles (
   website text NULL,
   linkedin_url text NULL,
   github_url text NULL,
+  is_admin boolean NOT NULL DEFAULT false,
   work_experience jsonb NULL DEFAULT '[]'::jsonb,
   education jsonb NULL DEFAULT '[]'::jsonb,
   skills jsonb NULL DEFAULT '[]'::jsonb,
@@ -141,6 +142,9 @@ CREATE TABLE IF NOT EXISTS public.profiles (
   CONSTRAINT profiles_user_id_fkey FOREIGN KEY (user_id) REFERENCES auth.users(id) ON UPDATE CASCADE ON DELETE CASCADE
 ) TABLESPACE pg_default;
 
+ALTER TABLE public.profiles
+  ADD COLUMN IF NOT EXISTS is_admin boolean NOT NULL DEFAULT false;
+
 -- Create updated_at trigger for profiles
 DROP TRIGGER IF EXISTS update_profiles_updated_at ON public.profiles;
 CREATE TRIGGER update_profiles_updated_at BEFORE
@@ -172,4 +176,4 @@ CREATE POLICY jobs_policy ON public.jobs
 ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
 CREATE POLICY profiles_policy ON public.profiles
   USING (user_id = auth.uid())
-  WITH CHECK (user_id = auth.uid());
+  WITH CHECK (user_id = auth.uid());

src/app/admin/actions.ts

@@ -57,26 +57,37 @@ export async function checkAdminStatus(): Promise<boolean> {
   const { data: { user }, error: authError } = await supabase.auth.getUser();
 
   if (authError || !user) {
-    console.error('Admin Check: Error fetching user or user not authenticated.', authError);
+    console.error('Admin check failed to resolve user', authError);
     return false; // Not authenticated, definitely not admin
   }
 
-  // Check the admins table for this user
-  const { data: adminData, error: dbError } = await supabase
+  // Primary source of truth: profiles.is_admin
+  const { data: profileData, error: profileError } = await supabase
+    .from('profiles')
+    .select('is_admin')
+    .eq('user_id', user.id)
+    .maybeSingle();
+
+  if (!profileError) {
+    return profileData?.is_admin === true;
+  }
+
+  // Backward compatibility for older databases still using public.admins
+  const { data: adminData, error: adminError } = await supabase
     .from('admins')
     .select('is_admin')
     .eq('user_id', user.id)
     .maybeSingle();
 
-  // Detailed logging for RLS debugging
-  if (dbError) {
-      console.error(`Admin Check DB Error: Failed to query admins table for user ${user.id}. RLS issue?`, { code: dbError.code, message: dbError.message, details: dbError.details, hint: dbError.hint });
-      return false; // Error occurred, assume not admin for safety
-  } else {
-      console.log(`Admin Check DB Success: Query for user ${user.id} returned:`, adminData);
+  if (adminError) {
+    console.error('Admin check failed for profiles/admins lookup', {
+      userId: user.id,
+      profileError: profileError.message,
+      adminError: adminError.message,
+    });
+    return false;
   }
 
-  // If adminData exists and is_admin is true, return true
   return adminData?.is_admin === true;
 }
 
@@ -582,4 +593,4 @@ export async function updateUserSubscriptionPlan(
       message: `An unexpected error occurred: ${error instanceof Error ? error.message : String(error)}`,
     };
   }
-}
+}

src/app/blog/[slug]/page.tsx

@@ -2,6 +2,7 @@ import { compileMDX } from "next-mdx-remote/rsc";
 import { notFound } from "next/navigation";
 import { Metadata } from "next";
 import { getAllPosts, getPostBySlug } from "@/lib/blog";
+import { toSafeJsonScript } from "@/lib/html-safety";
 import { mdxComponents } from "@/components/blog/mdx-components";
 import { Calendar, ArrowLeft, Clock } from "lucide-react";
 import Link from "next/link";
@@ -90,6 +91,37 @@ export default async function BlogPostPage({ params }: BlogPostPageProps) {
   // Calculate reading time (rough estimate)
   const wordCount = post.content.split(/\s+/).length;
   const readingTime = Math.ceil(wordCount / 200); // Average reading speed
+  const structuredData = {
+    '@context': 'https://schema.org',
+    '@type': 'Article',
+    headline: post.frontMatter.title,
+    description: post.frontMatter.description,
+    image: 'https://resumelm.com/og.webp',
+    datePublished: new Date(post.frontMatter.date).toISOString(),
+    dateModified: new Date(post.frontMatter.date).toISOString(),
+    author: {
+      '@type': 'Organization',
+      name: 'ResumeLM Team',
+      url: 'https://resumelm.com',
+    },
+    publisher: {
+      '@type': 'Organization',
+      name: 'ResumeLM',
+      logo: {
+        '@type': 'ImageObject',
+        url: 'https://resumelm.com/og.webp',
+      },
+      url: 'https://resumelm.com',
+    },
+    mainEntityOfPage: {
+      '@type': 'WebPage',
+      '@id': `https://resumelm.com/blog/${slug}`,
+    },
+    articleSection: 'Career Advice',
+    keywords: 'resume builder, tech jobs, Vancouver tech, career advice, AI resume, job search',
+    wordCount,
+    timeRequired: `PT${readingTime}M`,
+  };
 
   return (
     <main className="min-h-screen relative">
@@ -154,37 +186,7 @@ export default async function BlogPostPage({ params }: BlogPostPageProps) {
           <script
             type="application/ld+json"
             dangerouslySetInnerHTML={{
-              __html: JSON.stringify({
-                '@context': 'https://schema.org',
-                '@type': 'Article',
-                headline: post.frontMatter.title,
-                description: post.frontMatter.description,
-                image: 'https://resumelm.com/og.webp',
-                datePublished: new Date(post.frontMatter.date).toISOString(),
-                dateModified: new Date(post.frontMatter.date).toISOString(),
-                author: {
-                  '@type': 'Organization',
-                  name: 'ResumeLM Team',
-                  url: 'https://resumelm.com',
-                },
-                publisher: {
-                  '@type': 'Organization',
-                  name: 'ResumeLM',
-                  logo: {
-                    '@type': 'ImageObject',
-                    url: 'https://resumelm.com/og.webp',
-                  },
-                  url: 'https://resumelm.com',
-                },
-                mainEntityOfPage: {
-                  '@type': 'WebPage',
-                  '@id': `https://resumelm.com/blog/${slug}`,
-                },
-                articleSection: 'Career Advice',
-                keywords: 'resume builder, tech jobs, Vancouver tech, career advice, AI resume, job search',
-                wordCount: wordCount,
-                timeRequired: `PT${readingTime}M`,
-              }),
+              __html: toSafeJsonScript(structuredData),
             }}
           />
 
@@ -242,4 +244,4 @@ export default async function BlogPostPage({ params }: BlogPostPageProps) {
       </div>
     </main>
   );
-} 
+} 

src/app/page.tsx

@@ -12,6 +12,7 @@ import { createClient } from "@/utils/supabase/server";
 import { redirect } from "next/navigation";
 import { Metadata } from "next";
 import Script from "next/script";
+import { toSafeJsonScript } from "@/lib/html-safety";
 
 // Page-specific metadata that extends the base metadata from layout.tsx
 export const metadata: Metadata = {
@@ -37,6 +38,25 @@ export default async function Page() {
   if (user) {
     redirect("/home");
   }
+
+  const structuredData = {
+    "@context": "https://schema.org",
+    "@type": "SoftwareApplication",
+    "name": "ResumeLM",
+    "applicationCategory": "BusinessApplication",
+    "offers": {
+      "@type": "Offer",
+      "price": "0",
+      "priceCurrency": "USD"
+    },
+    "description": "Create ATS-optimized tech resumes in under 10 minutes. 3x your interview chances with AI-powered resume tailoring.",
+    "operatingSystem": "Web",
+    "aggregateRating": {
+      "@type": "AggregateRating",
+      "ratingValue": "4.8",
+      "ratingCount": "500"
+    }
+  };
 
   return (
     <>
@@ -45,24 +65,7 @@ export default async function Page() {
         id="schema-data"
         type="application/ld+json"
         dangerouslySetInnerHTML={{
-          __html: JSON.stringify({
-            "@context": "https://schema.org",
-            "@type": "SoftwareApplication",
-            "name": "ResumeLM",
-            "applicationCategory": "BusinessApplication",
-            "offers": {
-              "@type": "Offer",
-              "price": "0",
-              "priceCurrency": "USD"
-            },
-            "description": "Create ATS-optimized tech resumes in under 10 minutes. 3x your interview chances with AI-powered resume tailoring.",
-            "operatingSystem": "Web",
-            "aggregateRating": {
-              "@type": "AggregateRating",
-              "ratingValue": "4.8",
-              "ratingCount": "500"
-            }
-          })
+          __html: toSafeJsonScript(structuredData)
         }}
       />
 
@@ -113,4 +116,4 @@ export default async function Page() {
       </main>
     </>
   );
-}
+}

src/components/cover-letter/cover-letter.tsx

@@ -3,26 +3,19 @@ import { useRef, useCallback, useMemo } from 'react';
 import { Button } from "@/components/ui/button";
 import { Plus } from "lucide-react";
 import { useResumeContext } from '@/components/resume/editor/resume-editor-context';
+import { sanitizeRichTextHtml } from '@/lib/html-safety';
 
 
 interface CoverLetterProps {
     containerWidth: number;
 
 }
 
-function sanitizeHtmlForPreview(html: string): string {
-  return html
-    .replace(/<script[\s\S]*?>[\s\S]*?<\/script>/gi, '')
-    .replace(/\son\w+=("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
-    .replace(/\s(href|src)=("|')\s*javascript:[^"']*("|')/gi, '');
-}
-
-
 export default function CoverLetter({ containerWidth }: CoverLetterProps) {
   const { state, dispatch } = useResumeContext();
   const contentRef = useRef<HTMLDivElement>(null);
   const sanitizedCoverLetterContent = useMemo(
-    () => sanitizeHtmlForPreview((state.resume.cover_letter?.content as string) || ''),
+    () => sanitizeRichTextHtml((state.resume.cover_letter?.content as string) || ''),
     [state.resume.cover_letter?.content]
   );
 

src/components/jobs/job-listings-card.tsx

@@ -48,13 +48,25 @@ export function JobListingsCard() {
       const { data: { user } } = await supabase.auth.getUser();
 
       if (user) {
-        const { data: profile } = await supabase
+        const { data: profile, error: profileError } = await supabase
           .from('profiles')
           .select('is_admin')
           .eq('user_id', user.id)
-          .single();
-        
-        setIsAdmin(profile?.is_admin ?? false);
+          .maybeSingle();
+
+        if (!profileError) {
+          setIsAdmin(profile?.is_admin === true);
+          return;
+        }
+
+        // Backward compatibility for deployments still using public.admins
+        const { data: adminData } = await supabase
+          .from('admins')
+          .select('is_admin')
+          .eq('user_id', user.id)
+          .maybeSingle();
+
+        setIsAdmin(adminData?.is_admin === true);
       }
     }
 
@@ -300,4 +312,4 @@ export function JobListingsCard() {
       </Card>
     </div>
   );
-} 
+} 

src/components/resume/editor/forms/basic-info-form.tsx

@@ -79,7 +79,7 @@ export const BasicInfoForm = memo(function BasicInfoFormComponent({
     if (!profile) return;
 
     // List of fields to copy from profile
-    const fieldsToFill: (keyof Profile)[] = [
+    const fieldsToFill = [
       'first_name',
       'last_name',
       'email',
@@ -88,7 +88,7 @@ export const BasicInfoForm = memo(function BasicInfoFormComponent({
       'website',
       'linkedin_url',
       'github_url'
-    ];
+    ] as const satisfies Array<keyof Resume>;
 
     // Copy each field if it exists in the profile
     fieldsToFill.forEach((field) => {
@@ -192,4 +192,4 @@ export const BasicInfoForm = memo(function BasicInfoFormComponent({
       </Card>
     </div>
   );
-}, areBasicInfoPropsEqual); 
+}, areBasicInfoPropsEqual);