Harden impersonation and close high-risk exposure paths

Use signed HttpOnly impersonation state and restore the original admin session safely to reduce account takeover risk during admin impersonation. Also scope job listings to the authenticated user and remove unsafe HTML injection paths in resume UI rendering.

Author: olyaiy

src/app/admin/components/users-table.tsx

@@ -79,6 +79,13 @@ interface UserData {
   resume_count: number;
 }
 
+interface TrialMeta {
+  hasTrial: boolean;
+  isTrialing: boolean;
+  isExpired: boolean;
+  displayDate: string;
+}
+
 type SortableColumns =
   | 'email'
   | 'created_at'
@@ -94,6 +101,34 @@ type SortableColumns =
   | 'trial_end'
   | 'resume_count'; // Added resume_count
 
+function formatDate(dateString?: string) {
+  if (!dateString) return 'N/A';
+  return new Date(dateString).toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'short',
+    day: 'numeric',
+  });
+}
+
+function getTrialMeta(trialEnd?: string | null): TrialMeta {
+  if (!trialEnd) {
+    return { hasTrial: false, isTrialing: false, isExpired: false, displayDate: 'N/A' };
+  }
+
+  const parsed = new Date(trialEnd);
+  if (Number.isNaN(parsed.getTime())) {
+    return { hasTrial: true, isTrialing: false, isExpired: false, displayDate: 'Invalid date' };
+  }
+
+  const isTrialing = parsed.getTime() > Date.now();
+  return {
+    hasTrial: true,
+    isTrialing,
+    isExpired: !isTrialing,
+    displayDate: formatDate(trialEnd),
+  };
+}
+
 export default function UsersTable() {
   const router = useRouter(); // Initialize router
   const [users, setUsers] = useState<UserData[]>([]);
@@ -124,10 +159,6 @@ export default function UsersTable() {
       try {
         setLoading(true);
         const data = await getUsersWithProfilesAndSubscriptions();
-        console.log('DEBUG (browser) | users fetched from server action:', {
-          total: data?.length,
-          sample: (data as unknown as UserData[])?.slice?.(0, 3) // show first 3
-        });
         setUsers(data as unknown as UserData[]);
       } catch (err) {
         console.error('Error fetching users:', err);
@@ -140,34 +171,6 @@ export default function UsersTable() {
     fetchUsers();
   }, []);
 
-  function formatDate(dateString?: string) {
-    if (!dateString) return 'N/A';
-    return new Date(dateString).toLocaleDateString('en-US', {
-      year: 'numeric',
-      month: 'short',
-      day: 'numeric',
-    });
-  }
-
-  const getTrialMeta = (trialEnd?: string | null) => {
-    if (!trialEnd) {
-      return { hasTrial: false, isTrialing: false, isExpired: false, displayDate: 'N/A' };
-    }
-
-    const parsed = new Date(trialEnd);
-    if (Number.isNaN(parsed.getTime())) {
-      return { hasTrial: true, isTrialing: false, isExpired: false, displayDate: 'Invalid date' };
-    }
-
-    const isTrialing = parsed.getTime() > Date.now();
-    return {
-      hasTrial: true,
-      isTrialing,
-      isExpired: !isTrialing,
-      displayDate: formatDate(trialEnd),
-    };
-  };
-  
   const handleSort = (column: SortableColumns) => {
     setSortDescriptor((prev) => ({
       column,

src/app/admin/impersonate/[user-id]/route.ts

@@ -1,6 +1,11 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { createServiceClient } from '@/utils/supabase/server'
+import { createClient, createServiceClient } from '@/utils/supabase/server'
 import { ensureAdmin } from '../../actions' // relative to this file
+import {
+  createImpersonationStateCookieValue,
+  IMPERSONATION_STATE_COOKIE_NAME,
+  IMPERSONATION_STATE_MAX_AGE_SECONDS,
+} from '@/lib/impersonation'
 
 /**
  * GET /admin/impersonate/:user-id
@@ -29,25 +34,41 @@ export async function GET(
   // 1. Re-authenticate that the current caller is an admin
   await ensureAdmin()
 
-  // 2. Fetch the target user's email so we can generate a magic-link
+  // 2. Read the currently authenticated admin user ID
+  const supabase = await createClient()
+  const {
+    data: { user: adminUser },
+    error: adminUserError,
+  } = await supabase.auth.getUser()
+
+  if (adminUserError || !adminUser) {
+    return NextResponse.json({ error: 'Admin authentication required' }, { status: 401 })
+  }
+
+  if (adminUser.id === targetUserId) {
+    return NextResponse.json({ error: 'Cannot impersonate current user' }, { status: 400 })
+  }
+
+  // 3. Fetch the target user's email so we can generate a magic-link
   const supabaseAdmin = await createServiceClient()
   const { data: authUser, error: fetchError } = await supabaseAdmin.auth.admin.getUserById(
     targetUserId
   )
 
-  if (fetchError || !authUser) {
+  if (fetchError || !authUser?.user?.email) {
     return NextResponse.json(
       { error: fetchError?.message || 'User not found' },
       { status: 404 }
     )
   }
 
-  // 3. Generate a magic-link that signs the admin in **as the target user**.
+  // 4. Generate a magic-link that signs the admin in **as the target user**.
+  const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? request.nextUrl.origin
   const { data: linkData, error: linkError } = await supabaseAdmin.auth.admin.generateLink({
     type: 'magiclink',
-    email: authUser.user.email!, // email can be safely asserted – Supabase guarantees it on users
+    email: authUser.user.email,
     options: {
-      redirectTo: `${process.env.NEXT_PUBLIC_SITE_URL}/auth/callback`,
+      redirectTo: `${siteUrl}/auth/callback?next=/home`,
     },
   })
 
@@ -60,19 +81,20 @@ export async function GET(
 
   const actionLink = linkData.properties.action_link
 
-  // 4. Set helper cookies so we can show an indicator while impersonating
-  const response = NextResponse.redirect(actionLink)
-  response.cookies.set('is_impersonating', 'true', {
-    path: '/',
-    httpOnly: false,
-    sameSite: 'lax',
-    maxAge: 60 * 60, // 1 hour is plenty – adjust as needed
+  const impersonationState = createImpersonationStateCookieValue({
+    adminUserId: adminUser.id,
+    impersonatedUserId: targetUserId,
+    maxAgeSeconds: IMPERSONATION_STATE_MAX_AGE_SECONDS,
   })
-  response.cookies.set('impersonated_user_id', targetUserId, {
+
+  // 5. Set secure helper cookie so we can safely restore the admin session
+  const response = NextResponse.redirect(actionLink)
+  response.cookies.set(IMPERSONATION_STATE_COOKIE_NAME, impersonationState, {
     path: '/',
-    httpOnly: false,
+    httpOnly: true,
     sameSite: 'lax',
-    maxAge: 60 * 60,
+    secure: process.env.NODE_ENV === 'production',
+    maxAge: IMPERSONATION_STATE_MAX_AGE_SECONDS,
   })
 
   return response

src/app/layout.tsx

@@ -8,6 +8,10 @@ import { Metadata } from "next";
 import { Analytics } from "@vercel/analytics/react";
 import Link from "next/link";
 import { cookies } from "next/headers";
+import {
+  IMPERSONATION_STATE_COOKIE_NAME,
+  parseImpersonationStateCookieValue,
+} from "@/lib/impersonation";
 
 // Only enable Vercel Analytics when running on Vercel platform
 const isVercel = process.env.VERCEL === '1';
@@ -82,9 +86,12 @@ export default async function RootLayout({
   const supabase = await createClient();
   const { data: { user } } = await supabase.auth.getUser();
 
-  // Detect impersonation via cookie set during /admin/impersonate flow
+  // Detect impersonation via signed cookie set during /admin/impersonate flow
   const cookieStore = await cookies();
-  const isImpersonating = cookieStore.get('is_impersonating')?.value === 'true';
+  const impersonationState = parseImpersonationStateCookieValue(
+    cookieStore.get(IMPERSONATION_STATE_COOKIE_NAME)?.value
+  );
+  const isImpersonating = Boolean(impersonationState);
 
 
   let showUpgradeButton = false;

src/app/stop-impersonation/route.ts

@@ -1,19 +1,72 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { createClient } from '@/utils/supabase/server'
+import { createClient, createServiceClient } from '@/utils/supabase/server'
+import {
+  IMPERSONATION_STATE_COOKIE_NAME,
+  parseImpersonationStateCookieValue,
+} from '@/lib/impersonation'
+
+function clearImpersonationCookie(response: NextResponse) {
+  response.cookies.set(IMPERSONATION_STATE_COOKIE_NAME, '', {
+    path: '/',
+    httpOnly: true,
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+    maxAge: 0,
+  })
+}
 
 /**
  * GET /stop-impersonation
  *
- * Signs out the current (impersonated) session and removes helper cookies.
- * Afterward, the user is redirected to the login page.
+ * Restores the original admin session after impersonation ends.
+ *
+ * Flow:
+ * - Read and verify the signed impersonation cookie
+ * - Sign out the currently impersonated session
+ * - Generate a magic link for the original admin
+ * - Redirect through Supabase callback to restore admin session
  */
 export async function GET(request: NextRequest) {
+  const stateCookie = request.cookies.get(IMPERSONATION_STATE_COOKIE_NAME)?.value
+  const state = parseImpersonationStateCookieValue(stateCookie)
+
+  if (!state) {
+    const response = NextResponse.redirect(new URL('/', request.url))
+    clearImpersonationCookie(response)
+    return response
+  }
+
   const supabase = await createClient()
   await supabase.auth.signOut()
 
-  const response = NextResponse.redirect(new URL('/auth/login', request.url))
-  response.cookies.delete('is_impersonating')
-  response.cookies.delete('impersonated_user_id')
+  const supabaseAdmin = await createServiceClient()
+  const { data: adminAuthUser, error: adminUserError } = await supabaseAdmin.auth.admin.getUserById(
+    state.adminUserId
+  )
+
+  if (adminUserError || !adminAuthUser?.user?.email) {
+    const response = NextResponse.redirect(new URL('/auth/login', request.url))
+    clearImpersonationCookie(response)
+    return response
+  }
+
+  const siteUrl = process.env.NEXT_PUBLIC_SITE_URL ?? request.nextUrl.origin
+  const { data: linkData, error: linkError } = await supabaseAdmin.auth.admin.generateLink({
+    type: 'magiclink',
+    email: adminAuthUser.user.email,
+    options: {
+      redirectTo: `${siteUrl}/auth/callback?next=/admin`,
+    },
+  })
+
+  if (linkError || !linkData?.properties?.action_link) {
+    const response = NextResponse.redirect(new URL('/auth/login', request.url))
+    clearImpersonationCookie(response)
+    return response
+  }
+
+  const response = NextResponse.redirect(linkData.properties.action_link)
+  clearImpersonationCookie(response)
 
   return response
 }

src/components/cover-letter/cover-letter.tsx

@@ -1,5 +1,5 @@
 import CoverLetterEditor from "./cover-letter-editor";
-import { useRef, useCallback } from 'react';
+import { useRef, useCallback, useMemo } from 'react';
 import { Button } from "@/components/ui/button";
 import { Plus } from "lucide-react";
 import { useResumeContext } from '@/components/resume/editor/resume-editor-context';
@@ -10,10 +10,21 @@ interface CoverLetterProps {
 
 }
 
+function sanitizeHtmlForPreview(html: string): string {
+  return html
+    .replace(/<script[\s\S]*?>[\s\S]*?<\/script>/gi, '')
+    .replace(/\son\w+=("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
+    .replace(/\s(href|src)=("|')\s*javascript:[^"']*("|')/gi, '');
+}
+
 
 export default function CoverLetter({ containerWidth }: CoverLetterProps) {
   const { state, dispatch } = useResumeContext();
   const contentRef = useRef<HTMLDivElement>(null);
+  const sanitizedCoverLetterContent = useMemo(
+    () => sanitizeHtmlForPreview((state.resume.cover_letter?.content as string) || ''),
+    [state.resume.cover_letter?.content]
+  );
 
   const handleContentChange = useCallback((data: Record<string, unknown>) => {
     dispatch({
@@ -57,7 +68,7 @@ export default function CoverLetter({ containerWidth }: CoverLetterProps) {
       >
         <div 
           className="p-16 prose prose-sm !max-w-none"
-          dangerouslySetInnerHTML={{ __html: (state.resume.cover_letter?.content as string) || '' }} 
+          dangerouslySetInnerHTML={{ __html: sanitizedCoverLetterContent }} 
         />
       </div>
 
@@ -82,4 +93,3 @@ export default function CoverLetter({ containerWidth }: CoverLetterProps) {
     </div>
   );
 }
-

src/components/resume/assistant/work-experience-suggestion.tsx

@@ -13,6 +13,11 @@ interface WorkExperienceSuggestionProps {
   newValue: WorkExperience[keyof WorkExperience];
 }
 
+interface DescriptionPoint {
+  text: string;
+  isNew: boolean;
+}
+
 function getHighlightClass<T>(currentValue: T, newValue: T, fieldValue: T): string {
   return JSON.stringify(currentValue) !== JSON.stringify(newValue) && fieldValue === newValue 
     ? DIFF_HIGHLIGHT_CLASSES 
@@ -33,18 +38,17 @@ export function WorkExperienceSuggestion({
   };
 
   // Safe description comparison
-  const descriptionComparison = (current: string[] = [], suggested: string[] = []) => {
+  const descriptionComparison = (current: string[] = [], suggested: string[] = []): DescriptionPoint[] => {
     // Handle undefined/null cases and ensure arrays
     const safeCurrent = Array.isArray(current) ? current : [];
     const safeSuggested = Array.isArray(suggested) ? suggested : [];
 
     return safeSuggested.map((point = '', index) => { // Add default for point
       const currentPoint = safeCurrent[index] || '';
-      const isNew = point !== currentPoint;
-      
-      return isNew 
-        ? `<span class="${DIFF_HIGHLIGHT_CLASSES}">${point}</span>` 
-        : point;
+      return {
+        text: point,
+        isNew: point !== currentPoint,
+      };
     });
   };
 
@@ -53,7 +57,10 @@ export function WorkExperienceSuggestion({
         currentWork?.description ?? [],
         (newValue as string[]) // Type assertion since we know modifiedField='description'
       )
-    : currentWork.description ?? [];
+    : (currentWork.description ?? []).map((point) => ({
+        text: point,
+        isNew: false,
+      }));
 
   return (
     <Card className={cn(
@@ -106,10 +113,7 @@ export function WorkExperienceSuggestion({
             {highlightedDescription.map((point, index) => (
               <div key={index} className="flex items-start gap-1.5">
                 <span className="text-gray-800 mt-0.5 text-xs">•</span>
-                <p 
-                  className="text-xs text-gray-800"
-                  dangerouslySetInnerHTML={{ __html: point || 'No description provided' }}
-                />
+                <p className={cn("text-xs text-gray-800", point.isNew ? DIFF_HIGHLIGHT_CLASSES : "")}>{point.text || 'No description provided'}</p>
               </div>
             ))}
           </div>