admin
f0eca1959b
- C1: Rewrite /api/usage to resolve teamId server-side from tenant CR; customers can no longer pass arbitrary teamId (IDOR fix) - C2: Remove POST /api/tenants — tenants are only created via admin approval flow - H1: Validate packages against catalog, workspaceFiles against allowlist, and field lengths in PATCH /api/tenants/[name] - H2: Remove full ZITADEL profile claims logging from JWT callback - H3: Add safeError() utility; sanitize all error responses to clients, toggle raw errors via PORTAL_DEBUG_ERRORS=true - H4/H5: Escape HTML entities in all email templates (contactName, companyName, adminNotes)
44 lines
1.2 KiB
TypeScript
44 lines
1.2 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import { requirePlatformRole } from "@/lib/session";
|
|
import { getTenant, patchTenantSpec } from "@/lib/k8s";
|
|
import { safeError } from "@/lib/errors";
|
|
|
|
/**
|
|
* POST /api/admin/tenants/[name]/suspend
|
|
* Toggle suspend on a PiecedTenant CR.
|
|
* Body: { suspend: true } or { suspend: false }
|
|
*/
|
|
export async function POST(
|
|
request: Request,
|
|
{ params }: { params: Promise<{ name: string }> }
|
|
) {
|
|
try {
|
|
await requirePlatformRole();
|
|
} catch {
|
|
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
|
|
}
|
|
|
|
const { name } = await params;
|
|
const body = await request.json().catch(() => ({}));
|
|
const suspend = body.suspend === true;
|
|
|
|
const tenant = await getTenant(name);
|
|
if (!tenant) {
|
|
return NextResponse.json({ error: "Tenant not found" }, { status: 404 });
|
|
}
|
|
|
|
try {
|
|
const updated = await patchTenantSpec(name, { suspend });
|
|
return NextResponse.json({
|
|
message: suspend ? "Tenant suspended." : "Tenant resumed.",
|
|
tenant: updated,
|
|
});
|
|
} catch (e: any) {
|
|
console.error("Failed to update tenant suspend state:", e);
|
|
return NextResponse.json(
|
|
{ error: safeError(e, "Failed to update tenant") },
|
|
{ status: 500 }
|
|
);
|
|
}
|
|
}
|