Security update: Patch React and Next.js CVE vulnerabilities

Updated React to 19.2.1 and Next.js to 16.0.7 to address critical security vulnerabilities: - CVE-2025-55182: React Server Components deserialization flaw - CVE-2025-66478: Next.js RSC implementation vulnerability Also includes: - Add PATCH endpoint for geofence updates - Reorder admin navigation items - Add geofence update functionality in database layer 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-04 09:30:47 +00:00
parent 96d7314317
commit 3ac82621c8
5 changed files with 191 additions and 54 deletions
--- a/app/admin/layout.tsx
+++ b/app/admin/layout.tsx
@@ -19,10 +19,10 @@ export default function AdminLayout({
  const allNavigation = [
    { name: "Dashboard", href: "/admin", roles: ['ADMIN', 'VIEWER'], superAdminOnly: false },
    { name: "Devices", href: "/admin/devices", roles: ['ADMIN', 'VIEWER'], superAdminOnly: false },
-    { name: "Geofences", href: "/admin/geofences", roles: ['ADMIN'], superAdminOnly: false },
    { name: "MQTT Provisioning", href: "/admin/mqtt", roles: ['ADMIN'], superAdminOnly: false },
-    { name: "Setup Guide", href: "/admin/setup", roles: ['ADMIN', 'VIEWER'], superAdminOnly: false },
+    { name: "Geofences", href: "/admin/geofences", roles: ['ADMIN'], superAdminOnly: false },
    { name: "Users", href: "/admin/users", roles: ['ADMIN'], superAdminOnly: false },
+    { name: "Setup Guide", href: "/admin/setup", roles: ['ADMIN', 'VIEWER'], superAdminOnly: false },
    { name: "Settings", href: "/admin/settings", roles: ['ADMIN'], superAdminOnly: true },
    { name: "Emails", href: "/admin/emails", roles: ['ADMIN'], superAdminOnly: true },
  ];
--- a/app/api/geofences/[id]/route.ts
+++ b/app/api/geofences/[id]/route.ts
@@ -2,6 +2,89 @@ import { NextResponse } from "next/server";
 import { auth } from "@/lib/auth";
 import { geofenceDb } from "@/lib/geofence-db";

+// PATCH /api/geofences/[id] - Update a geofence
+export async function PATCH(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const session = await auth();
+
+    if (!session?.user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const userId = (session.user as any).id;
+    const { id: geofenceId } = await params;
+
+    // Check if geofence exists
+    const geofence = geofenceDb.findById(geofenceId);
+
+    if (!geofence) {
+      return NextResponse.json(
+        { error: "Geofence not found" },
+        { status: 404 }
+      );
+    }
+
+    // Check ownership
+    if (geofence.owner_id !== userId) {
+      return NextResponse.json(
+        { error: "Forbidden: You can only update your own geofences" },
+        { status: 403 }
+      );
+    }
+
+    // Parse request body
+    const body = await request.json();
+    const { name, description, radius_meters, color, is_active } = body;
+
+    // Build updates object with only provided fields
+    const updates: any = {};
+    if (name !== undefined) updates.name = name;
+    if (description !== undefined) updates.description = description;
+    if (radius_meters !== undefined) updates.radius_meters = radius_meters;
+    if (color !== undefined) updates.color = color;
+    if (is_active !== undefined) updates.is_active = is_active;
+
+    // Validate updates if provided
+    if (radius_meters !== undefined) {
+      if (typeof radius_meters !== 'number' || radius_meters < 50 || radius_meters > 50000) {
+        return NextResponse.json(
+          { error: "Invalid radius_meters (must be between 50 and 50000)" },
+          { status: 400 }
+        );
+      }
+    }
+
+    // Update geofence
+    const updatedGeofence = geofenceDb.update(geofenceId, updates);
+
+    if (!updatedGeofence) {
+      return NextResponse.json(
+        { error: "Failed to update geofence" },
+        { status: 500 }
+      );
+    }
+
+    console.log(`[PATCH /api/geofences/${geofenceId}] Updated geofence ${updatedGeofence.name} for user ${userId}`);
+
+    return NextResponse.json({
+      success: true,
+      geofence: updatedGeofence,
+    });
+  } catch (error) {
+    console.error(`[PATCH /api/geofences/[id]] Error:`, error);
+    return NextResponse.json(
+      {
+        error: "Failed to update geofence",
+        details: error instanceof Error ? error.message : "Unknown error",
+      },
+      { status: 500 }
+    );
+  }
+}
+
 // DELETE /api/geofences/[id] - Delete a geofence
 export async function DELETE(
  request: Request,