Dashboard Routes Restructuring Plan

Critical Security Issue 🚨

Current Problem: Publication dashboard routes at /[publication]/dashboard are NOT protected by authentication middleware, allowing unauthorized access to publication settings!

Root Cause

In middleware.ts:70-82, the authentication check is:

if (path.startsWith("/dashboard") || path.startsWith("/login")) {
  const session = await getToken({ req, secret: env.NEXTAUTH_SECRET });
  if (!session && path.startsWith("/dashboard")) {
    // redirect to login
  }
}

This only protects routes starting with /dashboard, but publication dashboards are at:

  • /[publication]/dashboard (e.g., /my-publication/dashboard)

These paths start with the publication slug, NOT /dashboard, so they bypass authentication entirely!
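The following is an added illustration, not the project's middleware.ts: a pure path predicate showing why the current `startsWith("/dashboard")` check misses `/[publication]/dashboard`, beside a segment-based check that covers both route families. Function names and the reserved-segment list are assumptions for this example.

```typescript
// Added example (not the project's middleware.ts). Path classification only;
// the session lookup (getToken) stays exactly as in the real middleware.

// Top-level segments that can never be a publication slug (assumed list).
const RESERVED_SEGMENTS = new Set(["dashboard", "login", "api", "_next", "pricing", "solutions"]);

/** Current predicate: only a literal /dashboard prefix counts as protected. */
export function isProtectedCurrent(pathname: string): boolean {
  return pathname.startsWith("/dashboard");
}

/**
 * Hardened predicate: protects /dashboard/* AND /[publication]/dashboard/*.
 * Works on path segments, so "/dashboardfoo" is not accidentally matched either.
 */
export function isProtectedHardened(pathname: string): boolean {
  const segments = pathname.split("/").filter(Boolean);
  if (segments.length === 0) return false;            // "/" is public
  if (segments[0] === "dashboard") return true;        // /dashboard/...
  // /[publication]/dashboard(/...): a slug segment followed by "dashboard"
  return !RESERVED_SEGMENTS.has(segments[0]) && segments[1] === "dashboard";
}

export type Decision = "allow" | "redirect-login";

/** What the middleware should do, given the path and whether a session token exists. */
export function decide(
  pathname: string,
  hasSession: boolean,
  isProtected: (p: string) => boolean = isProtectedHardened,
): Decision {
  return isProtected(pathname) && !hasSession ? "redirect-login" : "allow";
}
```

Once publication management moves under `/dashboard/publications/[id]` the prefix check alone becomes sufficient, but the segment-based check keeps the old `/[publication]/dashboard` path covered until it is removed.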


Current Route Structure Analysis

Authenticated Dashboard Routes (Protected)

/dashboard                              → User overview (sites & publications)
/dashboard/settings                     → User account settings
/dashboard/new                          → Create new site
/dashboard/admin                        → Admin panel
/dashboard/publications/new             → Create new publication
/dashboard/site/[id]/settings           → Site settings ⚠️ singular "site"
/dashboard/site/[id]/analytics          → Site analytics
/dashboard/site/[id]/settings/appearance → Site appearance

Publication Routes (NOT Protected! ⚠️)

/[publication]/dashboard                → Publication management (VULNERABLE!)
  └─ Tabs: posts, settings

Public Routes (No Auth Required)

/                                       → Landing page
/[publication]                          → Public publication view
/[publication]/[post]/[[...slug]]       → Public post view

Issues Identified

  1. 🔒 Security Vulnerability: Publication dashboards bypass middleware authentication
  2. 📁 Inconsistent Structure: Management routes split between /dashboard/* and /[publication]/dashboard
  3. 🏷️ Inconsistent Naming:
    • /dashboard/site/[id]/* (singular and using id)
    • /[publication]/dashboard (using slug and /dashboard suffix instead of prefix)
    • /dashboard/publications/new (plural)
  4. 🤔 Confusing UX: Hard to understand where to find things
  5. 🔧 Hard to Maintain: Scattered dashboard logic across different route segments

Proposed Solution

New Consolidated Dashboard Structure

All authenticated admin/management routes under /dashboard with consistent plural naming:

PUBLIC ROUTES (No authentication required)
├── /                                    → Landing page
├── /pricing                             → Pricing page
├── /solutions                           → Solutions page
├── /[publication]                       → Public publication homepage
└── /[publication]/[post]/[[...slug]]    → Public post view

AUTHENTICATED ROUTES (All under /dashboard)
├── /dashboard                           → Publications list (Rewrite to /dashboard/publications)
├── /dashboard/settings                  → User account settings
├── /dashboard/admin                     → Admin panel
│
├── /dashboard/sites/new                 → Create new site
├── /dashboard/sites/[id]/settings       → Site settings
├── /dashboard/sites/[id]/analytics      → Site analytics
├── /dashboard/sites/[id]/settings/appearance → Site appearance
│
├── /dashboard/publications              → Publications list (redirect to /dashboard)
├── /dashboard/publications/new          → Create new publication
└── /dashboard/publications/[id]         → Publication management ✅ MOVED HERE
    ├── ?tab=posts                       → Manage posts
    └── ?tab=settings                    → Publication settings