Dashboard Routes Restructuring Plan
Critical Security Issue 🚨
Current Problem: Publication dashboard routes at /[publication]/dashboard are NOT protected by authentication middleware, allowing unauthorized access to publication settings!
Root Cause
In middleware.ts:70-82, the authentication check is:

```ts
// Only paths under /dashboard (and /login) enter this branch at all.
if (path.startsWith("/dashboard") || path.startsWith("/login")) {
  const session = await getToken({ req, secret: env.NEXTAUTH_SECRET });
  if (!session && path.startsWith("/dashboard")) {
    // redirect to login
  }
}
```

This only protects routes starting with /dashboard, but publication dashboards are at:

```
/[publication]/dashboard   (e.g. /my-publication/dashboard)
```

These paths start with the publication slug, NOT /dashboard, so they never enter the branch above and bypass authentication entirely!
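The following is an added example, not code from the project's middleware.ts. It models the quoted prefix check as a pure function, places an interim hardened check beside it (the hardened variant is my assumption, not part of this plan; it treats any `/<slug>/dashboard` path as protected while leaving `/<slug>` and `/<slug>/<post>` public), and runs both over constructed sample paths to list exactly which requests an anonymous visitor can reach today.

```typescript
// Added example (not the project's middleware.ts). Models the current
// authentication predicate and an interim hardened one over sample paths.

// Mirrors the condition quoted from middleware.ts:70-82.
export function currentCheckRequiresAuth(path: string): boolean {
  return path.startsWith("/dashboard");
}

// Interim hardening (assumption, not from the plan): also gate
// /<publication-slug>/dashboard. Only the first two path segments are
// inspected, so public routes such as /my-pub and /my-pub/some-post stay open.
export function hardenedCheckRequiresAuth(path: string): boolean {
  if (path.startsWith("/dashboard")) return true;
  const segments = path.split("?")[0].split("/").filter(Boolean);
  return segments.length >= 2 && segments[1] === "dashboard";
}

export interface AccessCheck {
  path: string;
  hasSession: boolean;
  currentCheck: "allow" | "redirect";
  hardenedCheck: "allow" | "redirect";
}

// Decision the middleware would take for one request under each predicate.
export function evaluate(path: string, hasSession: boolean): AccessCheck {
  const gate = (requiresAuth: boolean): "allow" | "redirect" =>
    requiresAuth && !hasSession ? "redirect" : "allow";
  return {
    path,
    hasSession,
    currentCheck: gate(currentCheckRequiresAuth(path)),
    hardenedCheck: gate(hardenedCheckRequiresAuth(path)),
  };
}

// Constructed sample requests, mirroring the route table in this plan.
export const SAMPLE_PATHS: string[] = [
  "/dashboard",
  "/dashboard/settings",
  "/dashboard/site/42/settings",
  "/my-publication",
  "/my-publication/some-post",
  "/my-publication/dashboard",
  "/my-publication/dashboard?tab=settings",
];

// Paths an anonymous visitor reaches under the current check but that the
// hardened check would redirect: these are the unprotected management routes.
export function bypassedPaths(): string[] {
  return SAMPLE_PATHS.filter((p) => {
    const r = evaluate(p, false);
    return r.currentCheck === "allow" && r.hardenedCheck === "redirect";
  });
}

// Stand-alone run: print the comparison table.
for (const p of SAMPLE_PATHS) {
  const r = evaluate(p, false);
  console.log(`${p.padEnd(40)} current=${r.currentCheck.padEnd(8)} hardened=${r.hardenedCheck}`);
}
```

The interim predicate is a stop-gap for the current layout only; once every management route lives under /dashboard (see the proposed structure below), a single prefix check is sufficient and the slug-based rule can be dropped.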
Current Route Structure Analysis
Authenticated Dashboard Routes (Protected)

```
/dashboard                                → User overview (sites & publications)
/dashboard/settings                       → User account settings
/dashboard/new                            → Create new site
/dashboard/admin                          → Admin panel
/dashboard/publications/new               → Create new publication
/dashboard/site/[id]/settings             → Site settings ⚠️ singular "site"
/dashboard/site/[id]/analytics            → Site analytics
/dashboard/site/[id]/settings/appearance  → Site appearance
```

Publication Routes (NOT Protected! ⚠️)

```
/[publication]/dashboard                  → Publication management (VULNERABLE!)
  └─ Tabs: posts, settings
```

Public Routes (No Auth Required)

```
/                                         → Landing page
/[publication]                            → Public publication view
/[publication]/[post]/[[...slug]]         → Public post view
```
Issues Identified
- 🔒 Security Vulnerability: Publication dashboards bypass middleware authentication
- 📁 Inconsistent Structure: Management routes split between `/dashboard/*` and `/[publication]/dashboard`
- 🏷️ Inconsistent Naming: `/dashboard/site/[id]/*` (singular, keyed by id); `/[publication]/dashboard` (keyed by slug, with `/dashboard` as a suffix instead of a prefix); `/dashboard/publications/new` (plural)
- 🤔 Confusing UX: Hard to understand where to find things
- 🔧 Hard to Maintain: Scattered dashboard logic across different route segments
Proposed Solution
New Consolidated Dashboard Structure
All authenticated admin/management routes under /dashboard with consistent plural naming:
```
PUBLIC ROUTES (No authentication required)
├── /                                          → Landing page
├── /pricing                                   → Pricing page
├── /solutions                                 → Solutions page
├── /[publication]                             → Public publication homepage
└── /[publication]/[post]/[[...slug]]          → Public post view

AUTHENTICATED ROUTES (All under /dashboard)
├── /dashboard                                 → Publications list (rewrite to /dashboard/publications)
├── /dashboard/settings                        → User account settings
├── /dashboard/admin                           → Admin panel
│
├── /dashboard/sites/new                       → Create new site
├── /dashboard/sites/[id]/settings             → Site settings
├── /dashboard/sites/[id]/analytics            → Site analytics
├── /dashboard/sites/[id]/settings/appearance  → Site appearance
│
├── /dashboard/publications                    → Publications list (redirect to /dashboard)
├── /dashboard/publications/new                → Create new publication
└── /dashboard/publications/[id]               → Publication management ✅ MOVED HERE
    ├── ?tab=posts                             → Manage posts
    └── ?tab=settings                          → Publication settings
```
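As an added example (not the project's code), the routing decision for the consolidated structure above can be expressed as a pure function and exercised over sample requests without a Next.js runtime. It assumes the rewrite/redirect pair stated in the tree (the URL /dashboard is served by the /dashboard/publications page via an internal rewrite, while a request for /dashboard/publications is redirected to the canonical /dashboard) and an unauthenticated redirect target of /login, which the current middleware implies but this plan does not spell out. In real middleware the `rewrite` and `redirect` results would map to `NextResponse.rewrite` and `NextResponse.redirect`; here they are plain values so the rules can be checked, including that the rewrite/redirect pair cannot loop.

```typescript
// Added example, not the project's middleware: decision logic for the
// proposed /dashboard-only structure, kept free of framework imports.

export type Decision =
  | { action: "next" }
  | { action: "redirect"; to: string }
  | { action: "rewrite"; to: string };

// Match the /dashboard path segment rather than a raw string prefix, so a
// hypothetical public route like /dashboard-tour is not gated by accident.
export function isManagementPath(pathname: string): boolean {
  return pathname === "/dashboard" || pathname.startsWith("/dashboard/");
}

export function decide(pathname: string, hasSession: boolean): Decision {
  // With every management route under /dashboard, one segment check
  // covers publications, sites, settings and admin alike.
  if (isManagementPath(pathname) && !hasSession) {
    return { action: "redirect", to: "/login" }; // assumption: login route
  }
  // Canonical URL for the publications list is /dashboard ...
  if (pathname === "/dashboard/publications") {
    return { action: "redirect", to: "/dashboard" };
  }
  // ... which is rendered by the /dashboard/publications page internally.
  if (pathname === "/dashboard") {
    return { action: "rewrite", to: "/dashboard/publications" };
  }
  return { action: "next" };
}

export interface Resolution {
  finalPath: string; // URL the browser ends up on
  rendered: string; // page that actually renders it
  hops: number; // external redirects followed
}

// Follow redirects the way a browser would, bounded so a misconfigured
// rewrite/redirect pair surfaces as an error instead of an endless loop.
export function resolve(pathname: string, hasSession: boolean, maxHops = 5): Resolution {
  let path = pathname;
  let hops = 0;
  for (;;) {
    const d = decide(path, hasSession);
    if (d.action === "redirect") {
      if (++hops > maxHops) throw new Error(`redirect loop starting at ${pathname}`);
      path = d.to;
      continue;
    }
    return { finalPath: path, rendered: d.action === "rewrite" ? d.to : path, hops };
  }
}

// Constructed sample requests covering each class of route in the plan.
export const SAMPLE_REQUESTS: Array<[string, boolean]> = [
  ["/", false],
  ["/my-publication", false],
  ["/dashboard", true],
  ["/dashboard/publications", true],
  ["/dashboard/publications/42?tab=settings", false],
  ["/dashboard/sites/7/analytics", true],
];

for (const [path, hasSession] of SAMPLE_REQUESTS) {
  const r = resolve(path, hasSession);
  console.log(`${path.padEnd(42)} session=${hasSession} → ${r.finalPath} (renders ${r.rendered}, ${r.hops} hop(s))`);
}
```

Note that `pathname` here is the URL path only, as `req.nextUrl.pathname` would supply it; the `?tab=` query in the sample is carried along untouched because the segment check never looks past `/dashboard/`.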