- Sign out: skip NextAuth redirect (which resolves against NEXTAUTH_URL)
and use window.location.href='/' instead — works from any hostname
- Admin users page: add 'Reset PW' button per user that opens a modal
to set a new password (no current password required)
- Allow COMMISSIONER role to reset user passwords via PATCH /api/users/[id]
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rename VIEWER role to COMMISSIONER throughout (schema, middleware,
admin layout, users page); add psql pre-migration step in entrypoint
to rename the PostgreSQL enum value without data loss
- Install postgresql-client in Docker runner stage for psql access
- Login page: fetch sbLogo from settings API instead of hardcoded path
- Password change for all authenticated users:
- New PATCH /api/users/me endpoint (verifies current password, hashes new)
- Change Password button/modal on /my-squares page
- Change Password link in admin sidebar (links to /my-squares)
- New password_change email template (seeded, editable in admin)
- sendPasswordChangedEmail auto-email triggered on change
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Keep only afc-generic.png and nfc-generic.png as defaults.
All team-specific logos, backgrounds, and other assets removed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Next.js standalone output does not serve files added dynamically to
public/uploads/ after build time. Serve uploads via a new API route
(/api/uploads/[filename]) that reads from disk at request time.
- Add src/app/api/uploads/[filename]/route.ts to stream uploaded files
- Update POST /api/upload to return /api/uploads/<file> URLs
- Update GET /api/upload to list uploads with /api/uploads/ URLs
- Update DELETE /api/upload to accept /api/uploads/ URL prefix
- Add /api/uploads to middleware public routes whitelist
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix uploaded images showing as 404: /uploads/ was not excluded from the
auth middleware matcher, so browsers were blocked from loading images.
Added uploads to the matcher exclusion alongside images.
- Ensure uploads directory exists at startup (mkdir -p in entrypoint +
recursive mkdir in the upload POST handler).
- Add DELETE /api/upload?url=... endpoint for admins to delete any image.
- Simplify gallery to a single unified view (no stock/uploads filter tabs).
Each image tile shows a red × delete button on hover with confirmation.
Upload Image button also available inside the gallery modal.
- Add Docker named volume for /app/public/uploads so uploaded images
persist across container restarts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a Print button to the header that opens /print in a new tab.
The print page auto-triggers the browser print dialog, formatted for
11x8.5" landscape. Includes team logos, AFC/NFC axis numbers, player
names in each cell (color-coded confirmed/pending/available), and a legend.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Production servers pull the pre-built image from ghcr.io — having
build: . caused docker compose up to fail when no Dockerfile was present.
Moved build: . to docker-compose.override.yml (gitignored) which Docker
Compose automatically merges locally for dev builds. Production deployments
only need docker-compose.yml and .env.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Allows the image to be pushed to GitHub Container Registry and pulled
on deployment servers without needing the source code.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/api/settings was missing from the middleware public routes allowlist,
causing unauthenticated (guest) requests to be blocked before reaching
the route handler. The error was silently caught, leaving settings null
and hiding the amount owed, payment methods, and payment instructions.
Logged-in users were unaffected as their session token passed middleware.
Also update CLAUDE.md to reflect the WebSocket userId-based auth change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Full rewrite of the legacy PHP/MySQL app using Next.js 14, PostgreSQL,
Prisma, NextAuth, Tailwind CSS, and WebSocket-based live chat/grid updates.
Deployed via Docker Compose with a custom Node.js server for WebSocket support.
Fix chat display names by passing userId from the NextAuth session over
WebSocket instead of attempting to read the HttpOnly session cookie (which
is inaccessible to JavaScript). Server now looks up the user's first name
from the database using the userId.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip