account management upgrades

2025-09-30 19:35:27 -04:00 · 2025-09-30 19:35:27 -04:00 · 86fdd403b0
commit 86fdd403b0
parent 94de501a49
8 changed files with 439 additions and 46 deletions
--- a/app/api/account/route.ts
+++ b/app/api/account/route.ts
@ -6,6 +6,7 @@ import { requireBearer } from "@/app/api/_lib/auth";

 const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
 const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
+const secure = process.env.NODE_ENV === "production";

 /** GET: current user's profile */
 export async function GET(req: Request) {
@ -36,17 +37,32 @@ return NextResponse.json({ ok: true, user: j?.data ?? j });
 export async function PATCH(req: Request) {
    try {
        const bearer = requireBearer(req);
-        const body = await req.json().catch(() => ({}));
+        const body = await req.json().catch(() => ({} as Record<string, unknown>));
+
+        // Enforce recent re-auth for sensitive fields (email/username)
+        const SENSITIVE = new Set(["email", "username"]);
+        const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
+        if (wantsSensitive) {
+            const cookie = req.headers.get("cookie") || "";
+            const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
+            if (!hasRecentAuth) {
+                return NextResponse.json(
+                    { error: "Re-authentication required" },
+                    { status: 428 } // Precondition Required
+                );
+            }
+        }

        const payload: Record<string, any> = {};
        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
        if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
        if ("email" in body) {
-            const e = String(body.email ?? "").trim();
+            const e = String((body as any).email ?? "").trim();
            payload.email = e ? e : null; // optional; blank clears
        }
        if (typeof body.location === "string") payload.location = body.location.trim();
        if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id
+        // (username is read-only in UI; if you decide to allow it later, payload.username = ...)

        if (!Object.keys(payload).length) return bad("No changes");

@ -62,6 +78,21 @@ export async function PATCH(req: Request) {
            return NextResponse.json({ error: msg }, { status: res.status });
        }

+        // Success: if we just did a sensitive change, clear recent-auth cookie (single-use)
+        if (wantsSensitive) {
+            const resp = NextResponse.json({ ok: true });
+            resp.cookies.set({
+                name: "ma_ra",
+                value: "",
+                httpOnly: false,
+                sameSite: "lax",
+                secure,
+                path: "/",
+                maxAge: 0,
+            });
+            return resp;
+        }
+
        return NextResponse.json({ ok: true });
    } catch (e: any) {
        const status = e?.status === 401 ? 401 : e?.status || 500;
--- a/app/api/auth/reconfirm/route.ts
+++ b/app/api/auth/reconfirm/route.ts
@ -9,14 +9,14 @@ export async function POST(req: NextRequest) {
    try {
        const body = await req.json().catch(() => ({} as any));
        const identifier = String(body?.identifier ?? "").trim();
-        const password   = String(body?.password ?? "").trim();
+        const password = String(body?.password ?? "").trim();

        if (!identifier || !password) {
            return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
        }

-        // Resolve identifier -> email (username allowed)
-        let email = identifier.includes("@") ? identifier : await emailForUsername(identifier);
+        // Resolve identifier -> email (username or email accepted)
+        const email = identifier.includes("@") ? identifier : await emailForUsername(identifier);
        if (!email) return NextResponse.json({ error: "User not found" }, { status: 404 });

        const auth = await loginDirectus(email, password);
@ -30,7 +30,8 @@ export async function POST(req: NextRequest) {
        const res = NextResponse.json({ ok: true });

        // Refresh the access token cookie
-        const maxAge = typeof expiresSec === "number" ? Math.max(0, Math.floor(expiresSec)) : 60 * 60 * 8;
+        const maxAge =
+        typeof expiresSec === "number" ? Math.max(0, Math.floor(expiresSec)) : 60 * 60 * 8;
        res.cookies.set({
            name: "ma_at",
            value: access,
@ -41,7 +42,7 @@ export async function POST(req: NextRequest) {
            maxAge,
        });

-        // Short-lived client-visible flag: “recently authenticated”
+        // Short-lived client-visible flag: “recently authenticated” (5 minutes)
        res.cookies.set({
            name: "ma_ra",
            value: "1",
@ -49,7 +50,7 @@ export async function POST(req: NextRequest) {
            sameSite: "lax",
            secure,
            path: "/",
-            maxAge: 5 * 60, // 5 minutes
+            maxAge: 5 * 60,
        });

        return res;