account management upgrades

2025-09-30 19:35:27 -04:00 · 2025-09-30 19:35:27 -04:00 · 86fdd403b0
commit 86fdd403b0
parent 94de501a49
8 changed files with 439 additions and 46 deletions
--- a/app/api/account/route.ts
+++ b/app/api/account/route.ts
@ -6,6 +6,7 @@ import { requireBearer } from "@/app/api/_lib/auth";

 const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
 const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
+const secure = process.env.NODE_ENV === "production";

 /** GET: current user's profile */
 export async function GET(req: Request) {
@ -36,17 +37,32 @@ return NextResponse.json({ ok: true, user: j?.data ?? j });
 export async function PATCH(req: Request) {
    try {
        const bearer = requireBearer(req);
-        const body = await req.json().catch(() => ({}));
+        const body = await req.json().catch(() => ({} as Record<string, unknown>));
+
+        // Enforce recent re-auth for sensitive fields (email/username)
+        const SENSITIVE = new Set(["email", "username"]);
+        const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
+        if (wantsSensitive) {
+            const cookie = req.headers.get("cookie") || "";
+            const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
+            if (!hasRecentAuth) {
+                return NextResponse.json(
+                    { error: "Re-authentication required" },
+                    { status: 428 } // Precondition Required
+                );
+            }
+        }

        const payload: Record<string, any> = {};
        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
        if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
        if ("email" in body) {
-            const e = String(body.email ?? "").trim();
+            const e = String((body as any).email ?? "").trim();
            payload.email = e ? e : null; // optional; blank clears
        }
        if (typeof body.location === "string") payload.location = body.location.trim();
        if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id
+        // (username is read-only in UI; if you decide to allow it later, payload.username = ...)

        if (!Object.keys(payload).length) return bad("No changes");

@ -62,6 +78,21 @@ export async function PATCH(req: Request) {
            return NextResponse.json({ error: msg }, { status: res.status });
        }

+        // Success: if we just did a sensitive change, clear recent-auth cookie (single-use)
+        if (wantsSensitive) {
+            const resp = NextResponse.json({ ok: true });
+            resp.cookies.set({
+                name: "ma_ra",
+                value: "",
+                httpOnly: false,
+                sameSite: "lax",
+                secure,
+                path: "/",
+                maxAge: 0,
+            });
+            return resp;
+        }
+
        return NextResponse.json({ ok: true });
    } catch (e: any) {
        const status = e?.status === 401 ? 401 : e?.status || 500;