account auth cleanup

2025-09-30 17:04:37 -04:00 · 2025-09-30 17:04:37 -04:00 · 94de501a49
commit 94de501a49
parent 6162722c87
5 changed files with 41 additions and 22 deletions
--- a/app/api/account/avatar/route.ts
+++ b/app/api/account/avatar/route.ts
@ -30,7 +30,7 @@ export async function POST(req: Request) {

        const r1 = await fetch(`${API}/files`, {
            method: "POST",
-            headers: { Authorization: bearer },
+            headers: { Authorization: `Bearer ${bearer}` },
            body: up,
        });
        const j1 = await r1.json().catch(() => ({}));
@ -43,7 +43,7 @@ export async function POST(req: Request) {
        // Link file to the current user
        const r2 = await fetch(`${API}/users/me`, {
            method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
            body: JSON.stringify({ avatar: fileId }),
        });
        const j2 = await r2.json().catch(() => ({}));
--- a/app/api/account/password/route.ts
+++ b/app/api/account/password/route.ts
@ -11,10 +11,8 @@ async function handle(req: Request) {
    const bearer = requireBearer(req);

    const body = await req.json().catch(() => ({}));
-    const current =
-    String(body?.current ?? body?.current_password ?? "").trim();
-    const next =
-    String(body?.next ?? body?.new_password ?? "").trim();
+    const current = String(body?.current ?? body?.current_password ?? "").trim();
+    const next = String(body?.next ?? body?.new_password ?? "").trim();

    if (!current || !next) return bad("Missing current and/or new password");
    if (next.length < 8) return bad("Password must be at least 8 characters");
@ -22,7 +20,7 @@ async function handle(req: Request) {
    const res = await fetch(`${API}/users/me`, {
        method: "PATCH",
        headers: {
-            Authorization: bearer,
+            Authorization: `Bearer ${bearer}`,
            "Content-Type": "application/json",
        },
        body: JSON.stringify({ password: next, old_password: current }),
--- a/app/api/account/profile/route.ts
+++ b/app/api/account/profile/route.ts
@ -5,7 +5,7 @@ import { NextResponse } from "next/server";
 import { requireBearer } from "@/app/api/_lib/auth";

 const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
-const bad = (m: string, c=400) => NextResponse.json({ error: m }, { status: c });
+const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });

 export async function GET() {
    // show username (read-only) + editable fields
@ -21,21 +21,38 @@ export async function GET() {
 export async function PATCH(req: Request) {
    try {
        const bearer = requireBearer(req);
-        const body = await req.json().catch(() => ({}));
+        const body = await req.json().catch(() => ({} as Record<string, unknown>));
+
+        // Enforce recent re-auth for sensitive fields
+        const SENSITIVE = new Set(["email", "username"]);
+        const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
+        if (wantsSensitive) {
+            const cookie = req.headers.get("cookie") || "";
+            const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
+            if (!hasRecentAuth) {
+                return NextResponse.json(
+                    { error: "Re-authentication required" },
+                    { status: 428 } // Precondition Required
+                );
+            }
+        }

        const payload: any = {};
-        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
-        if (typeof body.last_name === "string")  payload.last_name  = body.last_name.trim();
-        if (typeof body.location === "string")   payload.location   = body.location.trim();
+        if (typeof (body as any).first_name === "string")
+            payload.first_name = (body as any).first_name.trim();
+        if (typeof (body as any).last_name === "string")
+            payload.last_name = (body as any).last_name.trim();
+        if (typeof (body as any).location === "string")
+            payload.location = (body as any).location.trim();
        if ("email" in body) {
-            const e = String(body.email ?? "").trim();
+            const e = String((body as any).email ?? "").trim();
            payload.email = e ? e : null; // ← optional! blank clears it
        }
        // (password handled by /api/account/password)

        const r = await fetch(`${API}/users/me`, {
            method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
            body: JSON.stringify(payload),
        });
        const j = await r.json().catch(() => ({}));
--- a/app/api/account/route.ts
+++ b/app/api/account/route.ts
@ -16,7 +16,7 @@ export async function GET(req: Request) {

 const res = await fetch(
    `${API}/users/me?fields=${encodeURIComponent(fields)}`,
-                        { headers: { Authorization: bearer }, cache: "no-store" }
+                        { headers: { Authorization: `Bearer ${bearer}` }, cache: "no-store" }
 );
 const j = await res.json().catch(() => ({}));

@ -40,19 +40,19 @@ export async function PATCH(req: Request) {

        const payload: Record<string, any> = {};
        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
-        if (typeof body.last_name === "string")  payload.last_name  = body.last_name.trim();
+        if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
        if ("email" in body) {
            const e = String(body.email ?? "").trim();
            payload.email = e ? e : null; // optional; blank clears
        }
-        if (typeof body.location === "string")   payload.location   = body.location.trim();
-        if (typeof body.avatar === "string")     payload.avatar     = body.avatar; // file id
+        if (typeof body.location === "string") payload.location = body.location.trim();
+        if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id

        if (!Object.keys(payload).length) return bad("No changes");

        const res = await fetch(`${API}/users/me`, {
            method: "PATCH",
-            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
            body: JSON.stringify(payload),
        });
        const j = await res.json().catch(() => ({}));
--- a/app/auth/sign-in/page.tsx
+++ b/app/auth/sign-in/page.tsx
@ -6,10 +6,8 @@ import SignIn from "./sign-in";
 export default async function SignInPage(
    props: { searchParams: Promise<Record<string, string | string[] | undefined>> }
 ) {
-    const at = (await cookies()).get("ma_at")?.value;
-    if (at) redirect("/portal");
-
    const sp = await props.searchParams;
+
    const nextParam = Array.isArray(sp.next) ? sp.next[0] : sp.next;
    const nextPath = nextParam && nextParam.startsWith("/") ? nextParam : "/portal";

@ -17,5 +15,11 @@ export default async function SignInPage(
    const forceParam  = Array.isArray(sp.force)  ? sp.force[0]  : sp.force;
    const reauth = reauthParam === "1" || forceParam === "1";

+    // If reauth is requested, always render the form (no redirect).
+    if (!reauth) {
+        const at = (await cookies()).get("ma_at")?.value;
+        if (at) redirect("/portal");
+    }
+
    return <SignIn nextPath={nextPath} reauth={reauth} />;
 }