makearmy/makearmy-app
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions

account auth cleanup

Browse source
This commit is contained in:
makearmy 2025-09-30 17:04:37 -04:00
parent 6162722c87
commit 94de501a49
5 changed files with 41 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

31
app/api/account/profile/route.ts
View file

@ -5,7 +5,7 @@ import { NextResponse } from "next/server";
import { requireBearer } from "@/app/api/_lib/auth";
const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
const bad = (m: string, c=400) => NextResponse.json({ error: m }, { status: c });
const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
export async function GET() {
// show username (read-only) + editable fields
@ -21,21 +21,38 @@ export async function GET() {
export async function PATCH(req: Request) {
try {
const bearer = requireBearer(req);
const body = await req.json().catch(() => ({}));
const body = await req.json().catch(() => ({} as Record<string, unknown>));
// Enforce recent re-auth for sensitive fields
const SENSITIVE = new Set(["email", "username"]);
const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
if (wantsSensitive) {
const cookie = req.headers.get("cookie") || "";
const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
if (!hasRecentAuth) {
return NextResponse.json(
{ error: "Re-authentication required" },
{ status: 428 } // Precondition Required
);
}
}
const payload: any = {};
if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
if (typeof body.location === "string") payload.location = body.location.trim();
if (typeof (body as any).first_name === "string")
payload.first_name = (body as any).first_name.trim();
if (typeof (body as any).last_name === "string")
payload.last_name = (body as any).last_name.trim();
if (typeof (body as any).location === "string")
payload.location = (body as any).location.trim();
if ("email" in body) {
const e = String(body.email ?? "").trim();
const e = String((body as any).email ?? "").trim();
payload.email = e ? e : null; // ← optional! blank clears it
}
// (password handled by /api/account/password)
const r = await fetch(`${API}/users/me`, {
method: "PATCH",
headers: { Authorization: bearer, "Content-Type": "application/json" },
headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
body: JSON.stringify(payload),
});
const j = await r.json().catch(() => ({}));