makearmy/makearmy-app
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions

account auth cleanup

Browse source
This commit is contained in:
makearmy 2025-09-30 17:04:37 -04:00
parent 6162722c87
commit 94de501a49
5 changed files with 41 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

4
app/api/account/avatar/route.ts
View file

@ -30,7 +30,7 @@ export async function POST(req: Request) {
const r1 = await fetch(`${API}/files`, { const r1 = await fetch(`${API}/files`, {
method: "POST", method: "POST",
headers: { Authorization: bearer }, headers: { Authorization: `Bearer ${bearer}` },
body: up, body: up,
}); });
const j1 = await r1.json().catch(() => ({})); const j1 = await r1.json().catch(() => ({}));
@ -43,7 +43,7 @@ export async function POST(req: Request) {
// Link file to the current user // Link file to the current user
const r2 = await fetch(`${API}/users/me`, { const r2 = await fetch(`${API}/users/me`, {
method: "PATCH", method: "PATCH",
headers: { Authorization: bearer, "Content-Type": "application/json" }, headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
body: JSON.stringify({ avatar: fileId }), body: JSON.stringify({ avatar: fileId }),
}); });
const j2 = await r2.json().catch(() => ({})); const j2 = await r2.json().catch(() => ({}));

8
app/api/account/password/route.ts
View file

@ -11,10 +11,8 @@ async function handle(req: Request) {
const bearer = requireBearer(req); const bearer = requireBearer(req);
const body = await req.json().catch(() => ({})); const body = await req.json().catch(() => ({}));
const current = const current = String(body?.current ?? body?.current_password ?? "").trim();
String(body?.current ?? body?.current_password ?? "").trim(); const next = String(body?.next ?? body?.new_password ?? "").trim();
const next =
String(body?.next ?? body?.new_password ?? "").trim();
if (!current || !next) return bad("Missing current and/or new password"); if (!current || !next) return bad("Missing current and/or new password");
if (next.length < 8) return bad("Password must be at least 8 characters"); if (next.length < 8) return bad("Password must be at least 8 characters");
@ -22,7 +20,7 @@ async function handle(req: Request) {
const res = await fetch(`${API}/users/me`, { const res = await fetch(`${API}/users/me`, {
method: "PATCH", method: "PATCH",
headers: { headers: {
Authorization: bearer, Authorization: `Bearer ${bearer}`,
"Content-Type": "application/json", "Content-Type": "application/json",
}, },
body: JSON.stringify({ password: next, old_password: current }), body: JSON.stringify({ password: next, old_password: current }),

31
app/api/account/profile/route.ts
View file

@ -5,7 +5,7 @@ import { NextResponse } from "next/server";
import { requireBearer } from "@/app/api/_lib/auth"; import { requireBearer } from "@/app/api/_lib/auth";
const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, ""); const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
const bad = (m: string, c=400) => NextResponse.json({ error: m }, { status: c }); const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
export async function GET() { export async function GET() {
// show username (read-only) + editable fields // show username (read-only) + editable fields
@ -21,21 +21,38 @@ export async function GET() {
export async function PATCH(req: Request) { export async function PATCH(req: Request) {
try { try {
const bearer = requireBearer(req); const bearer = requireBearer(req);
const body = await req.json().catch(() => ({})); const body = await req.json().catch(() => ({} as Record<string, unknown>));
// Enforce recent re-auth for sensitive fields
const SENSITIVE = new Set(["email", "username"]);
const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
if (wantsSensitive) {
const cookie = req.headers.get("cookie") || "";
const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
if (!hasRecentAuth) {
return NextResponse.json(
{ error: "Re-authentication required" },
{ status: 428 } // Precondition Required
);
}
}
const payload: any = {}; const payload: any = {};
if (typeof body.first_name === "string") payload.first_name = body.first_name.trim(); if (typeof (body as any).first_name === "string")
if (typeof body.last_name === "string") payload.last_name = body.last_name.trim(); payload.first_name = (body as any).first_name.trim();
if (typeof body.location === "string") payload.location = body.location.trim(); if (typeof (body as any).last_name === "string")
payload.last_name = (body as any).last_name.trim();
if (typeof (body as any).location === "string")
payload.location = (body as any).location.trim();
if ("email" in body) { if ("email" in body) {
const e = String(body.email ?? "").trim(); const e = String((body as any).email ?? "").trim();
payload.email = e ? e : null; // ← optional! blank clears it payload.email = e ? e : null; // ← optional! blank clears it
} }
// (password handled by /api/account/password) // (password handled by /api/account/password)
const r = await fetch(`${API}/users/me`, { const r = await fetch(`${API}/users/me`, {
method: "PATCH", method: "PATCH",
headers: { Authorization: bearer, "Content-Type": "application/json" }, headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
body: JSON.stringify(payload), body: JSON.stringify(payload),
}); });
const j = await r.json().catch(() => ({})); const j = await r.json().catch(() => ({}));

10
app/api/account/route.ts
View file

@ -16,7 +16,7 @@ export async function GET(req: Request) {
const res = await fetch( const res = await fetch(
`${API}/users/me?fields=${encodeURIComponent(fields)}`, `${API}/users/me?fields=${encodeURIComponent(fields)}`,
{ headers: { Authorization: bearer }, cache: "no-store" } { headers: { Authorization: `Bearer ${bearer}` }, cache: "no-store" }
); );
const j = await res.json().catch(() => ({})); const j = await res.json().catch(() => ({}));
@ -40,19 +40,19 @@ export async function PATCH(req: Request) {
const payload: Record<string, any> = {}; const payload: Record<string, any> = {};
if (typeof body.first_name === "string") payload.first_name = body.first_name.trim(); if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
if (typeof body.last_name === "string") payload.last_name = body.last_name.trim(); if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
if ("email" in body) { if ("email" in body) {
const e = String(body.email ?? "").trim(); const e = String(body.email ?? "").trim();
payload.email = e ? e : null; // optional; blank clears payload.email = e ? e : null; // optional; blank clears
} }
if (typeof body.location === "string") payload.location = body.location.trim(); if (typeof body.location === "string") payload.location = body.location.trim();
if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id
if (!Object.keys(payload).length) return bad("No changes"); if (!Object.keys(payload).length) return bad("No changes");
const res = await fetch(`${API}/users/me`, { const res = await fetch(`${API}/users/me`, {
method: "PATCH", method: "PATCH",
headers: { Authorization: bearer, "Content-Type": "application/json" }, headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
body: JSON.stringify(payload), body: JSON.stringify(payload),
}); });
const j = await res.json().catch(() => ({})); const j = await res.json().catch(() => ({}));

10
app/auth/sign-in/page.tsx
View file

@ -6,10 +6,8 @@ import SignIn from "./sign-in";
export default async function SignInPage( export default async function SignInPage(
props: { searchParams: Promise<Record<string, string | string[] | undefined>> } props: { searchParams: Promise<Record<string, string | string[] | undefined>> }
) { ) {
const at = (await cookies()).get("ma_at")?.value;
if (at) redirect("/portal");
const sp = await props.searchParams; const sp = await props.searchParams;
const nextParam = Array.isArray(sp.next) ? sp.next[0] : sp.next; const nextParam = Array.isArray(sp.next) ? sp.next[0] : sp.next;
const nextPath = nextParam && nextParam.startsWith("/") ? nextParam : "/portal"; const nextPath = nextParam && nextParam.startsWith("/") ? nextParam : "/portal";
@ -17,5 +15,11 @@ export default async function SignInPage(
const forceParam = Array.isArray(sp.force) ? sp.force[0] : sp.force; const forceParam = Array.isArray(sp.force) ? sp.force[0] : sp.force;
const reauth = reauthParam === "1" || forceParam === "1"; const reauth = reauthParam === "1" || forceParam === "1";
// If reauth is requested, always render the form (no redirect).
if (!reauth) {
const at = (await cookies()).get("ma_at")?.value;
if (at) redirect("/portal");
}
return <SignIn nextPath={nextPath} reauth={reauth} />; return <SignIn nextPath={nextPath} reauth={reauth} />;
} }