account auth fix for account management

2025-09-30 01:05:03 -04:00 · 2025-09-30 01:05:03 -04:00 · b835529b77
commit b835529b77
parent 787de00274
3 changed files with 81 additions and 44 deletions
--- a/app/api/account/password/route.ts
+++ b/app/api/account/password/route.ts
@ -1,4 +1,6 @@
 // app/api/account/password/route.ts
+export const runtime = "nodejs";
+
 import { NextResponse } from "next/server";
 import { requireBearer } from "@/app/api/_lib/auth";

@ -8,34 +10,31 @@ function bad(msg: string, code = 400) {
    return NextResponse.json({ error: msg }, { status: code });
 }

-/**
- * This uses the simplest approach: PATCH /users/me { password: NEW }.
- * It requires your role to have Update permission on `directus_users` with
- * filter id = $CURRENT_USER and field permission for `password`.
- * If your Directus is configured to use a dedicated password endpoint instead,
- * swap the implementation accordingly.
- */
 export async function POST(req: Request) {
    try {
        const bearer = requireBearer(req);
-        const { current_password, new_password } = await req.json().catch(() => ({}));
-        if (!new_password) return bad("Missing new_password");
+        const body = await req.json().catch(() => ({}));

-        // Optional: you can verify current_password server-side by attempting a login
-        // to your auth endpoint; omitted here to keep it simple.
+        // accept various shapes: {next}, {new_password}, {password}
+        const nextPwd =
+        String(body?.next ?? body?.new_password ?? body?.password ?? "").trim();

-        const r = await fetch(`${API}/users/me`, {
+        if (nextPwd.length < 8) return bad("Password must be at least 8 characters");
+
+        const res = await fetch(`${API}/users/me`, {
            method: "PATCH",
            headers: { Authorization: bearer, "Content-Type": "application/json" },
-            body: JSON.stringify({ password: new_password }),
+            body: JSON.stringify({ password: nextPwd }),
        });
-        const j = await r.json().catch(() => ({}));
-        if (!r.ok) {
-            const msg = j?.errors?.[0]?.message || "Password update failed";
-            return bad(msg, r.status);
+
+        const j = await res.json().catch(() => ({}));
+        if (!res.ok) {
+            return bad(j?.errors?.[0]?.message || "Password update failed", res.status);
        }
-        return NextResponse.json({ ok: true });
+
+        // tell the client to re-auth so their token reflects the password change
+        return NextResponse.json({ ok: true, requireReauth: true });
    } catch (e: any) {
-        return bad(e?.message || "Failed to change password", e?.status || 500);
+        return bad(e?.message || "Unexpected error", e?.status || 500);
    }
 }
--- a/app/api/account/profile/route.ts
+++ b/app/api/account/profile/route.ts
@ -0,0 +1,48 @@
+// app/api/account/profile/route.ts
+export const runtime = "nodejs";
+
+import { NextResponse } from "next/server";
+import { requireBearer } from "@/app/api/_lib/auth";
+
+const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
+const bad = (m: string, c=400) => NextResponse.json({ error: m }, { status: c });
+
+export async function GET() {
+    // show username (read-only) + editable fields
+    // allow missing email
+    try {
+        // caller is already gated by middleware; no token needed for GET here
+        return NextResponse.json({ ok: true });
+    } catch (e: any) {
+        return bad(e?.message || "Failed to load profile", e?.status || 500);
+    }
+}
+
+export async function PATCH(req: Request) {
+    try {
+        const bearer = requireBearer(req);
+        const body = await req.json().catch(() => ({}));
+
+        const payload: any = {};
+        if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
+        if (typeof body.last_name === "string")  payload.last_name  = body.last_name.trim();
+        if (typeof body.location === "string")   payload.location   = body.location.trim();
+        if ("email" in body) {
+            const e = String(body.email ?? "").trim();
+            payload.email = e ? e : null; // ← optional! blank clears it
+        }
+        // (password handled by /api/account/password)
+
+        const r = await fetch(`${API}/users/me`, {
+            method: "PATCH",
+            headers: { Authorization: bearer, "Content-Type": "application/json" },
+            body: JSON.stringify(payload),
+        });
+        const j = await r.json().catch(() => ({}));
+        if (!r.ok) return bad(j?.errors?.[0]?.message || "Update failed", r.status);
+
+        return NextResponse.json({ ok: true });
+    } catch (e: any) {
+        return bad(e?.message || "Unexpected error", e?.status || 500);
+    }
+}