add reauth for account changes

2025-09-30 10:03:32 -04:00 · 2025-09-30 10:03:32 -04:00 · b9c5c22f86
commit b9c5c22f86
parent 3e4c6241f6
2 changed files with 128 additions and 0 deletions
--- a/app/api/auth/reconfirm/route.ts
+++ b/app/api/auth/reconfirm/route.ts
@ -0,0 +1,65 @@
+// app/api/auth/reconfirm/route.ts
+import { NextRequest, NextResponse } from "next/server";
+import { emailForUsername, loginDirectus } from "@/lib/directus";
+
+export const runtime = "nodejs";
+const secure = process.env.NODE_ENV === "production";
+
+export async function POST(req: NextRequest) {
+    try {
+        const body = await req.json().catch(() => ({} as any));
+        const identifier = String(body?.identifier ?? "").trim();
+        const password   = String(body?.password ?? "").trim();
+
+        if (!identifier || !password) {
+            return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
+        }
+
+        // Resolve identifier -> email (username allowed)
+        let email = identifier.includes("@") ? identifier : await emailForUsername(identifier);
+        if (!email) return NextResponse.json({ error: "User not found" }, { status: 404 });
+
+        const auth = await loginDirectus(email, password);
+        const access = auth?.access_token ?? auth?.data?.access_token;
+        const expiresSec = auth?.expires ?? auth?.data?.expires;
+
+        if (!access) {
+            return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+        }
+
+        const res = NextResponse.json({ ok: true });
+
+        // Refresh the access token cookie
+        const maxAge = typeof expiresSec === "number" ? Math.max(0, Math.floor(expiresSec)) : 60 * 60 * 8;
+        res.cookies.set({
+            name: "ma_at",
+            value: access,
+            httpOnly: true,
+            sameSite: "lax",
+            secure,
+            path: "/",
+            maxAge,
+        });
+
+        // Short-lived client-visible flag: “recently authenticated”
+        res.cookies.set({
+            name: "ma_ra",
+            value: "1",
+            httpOnly: false,
+            sameSite: "lax",
+            secure,
+            path: "/",
+            maxAge: 5 * 60, // 5 minutes
+        });
+
+        return res;
+    } catch (err: any) {
+        const msg =
+        err?.response?.data?.errors?.[0]?.message ||
+        err?.response?.data?.error ||
+        err?.message ||
+        "Re-auth failed";
+            const status = /invalid|credential/i.test(msg) ? 401 : 400;
+            return NextResponse.json({ error: msg }, { status });
+    }
+}