registration reprint

makearmy 2025-10-03 07:21:49 -04:00
parent fba693f761
commit d610379337


@ -2,14 +2,17 @@
import { NextResponse } from "next/server";
const DIRECTUS = (process.env.DIRECTUS_URL || process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
const SERVICE_TOKEN =
process.env.DIRECTUS_TOKEN_ADMIN_REGISTER || "";
// Registration MUST use only the dedicated admin-register token. No fallbacks.
const SERVICE_TOKEN = process.env.DIRECTUS_TOKEN_ADMIN_REGISTER || "";
const DEFAULT_ROLE = process.env.DIRECTUS_DEFAULT_ROLE || undefined;
const SECURE = process.env.NODE_ENV === "production";
function bad(message: string, status = 400) {
return NextResponse.json({ error: message }, { status });
}
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
async function directusLogin(email: string, password: string) {
@ -27,7 +30,7 @@ async function directusLogin(email: string, password: string) {
export async function POST(req: Request) {
try {
if (!DIRECTUS) return bad("Missing DIRECTUS_URL/NEXT_PUBLIC_API_BASE_URL", 500);
if (!SERVICE_TOKEN) return bad("Missing DIRECTUS_SERVICE_TOKEN / admin token", 500);
if (!SERVICE_TOKEN) return bad("Missing DIRECTUS_TOKEN_ADMIN_REGISTER", 500);
const body = await req.json().catch(() => ({} as any));
const email = String(body?.email ?? "").trim().toLowerCase();
@ -58,12 +61,12 @@ export async function POST(req: Request) {
return bad("Email or username already in use", 409);
}
// Create user with sane defaults
// Create user with sane defaults (no provider — Directus defaults to "default")
const createPayload: any = {
email,
username,
password,
status: "active",,
status: "active",
};
if (DEFAULT_ROLE) createPayload.role = DEFAULT_ROLE;
@ -74,7 +77,7 @@ export async function POST(req: Request) {
"Content-Type": "application/json",
Accept: "application/json",
},
body: JSON.stringify(createPayload),
body: JSON.stringify({ data: createPayload }),
cache: "no-store",
});
@ -84,7 +87,7 @@ export async function POST(req: Request) {
return bad(msg, createRes.status || 500);
}
// Auto-login (email-based; directus expects "email" even though it's an identifier)
// Auto-login (Directus expects "email" even though it's the identifier)
const tokens = await directusLogin(email, password);
const res = NextResponse.json({ ok: true, id: cj?.data?.id || null }, { status: 201 });
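Review bot: The new request body `body: JSON.stringify({ data: createPayload })` wraps the user object in a `data` envelope, but Directus uses that envelope for responses; as far as I know its item-creation endpoints take the fields at the top level, so this call made with the admin-register token would likely be rejected or would not carry the intended email, password and role. Unless something in front of this Directus instance unwraps the envelope, keep `body: JSON.stringify(createPayload)` and confirm with a test registration. Separately, `return bad(msg, createRes.status || 500)` appears to relay the upstream status and message from an admin-token call to an unauthenticated caller. How `msg` is built is outside the hunk, but returning a fixed client-facing message and logging the upstream detail server-side would avoid exposing schema or permission details. The POST handler starts and ends outside these hunks.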