101 lines
3.9 KiB
TypeScript
101 lines
3.9 KiB
TypeScript
// app/api/account/route.ts
|
|
export const runtime = "nodejs";
|
|
|
|
import { NextResponse } from "next/server";
|
|
import { requireBearer } from "@/app/api/_lib/auth";
|
|
|
|
const API = (process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
|
|
const bad = (m: string, c = 400) => NextResponse.json({ error: m }, { status: c });
|
|
const secure = process.env.NODE_ENV === "production";
|
|
|
|
/** GET: current user's profile */
|
|
export async function GET(req: Request) {
|
|
try {
|
|
const bearer = requireBearer(req); // ← pass req
|
|
const fields =
|
|
"id,username,first_name,last_name,email,location,avatar.id,avatar.filename_download";
|
|
|
|
const res = await fetch(
|
|
`${API}/users/me?fields=${encodeURIComponent(fields)}`,
|
|
{ headers: { Authorization: `Bearer ${bearer}` }, cache: "no-store" }
|
|
);
|
|
const j = await res.json().catch(() => ({}));
|
|
|
|
if (!res.ok) {
|
|
const msg = j?.errors?.[0]?.message || "Failed to load profile";
|
|
return NextResponse.json({ error: msg }, { status: res.status });
|
|
}
|
|
|
|
return NextResponse.json({ ok: true, user: j?.data ?? j });
|
|
} catch (e: any) {
|
|
const status = e?.status === 401 ? 401 : e?.status || 500;
|
|
return bad(e?.message || "Unexpected error", status);
|
|
}
|
|
}
|
|
|
|
/** PATCH: update editable fields for current user */
|
|
export async function PATCH(req: Request) {
|
|
try {
|
|
const bearer = requireBearer(req);
|
|
const body = await req.json().catch(() => ({} as Record<string, unknown>));
|
|
|
|
// Enforce recent re-auth for sensitive fields (email/username)
|
|
const SENSITIVE = new Set(["email", "username"]);
|
|
const wantsSensitive = Object.keys(body).some((k) => SENSITIVE.has(k));
|
|
if (wantsSensitive) {
|
|
const cookie = req.headers.get("cookie") || "";
|
|
const hasRecentAuth = /(?:^|;\s*)ma_ra=1(?:;|$)/.test(cookie);
|
|
if (!hasRecentAuth) {
|
|
return NextResponse.json(
|
|
{ error: "Re-authentication required" },
|
|
{ status: 428 } // Precondition Required
|
|
);
|
|
}
|
|
}
|
|
|
|
const payload: Record<string, any> = {};
|
|
if (typeof body.first_name === "string") payload.first_name = body.first_name.trim();
|
|
if (typeof body.last_name === "string") payload.last_name = body.last_name.trim();
|
|
if ("email" in body) {
|
|
const e = String((body as any).email ?? "").trim();
|
|
payload.email = e ? e : null; // optional; blank clears
|
|
}
|
|
if (typeof body.location === "string") payload.location = body.location.trim();
|
|
if (typeof body.avatar === "string") payload.avatar = body.avatar; // file id
|
|
// (username is read-only in UI; if you decide to allow it later, payload.username = ...)
|
|
|
|
if (!Object.keys(payload).length) return bad("No changes");
|
|
|
|
const res = await fetch(`${API}/users/me`, {
|
|
method: "PATCH",
|
|
headers: { Authorization: `Bearer ${bearer}`, "Content-Type": "application/json" },
|
|
body: JSON.stringify(payload),
|
|
});
|
|
const j = await res.json().catch(() => ({}));
|
|
|
|
if (!res.ok) {
|
|
const msg = j?.errors?.[0]?.message || "Update failed";
|
|
return NextResponse.json({ error: msg }, { status: res.status });
|
|
}
|
|
|
|
// Success: if we just did a sensitive change, clear recent-auth cookie (single-use)
|
|
if (wantsSensitive) {
|
|
const resp = NextResponse.json({ ok: true });
|
|
resp.cookies.set({
|
|
name: "ma_ra",
|
|
value: "",
|
|
httpOnly: false,
|
|
sameSite: "lax",
|
|
secure,
|
|
path: "/",
|
|
maxAge: 0,
|
|
});
|
|
return resp;
|
|
}
|
|
|
|
return NextResponse.json({ ok: true });
|
|
} catch (e: any) {
|
|
const status = e?.status === 401 ? 401 : e?.status || 500;
|
|
return bad(e?.message || "Unexpected error", status);
|
|
}
|
|
}
|