@knotpad/app 0.1.0 → 0.1.2

package/app/api/auth/2fa/route.tsx

@@ -1,148 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { randomBytes, createHmac } from "crypto";
-
-// TOTP implementation using Node.js crypto
-function generateSecret(): string {
-  return randomBytes(20).toString("base64url").slice(0, 32);
-}
-
-function generateTOTP(secret: string, window = 0): string {
-  const counter = Math.floor(Date.now() / 1000 / 30) + window;
-  const counterBuffer = Buffer.alloc(8);
-  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
-
-  const secretBuffer = Buffer.from(secret, "base64url");
-  const hmac = createHmac("sha1", secretBuffer);
-  hmac.update(counterBuffer);
-  const hash = hmac.digest();
-
-  const offset = hash[hash.length - 1] & 0x0f;
-  const code =
-    ((hash[offset] & 0x7f) << 24) |
-    ((hash[offset + 1] & 0xff) << 16) |
-    ((hash[offset + 2] & 0xff) << 8) |
-    (hash[offset + 3] & 0xff);
-
-  return (code % 1000000).toString().padStart(6, "0");
-}
-
-function verifyTOTP(secret: string, token: string): boolean {
-  // Check current and adjacent time windows (±1 window = ±30 seconds)
-  for (let window = -1; window <= 1; window++) {
-    if (generateTOTP(secret, window) === token) {
-      return true;
-    }
-  }
-  return false;
-}
-
-function generateQRCodeURL(secret: string, email: string, appName: string): string {
-  const encodedSecret = secret.replace(/=/g, "");
-  const encodedApp = encodeURIComponent(appName);
-  const encodedEmail = encodeURIComponent(email);
-  return `otpauth://totp/${encodedApp}:${encodedEmail}?secret=${encodedSecret}&issuer=${encodedApp}`;
-}
-
-// GET: Check if 2FA is enabled for current user
-export async function GET() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const user = await prisma.user.findUnique({
-    where: { id: session.user.id },
-    select: { twoFactorEnabled: true },
-  });
-
-  return NextResponse.json({ enabled: user?.twoFactorEnabled ?? false });
-}
-
-// POST: Enable 2FA - generate secret and return QR code
-export async function POST(req: NextRequest) {
-  const session = await auth();
-  if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { action } = await req.json();
-
-  if (action === "setup") {
-    // Generate new secret
-    const secret = generateSecret();
-    const qrCodeURL = generateQRCodeURL(secret, session.user.email, "Knotpad");
-
-    // Store secret temporarily (not enabled until verified)
-    await prisma.user.update({
-      where: { id: session.user.id },
-      data: { twoFactorSecret: secret, twoFactorEnabled: false, twoFactorVerified: false },
-    });
-
-    return NextResponse.json({
-      secret,
-      qrCodeURL,
-      manualEntryKey: secret.replace(/=/g, "").slice(0, 32).toUpperCase().replace(/(.{4})/g, "$1 ").trim(),
-    });
-  }
-
-  if (action === "verify") {
-    const { code } = await req.json();
-    if (!code || !/^\d{6}$/.test(code)) {
-      return NextResponse.json({ error: "Invalid code format" }, { status: 400 });
-    }
-
-    const user = await prisma.user.findUnique({
-      where: { id: session.user.id },
-      select: { twoFactorSecret: true, twoFactorEnabled: true },
-    });
-
-    if (!user?.twoFactorSecret) {
-      return NextResponse.json({ error: "2FA not set up" }, { status: 400 });
-    }
-
-    if (verifyTOTP(user.twoFactorSecret, code)) {
-      await prisma.user.update({
-        where: { id: session.user.id },
-        data: { twoFactorEnabled: true, twoFactorVerified: true },
-      });
-      return NextResponse.json({ success: true });
-    }
-
-    return NextResponse.json({ error: "Invalid code" }, { status: 400 });
-  }
-
-  if (action === "disable") {
-    const { code, password } = await req.json();
-
-    // Verify password first
-    const user = await prisma.user.findUnique({
-      where: { id: session.user.id },
-      select: { passwordHash: true, twoFactorSecret: true, twoFactorEnabled: true },
-    });
-
-    if (!user?.passwordHash) {
-      return NextResponse.json({ error: "Password required" }, { status: 400 });
-    }
-
-    // Import bcrypt for password verification
-    const { default: bcrypt } = await import("bcryptjs");
-    const validPassword = await bcrypt.compare(password, user.passwordHash);
-    if (!validPassword) {
-      return NextResponse.json({ error: "Invalid password" }, { status: 400 });
-    }
-
-    // Verify 2FA code if enabled
-    if (user.twoFactorEnabled && user.twoFactorSecret) {
-      if (!code || !verifyTOTP(user.twoFactorSecret, code)) {
-        return NextResponse.json({ error: "Invalid 2FA code" }, { status: 400 });
-      }
-    }
-
-    await prisma.user.update({
-      where: { id: session.user.id },
-      data: { twoFactorSecret: null, twoFactorEnabled: false, twoFactorVerified: false },
-    });
-
-    return NextResponse.json({ success: true });
-  }
-
-  return NextResponse.json({ error: "Invalid action" }, { status: 400 });
-}

package/app/api/auth/[...nextauth]/route.tsx

@@ -1,3 +0,0 @@
-import { handlers } from "@/auth";
-
-export const { GET, POST } = handlers;

package/app/api/auth/change-password/route.tsx

@@ -1,61 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import bcrypt from "bcryptjs";
-import { auth } from "@/auth";
-import { prisma, getCloudPrisma } from "@/lib/prisma";
-import { rateLimit, getClientIp } from "@/lib/rate-limit";
-
-const RL_MAX = 10;
-const RL_WINDOW_MS = 60 * 60_000;
-
-export async function POST(req: NextRequest) {
-  const session = await auth();
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
-
-  const ip = getClientIp(req);
-  const rl = rateLimit(`change-password:${ip}`, RL_MAX, RL_WINDOW_MS);
-  if (rl.limited) {
-    return NextResponse.json(
-      { error: "Too many attempts. Try again later." },
-      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
-    );
-  }
-
-  const { currentPassword, newPassword } = await req.json();
-
-  if (!currentPassword || typeof currentPassword !== "string") {
-    return NextResponse.json({ error: "Current password required" }, { status: 400 });
-  }
-  if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
-    return NextResponse.json({ error: "New password must be at least 8 characters" }, { status: 400 });
-  }
-
-  const db = getCloudPrisma() ?? prisma;
-
-  const user = await db.user.findUnique({
-    where: { id: session.user.id },
-    select: { id: true, passwordHash: true },
-  });
-
-  if (!user || !user.passwordHash) {
-    return NextResponse.json(
-      { error: "Password change is not available for this account." },
-      { status: 400 }
-    );
-  }
-
-  const valid = await bcrypt.compare(currentPassword, user.passwordHash);
-  if (!valid) {
-    return NextResponse.json({ error: "Current password is incorrect" }, { status: 400 });
-  }
-
-  const passwordHash = await bcrypt.hash(newPassword, 12);
-
-  await db.user.update({
-    where: { id: user.id },
-    data: { passwordHash },
-  });
-
-  return NextResponse.json({ ok: true });
-}

package/app/api/auth/check-2fa/route.tsx

@@ -1,19 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { prisma } from "@/lib/prisma";
-
-export async function POST(req: NextRequest) {
-  const { email } = await req.json();
-
-  if (!email) {
-    return NextResponse.json({ error: "Email required" }, { status: 400 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: { email },
-    select: { twoFactorEnabled: true },
-  });
-
-  return NextResponse.json({
-    requires2FA: user?.twoFactorEnabled ?? false,
-  });
-}

package/app/api/auth/forgot-password/route.tsx

@@ -1,65 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { prisma, getCloudPrisma } from "@/lib/prisma";
-import { rateLimit, getClientIp } from "@/lib/rate-limit";
-import { sendAuthEmail } from "@/lib/email";
-
-const RL_MAX = 5;
-const RL_WINDOW_MS = 60 * 60_000; // 5 attempts per IP per hour
-
-export async function POST(req: NextRequest) {
-  const ip = getClientIp(req);
-  const rl = rateLimit(`forgot-password:${ip}`, RL_MAX, RL_WINDOW_MS);
-  if (rl.limited) {
-    return NextResponse.json(
-      { error: "Too many attempts. Try again later." },
-      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
-    );
-  }
-
-  const { email } = await req.json();
-  if (!email || typeof email !== "string") {
-    return NextResponse.json({ error: "Email required" }, { status: 400 });
-  }
-
-  // Look up user in the same DB auth reads from (cloud if available, local otherwise).
-  const db = getCloudPrisma() ?? prisma;
-  const user = await db.user.findUnique({ where: { email: email.toLowerCase().trim() } });
-
-  // Always return 200 to prevent email enumeration.
-  if (!user || !user.passwordHash) {
-    return NextResponse.json({ ok: true });
-  }
-
-  // Invalidate any existing unused tokens for this user.
-  await db.passwordResetToken.updateMany({
-    where: { userId: user.id, usedAt: null },
-    data: { usedAt: new Date() },
-  });
-
-  const record = await db.passwordResetToken.create({
-    data: {
-      userId: user.id,
-      expiresAt: new Date(Date.now() + 60 * 60_000), // 1 hour
-    },
-  });
-
-  const appUrl = process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";
-  const resetUrl = `${appUrl}/reset-password?token=${record.token}`;
-
-  // Send reset email via Brevo. If no email provider is configured the URL is
-  // returned in the response so admins/devs can copy it manually.
-  const sent = await sendAuthEmail(
-    email,
-    "Reset your Knotpad password",
-    `
-      <p>Hi${user.name ? ` ${user.name}` : ""},</p>
-      <p>Click the link below to reset your password. This link expires in 1 hour.</p>
-      <p><a href="${resetUrl}">${resetUrl}</a></p>
-      <p>If you didn't request this, you can ignore this email.</p>
-    `
-  );
-
-  // When no email provider is configured, expose the URL for local/dev use.
-  if (!sent) return NextResponse.json({ ok: true, resetUrl });
-  return NextResponse.json({ ok: true });
-}

package/app/api/auth/reset-password/route.tsx

@@ -1,52 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import bcrypt from "bcryptjs";
-import { prisma, getCloudPrisma } from "@/lib/prisma";
-import { rateLimit, getClientIp } from "@/lib/rate-limit";
-
-const RL_MAX = 10;
-const RL_WINDOW_MS = 60 * 60_000;
-
-export async function POST(req: NextRequest) {
-  const ip = getClientIp(req);
-  const rl = rateLimit(`reset-password:${ip}`, RL_MAX, RL_WINDOW_MS);
-  if (rl.limited) {
-    return NextResponse.json(
-      { error: "Too many attempts. Try again later." },
-      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
-    );
-  }
-
-  const { token, password } = await req.json();
-  if (!token || typeof token !== "string") {
-    return NextResponse.json({ error: "Token required" }, { status: 400 });
-  }
-  if (!password || typeof password !== "string" || password.length < 8) {
-    return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
-  }
-
-  const db = getCloudPrisma() ?? prisma;
-
-  const record = await db.passwordResetToken.findUnique({
-    where: { token },
-    include: { user: { select: { id: true, email: true } } },
-  });
-
-  if (!record || record.usedAt || record.expiresAt < new Date()) {
-    return NextResponse.json({ error: "Invalid or expired token" }, { status: 400 });
-  }
-
-  const passwordHash = await bcrypt.hash(password, 12);
-
-  await db.$transaction(async (tx) => {
-    await tx.user.update({
-      where: { id: record.userId },
-      data: { passwordHash },
-    });
-    await tx.passwordResetToken.update({
-      where: { id: record.id },
-      data: { usedAt: new Date() },
-    });
-  });
-
-  return NextResponse.json({ ok: true });
-}

package/app/api/auth/verify-2fa/route.tsx

@@ -1,88 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { prisma } from "@/lib/prisma";
-import { createHmac } from "crypto";
-import bcrypt from "bcryptjs";
-
-function generateTOTP(secret: string, window = 0): string {
-  const counter = Math.floor(Date.now() / 1000 / 30) + window;
-  const counterBuffer = Buffer.alloc(8);
-  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
-
-  const secretBuffer = Buffer.from(secret, "base64url");
-  const hmac = createHmac("sha1", secretBuffer);
-  hmac.update(counterBuffer);
-  const hash = hmac.digest();
-
-  const offset = hash[hash.length - 1] & 0x0f;
-  const code =
-    ((hash[offset] & 0x7f) << 24) |
-    ((hash[offset + 1] & 0xff) << 16) |
-    ((hash[offset + 2] & 0xff) << 8) |
-    (hash[offset + 3] & 0xff);
-
-  return (code % 1000000).toString().padStart(6, "0");
-}
-
-function verifyTOTP(secret: string, token: string): boolean {
-  for (let window = -1; window <= 1; window++) {
-    if (generateTOTP(secret, window) === token) {
-      return true;
-    }
-  }
-  return false;
-}
-
-export async function POST(req: NextRequest) {
-  const { email, password, code } = await req.json();
-
-  if (!email || !password || !code) {
-    return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
-  }
-
-  if (!/^\d{6}$/.test(code)) {
-    return NextResponse.json({ error: "Invalid 2FA code format" }, { status: 400 });
-  }
-
-  const db = prisma;
-  const user = await db.user.findUnique({
-    where: { email },
-    select: {
-      id: true,
-      email: true,
-      name: true,
-      passwordHash: true,
-      twoFactorSecret: true,
-      twoFactorEnabled: true,
-    },
-  });
-
-  if (!user || !user.passwordHash) {
-    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
-  }
-
-  // Verify password first
-  const validPassword = await bcrypt.compare(password, user.passwordHash);
-  if (!validPassword) {
-    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
-  }
-
-  // Check if 2FA is enabled
-  if (!user.twoFactorEnabled || !user.twoFactorSecret) {
-    return NextResponse.json({ error: "2FA not enabled" }, { status: 400 });
-  }
-
-  // Verify TOTP code
-  if (!verifyTOTP(user.twoFactorSecret, code)) {
-    return NextResponse.json({ error: "Invalid 2FA code" }, { status: 401 });
-  }
-
-  // Return user info for client-side session creation
-  return NextResponse.json({
-    success: true,
-    user: {
-      id: user.id,
-      email: user.email,
-      name: user.name ?? "",
-    },
-  });
-}

package/app/api/backup/download/db/route.ts

@@ -1,29 +0,0 @@
-import { NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { buildWorkspaceBackup } from "@/lib/backup/export-workspace-backup";
-
-export async function GET() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const member = await prisma.workspaceMember.findFirst({
-    where: { userId: session.user.id, revokedAt: null },
-    include: { workspace: true },
-  });
-  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const { filename, payload } = await buildWorkspaceBackup(
-    member.workspaceId,
-    member.workspace.name,
-    member.workspace.slug
-  );
-
-  return new NextResponse(JSON.stringify(payload, null, 2), {
-    headers: {
-      "Content-Type": "application/json",
-      "Content-Disposition": `attachment; filename="${filename}"`,
-      "x-brief-filename": filename,
-    },
-  });
-}

package/app/api/backup/download/notes/route.ts

@@ -1,25 +0,0 @@
-import { NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { buildNotesZipExport } from "@/lib/backup/export-notes-zip";
-
-export async function GET() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const member = await prisma.workspaceMember.findFirst({
-    where: { userId: session.user.id, revokedAt: null },
-    include: { workspace: true },
-  });
-  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const { filename, bytes } = await buildNotesZipExport(member.workspaceId);
-
-  return new NextResponse(Buffer.from(bytes), {
-    headers: {
-      "Content-Type": "application/zip",
-      "Content-Disposition": `attachment; filename="${filename}"`,
-      "x-brief-filename": filename,
-    },
-  });
-}

package/app/api/backup/settings/route.ts

@@ -1,92 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { validateBackupSettingsInput } from "@/lib/backup/backup-settings";
-
-export async function GET() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const member = await prisma.workspaceMember.findFirst({
-    where: {
-      userId: session.user.id,
-      role: { in: ["OWNER", "ADMIN"] },
-      revokedAt: null,
-    },
-    include: {
-      workspace: {
-        include: {
-          backupSettings: true,
-        },
-      },
-    },
-  });
-  if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
-
-  return NextResponse.json({
-    workspace: {
-      id: member.workspaceId,
-      isCloud: member.workspace.isCloud,
-      isPro: member.workspace.isPro,
-    },
-    settings: member.workspace.backupSettings,
-  });
-}
-
-export async function PUT(req: NextRequest) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const member = await prisma.workspaceMember.findFirst({
-    where: {
-      userId: session.user.id,
-      role: { in: ["OWNER", "ADMIN"] },
-      revokedAt: null,
-    },
-    include: { workspace: true },
-  });
-  if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
-
-  const body = await req.json().catch(() => null);
-  if (!body) return NextResponse.json({ error: "Invalid body" }, { status: 400 });
-
-  const validation = validateBackupSettingsInput({
-    scheduleEnabled: Boolean(body.scheduleEnabled),
-    scheduleCadence: body.scheduleCadence,
-    destinationPath: typeof body.destinationPath === "string" ? body.destinationPath : "",
-    includeMarkdownZip: Boolean(body.includeMarkdownZip),
-    isCloudWorkspace: member.workspace.isCloud,
-  });
-  if (!validation.success) {
-    return NextResponse.json({ error: validation.error }, { status: 422 });
-  }
-
-  const settings = await prisma.workspaceBackupSettings.upsert({
-    where: { workspaceId: member.workspaceId },
-    update: {
-      scheduleEnabled: Boolean(body.scheduleEnabled),
-      scheduleCadence: body.scheduleCadence,
-      destinationPath: body.destinationPath?.trim() ? body.destinationPath.trim() : null,
-      includeMarkdownZip: Boolean(body.includeMarkdownZip),
-      lastBackupAt: body.lastBackupAt ? new Date(body.lastBackupAt) : undefined,
-      lastBackupStatus:
-        typeof body.lastBackupStatus === "string" ? body.lastBackupStatus : undefined,
-      lastBackupError:
-        typeof body.lastBackupError === "string" ? body.lastBackupError : body.lastBackupError === null ? null : undefined,
-    },
-    create: {
-      workspaceId: member.workspaceId,
-      scheduleEnabled: Boolean(body.scheduleEnabled),
-      scheduleCadence: body.scheduleCadence,
-      destinationPath: body.destinationPath?.trim() ? body.destinationPath.trim() : null,
-      includeMarkdownZip: Boolean(body.includeMarkdownZip),
-      lastBackupAt: body.lastBackupAt ? new Date(body.lastBackupAt) : null,
-      lastBackupStatus:
-        typeof body.lastBackupStatus === "string" ? body.lastBackupStatus : "idle",
-      lastBackupError:
-        typeof body.lastBackupError === "string" ? body.lastBackupError : null,
-    },
-  });
-
-  return NextResponse.json({ settings });
-}

package/app/api/billing/checkout/route.tsx

@@ -1,81 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { stripe, PRICE_ID_PERSONAL_PRO, PRICE_ID_TEAM_PRO, APP_URL } from "@/lib/stripe";
-
-export async function POST(req: NextRequest) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const body = await req.json().catch(() => ({}));
-
-  // plan = "personal" (1 seat, PERSONAL_PRO) | "team" (N seats, TEAM_PRO, min 2)
-  const plan: "personal" | "team" = body.plan === "team" ? "team" : "personal";
-  const seats: number = plan === "team" ? Math.max(2, parseInt(body.seats ?? "2")) : 1;
-  const targetWorkspaceId: string | undefined = body.workspaceId;
-
-  // Find the workspace to upgrade. For team checkouts a specific workspaceId is
-  // required (the newly created team workspace). For personal, use the caller's
-  // personal workspace.
-  const member = targetWorkspaceId
-    ? await prisma.workspaceMember.findFirst({
-        where: {
-          userId: session.user.id,
-          workspaceId: targetWorkspaceId,
-          role: { in: ["OWNER", "ADMIN"] },
-        },
-        include: { workspace: true },
-      })
-    : await prisma.workspaceMember.findFirst({
-        where: {
-          userId: session.user.id,
-          role: { in: ["OWNER", "ADMIN"] },
-          workspace: { type: "PERSONAL" },
-        },
-        include: { workspace: true },
-      });
-
-  if (!member) return NextResponse.json({ error: "Must be owner or admin" }, { status: 403 });
-
-  const { workspace } = member;
-
-  // Guard: prevent creating a second checkout session for an already-active subscription.
-  if (workspace.isPro && workspace.stripeSubId) {
-    return NextResponse.json(
-      { error: "Workspace is already subscribed", stripeSubId: workspace.stripeSubId },
-      { status: 409 }
-    );
-  }
-
-  // Create or reuse Stripe customer
-  let customerId = workspace.stripeId;
-  if (!customerId) {
-    const customer = await stripe.customers.create({
-      email: session.user.email,
-      name: session.user.name,
-      metadata: { workspaceId: workspace.id },
-    });
-    customerId = customer.id;
-    await prisma.workspace.update({
-      where: { id: workspace.id },
-      data: { stripeId: customerId },
-    });
-  }
-
-  const planType = plan === "team" ? "TEAM_PRO" : "PERSONAL_PRO";
-  const priceId = plan === "team" ? PRICE_ID_TEAM_PRO : PRICE_ID_PERSONAL_PRO;
-
-  const checkoutSession = await stripe.checkout.sessions.create({
-    customer: customerId,
-    mode: "subscription",
-    line_items: [{ price: priceId, quantity: seats }],
-    success_url: `${APP_URL}/settings/billing?upgraded=1`,
-    cancel_url: `${APP_URL}/settings/billing`,
-    metadata: { workspaceId: workspace.id, userId: session.user.id, planType },
-    subscription_data: {
-      metadata: { workspaceId: workspace.id, planType },
-    },
-  });
-
-  return NextResponse.json({ url: checkoutSession.url });
-}