@knotpad/app 0.1.0

package/app/api/account/claim/route.tsx

@@ -0,0 +1,135 @@
+import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
+import { auth } from "@/auth";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+
+/**
+ * POST /api/account/claim
+ * Body: { name, email, password }
+ *
+ * Converts the current GUEST (local, no-password `*@local.brief`) into a real
+ * account WITHOUT orphaning their notes:
+ *   1. Attach real name/email/passwordHash to the existing local user (same id,
+ *      same workspace → their notes stay put).
+ *   2. Mirror the identity (User + each Workspace + WorkspaceMember + that
+ *      workspace's KanbanStatuses) into Neon BY ID, because identity is
+ *      cloud-scoped (PrismaAdapter(cloud)) and `/api/billing/migrate` is keyed by
+ *      workspaceId — both need the records to exist in cloud.
+ *
+ * After this, the client signs in with the new credentials and proceeds to
+ * billing (setup-intent → subscribe); the Stripe webhook flips the plan flags
+ * and triggers the data migration. This route does NOT touch Stripe or plan
+ * flags — it only establishes the real, cloud-resolvable identity.
+ */
+
+const AUTH_MAX = 10;
+const AUTH_WINDOW_MS = 60 * 60_000;
+
+export async function POST(req: NextRequest) {
+  const ip = getClientIp(req);
+  const rl = rateLimit(`claim:${ip}`, AUTH_MAX, AUTH_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const cloud = getCloudPrisma();
+  if (!cloud) {
+    return NextResponse.json(
+      { error: "Cloud is not configured — upgrading requires a cloud connection." },
+      { status: 503 }
+    );
+  }
+
+  // The signed-in user must be an unclaimed guest.
+  const me = await prisma.user.findUnique({ where: { id: session.user.id } });
+  if (!me || !me.email?.endsWith("@local.brief") || me.passwordHash) {
+    return NextResponse.json(
+      { error: "This account can't be upgraded (already a real account)." },
+      { status: 400 }
+    );
+  }
+
+  const { name, email, password } = await req.json().catch(() => ({}));
+  if (!name || !email || !password) {
+    return NextResponse.json({ error: "Missing fields" }, { status: 400 });
+  }
+  if (typeof password !== "string" || password.length < 8) {
+    return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
+  }
+  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    return NextResponse.json({ error: "Invalid email address" }, { status: 400 });
+  }
+
+  // Email must be free in BOTH databases (auth checks cloud-first, but the local
+  // DB also holds users in fully-local mode).
+  for (const db of [prisma, cloud]) {
+    const taken = await db.user.findUnique({ where: { email } });
+    if (taken) return NextResponse.json({ error: "Email already in use" }, { status: 409 });
+  }
+
+  const passwordHash = await bcrypt.hash(password, 12);
+
+  // 1) Promote the local user in place (keeps id + workspace + notes).
+  await prisma.user.update({
+    where: { id: me.id },
+    data: { name, email, passwordHash },
+  });
+
+  // 2) Mirror identity into Neon by id so cloud login + migrate resolve.
+  const memberships = await prisma.workspaceMember.findMany({
+    where: { userId: me.id, revokedAt: null },
+    include: { workspace: true },
+  });
+
+  await cloud.user.upsert({
+    where: { id: me.id },
+    create: { id: me.id, name, email, passwordHash, role: me.role, createdAt: me.createdAt },
+    update: { name, email, passwordHash },
+  });
+
+  for (const m of memberships) {
+    const ws = m.workspace;
+    await cloud.workspace.upsert({
+      where: { id: ws.id },
+      create: {
+        id: ws.id,
+        name: ws.name,
+        slug: ws.slug,
+        type: ws.type,
+        planType: ws.planType,
+        licenseType: ws.licenseType,
+        isCloud: ws.isCloud,
+        isPro: ws.isPro,
+        seatCount: ws.seatCount,
+        encryptionSalt: ws.encryptionSalt,
+        createdAt: ws.createdAt,
+      },
+      update: { name: ws.name, slug: ws.slug, encryptionSalt: ws.encryptionSalt },
+    });
+
+    await cloud.workspaceMember.upsert({
+      where: { userId_workspaceId: { userId: me.id, workspaceId: ws.id } },
+      create: { id: m.id, userId: me.id, workspaceId: ws.id, role: m.role, joinedAt: m.joinedAt },
+      update: { role: m.role },
+    });
+
+    // Mirror the workspace's kanban statuses so the board looks identical in cloud.
+    const statuses = await prisma.kanbanStatus.findMany({ where: { workspaceId: ws.id } });
+    for (const s of statuses) {
+      await cloud.kanbanStatus.upsert({
+        where: { workspaceId_key: { workspaceId: ws.id, key: s.key } },
+        create: { workspaceId: ws.id, key: s.key, label: s.label, color: s.color, order: s.order, isVisible: s.isVisible },
+        update: { label: s.label, color: s.color, order: s.order, isVisible: s.isVisible },
+      });
+    }
+  }
+
+  return NextResponse.json({ ok: true, email });
+}

package/app/api/admin/backfill-encryption/route.tsx

@@ -0,0 +1,43 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { encryptContent } from "@/lib/note-crypto";
+import { isEncrypted } from "@/lib/encryption";
+
+/**
+ * POST /api/admin/backfill-encryption
+ * Header: Authorization: Bearer <ADMIN_SECRET>
+ *
+ * One-off migration: encrypts any note.content rows still stored as plaintext
+ * (e.g. created while encryption was disabled). Idempotent — already-encrypted
+ * rows are skipped via isEncrypted(), so it is safe to re-run.
+ */
+export async function POST(req: NextRequest) {
+  const secret = process.env.ADMIN_SECRET;
+  if (!secret) return NextResponse.json({ error: "Not configured" }, { status: 501 });
+
+  const auth = req.headers.get("authorization");
+  if (auth !== `Bearer ${secret}`) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const notes = await prisma.note.findMany({ select: { id: true, content: true, workspaceId: true } });
+
+  let encrypted = 0;
+  let skipped = 0;
+  for (const note of notes) {
+    if (isEncrypted(note.content)) {
+      skipped++;
+      continue;
+    }
+    const ciphertext = await encryptContent(note.content, note.workspaceId);
+    // version stays put (storage-format change, not a content edit); @updatedAt
+    // will refresh, which simply makes sync push the now-encrypted row once.
+    await prisma.note.update({
+      where: { id: note.id },
+      data: { content: ciphertext },
+    });
+    encrypted++;
+  }
+
+  return NextResponse.json({ ok: true, total: notes.length, encrypted, skipped });
+}

package/app/api/admin/license/route.tsx

@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+/**
+ * POST /api/admin/license
+ * Body: { workspaceId: string, licenseType: "STANDARD" | "COMPLIMENTARY" }
+ * Header: Authorization: Bearer <ADMIN_SECRET>
+ *
+ * Sets the license type on a workspace.
+ * COMPLIMENTARY workspaces get isPro + isCloud for free — no Stripe subscription needed.
+ */
+export async function POST(req: NextRequest) {
+  const secret = process.env.ADMIN_SECRET;
+  if (!secret) return NextResponse.json({ error: "Not configured" }, { status: 501 });
+
+  const auth = req.headers.get("authorization");
+  if (auth !== `Bearer ${secret}`) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { workspaceId, licenseType } = await req.json().catch(() => ({}));
+
+  if (!workspaceId) return NextResponse.json({ error: "workspaceId required" }, { status: 400 });
+  if (!["STANDARD", "COMPLIMENTARY"].includes(licenseType)) {
+    return NextResponse.json({ error: "licenseType must be STANDARD or COMPLIMENTARY" }, { status: 400 });
+  }
+
+  const isComplimentary = licenseType === "COMPLIMENTARY";
+
+  const workspace = await prisma.workspace.update({
+    where: { id: workspaceId },
+    data: {
+      licenseType,
+      isPro: isComplimentary ? true : undefined,
+      isCloud: isComplimentary ? true : undefined,
+      // Downgrading to STANDARD: let Stripe state govern isPro/isCloud (don't touch them here)
+    },
+    select: { id: true, name: true, licenseType: true, isPro: true, isCloud: true, planType: true },
+  });
+
+  return NextResponse.json(workspace);
+}

package/app/api/auth/2fa/route.tsx

@@ -0,0 +1,148 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { randomBytes, createHmac } from "crypto";
+
+// TOTP implementation using Node.js crypto
+function generateSecret(): string {
+  return randomBytes(20).toString("base64url").slice(0, 32);
+}
+
+function generateTOTP(secret: string, window = 0): string {
+  const counter = Math.floor(Date.now() / 1000 / 30) + window;
+  const counterBuffer = Buffer.alloc(8);
+  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
+
+  const secretBuffer = Buffer.from(secret, "base64url");
+  const hmac = createHmac("sha1", secretBuffer);
+  hmac.update(counterBuffer);
+  const hash = hmac.digest();
+
+  const offset = hash[hash.length - 1] & 0x0f;
+  const code =
+    ((hash[offset] & 0x7f) << 24) |
+    ((hash[offset + 1] & 0xff) << 16) |
+    ((hash[offset + 2] & 0xff) << 8) |
+    (hash[offset + 3] & 0xff);
+
+  return (code % 1000000).toString().padStart(6, "0");
+}
+
+function verifyTOTP(secret: string, token: string): boolean {
+  // Check current and adjacent time windows (±1 window = ±30 seconds)
+  for (let window = -1; window <= 1; window++) {
+    if (generateTOTP(secret, window) === token) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function generateQRCodeURL(secret: string, email: string, appName: string): string {
+  const encodedSecret = secret.replace(/=/g, "");
+  const encodedApp = encodeURIComponent(appName);
+  const encodedEmail = encodeURIComponent(email);
+  return `otpauth://totp/${encodedApp}:${encodedEmail}?secret=${encodedSecret}&issuer=${encodedApp}`;
+}
+
+// GET: Check if 2FA is enabled for current user
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const user = await prisma.user.findUnique({
+    where: { id: session.user.id },
+    select: { twoFactorEnabled: true },
+  });
+
+  return NextResponse.json({ enabled: user?.twoFactorEnabled ?? false });
+}
+
+// POST: Enable 2FA - generate secret and return QR code
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { action } = await req.json();
+
+  if (action === "setup") {
+    // Generate new secret
+    const secret = generateSecret();
+    const qrCodeURL = generateQRCodeURL(secret, session.user.email, "Knotpad");
+
+    // Store secret temporarily (not enabled until verified)
+    await prisma.user.update({
+      where: { id: session.user.id },
+      data: { twoFactorSecret: secret, twoFactorEnabled: false, twoFactorVerified: false },
+    });
+
+    return NextResponse.json({
+      secret,
+      qrCodeURL,
+      manualEntryKey: secret.replace(/=/g, "").slice(0, 32).toUpperCase().replace(/(.{4})/g, "$1 ").trim(),
+    });
+  }
+
+  if (action === "verify") {
+    const { code } = await req.json();
+    if (!code || !/^\d{6}$/.test(code)) {
+      return NextResponse.json({ error: "Invalid code format" }, { status: 400 });
+    }
+
+    const user = await prisma.user.findUnique({
+      where: { id: session.user.id },
+      select: { twoFactorSecret: true, twoFactorEnabled: true },
+    });
+
+    if (!user?.twoFactorSecret) {
+      return NextResponse.json({ error: "2FA not set up" }, { status: 400 });
+    }
+
+    if (verifyTOTP(user.twoFactorSecret, code)) {
+      await prisma.user.update({
+        where: { id: session.user.id },
+        data: { twoFactorEnabled: true, twoFactorVerified: true },
+      });
+      return NextResponse.json({ success: true });
+    }
+
+    return NextResponse.json({ error: "Invalid code" }, { status: 400 });
+  }
+
+  if (action === "disable") {
+    const { code, password } = await req.json();
+
+    // Verify password first
+    const user = await prisma.user.findUnique({
+      where: { id: session.user.id },
+      select: { passwordHash: true, twoFactorSecret: true, twoFactorEnabled: true },
+    });
+
+    if (!user?.passwordHash) {
+      return NextResponse.json({ error: "Password required" }, { status: 400 });
+    }
+
+    // Import bcrypt for password verification
+    const { default: bcrypt } = await import("bcryptjs");
+    const validPassword = await bcrypt.compare(password, user.passwordHash);
+    if (!validPassword) {
+      return NextResponse.json({ error: "Invalid password" }, { status: 400 });
+    }
+
+    // Verify 2FA code if enabled
+    if (user.twoFactorEnabled && user.twoFactorSecret) {
+      if (!code || !verifyTOTP(user.twoFactorSecret, code)) {
+        return NextResponse.json({ error: "Invalid 2FA code" }, { status: 400 });
+      }
+    }
+
+    await prisma.user.update({
+      where: { id: session.user.id },
+      data: { twoFactorSecret: null, twoFactorEnabled: false, twoFactorVerified: false },
+    });
+
+    return NextResponse.json({ success: true });
+  }
+
+  return NextResponse.json({ error: "Invalid action" }, { status: 400 });
+}

package/app/api/auth/[...nextauth]/route.tsx

@@ -0,0 +1,3 @@
+import { handlers } from "@/auth";
+
+export const { GET, POST } = handlers;

package/app/api/auth/change-password/route.tsx

@@ -0,0 +1,61 @@
+import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
+import { auth } from "@/auth";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+
+const RL_MAX = 10;
+const RL_WINDOW_MS = 60 * 60_000;
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const ip = getClientIp(req);
+  const rl = rateLimit(`change-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { currentPassword, newPassword } = await req.json();
+
+  if (!currentPassword || typeof currentPassword !== "string") {
+    return NextResponse.json({ error: "Current password required" }, { status: 400 });
+  }
+  if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
+    return NextResponse.json({ error: "New password must be at least 8 characters" }, { status: 400 });
+  }
+
+  const db = getCloudPrisma() ?? prisma;
+
+  const user = await db.user.findUnique({
+    where: { id: session.user.id },
+    select: { id: true, passwordHash: true },
+  });
+
+  if (!user || !user.passwordHash) {
+    return NextResponse.json(
+      { error: "Password change is not available for this account." },
+      { status: 400 }
+    );
+  }
+
+  const valid = await bcrypt.compare(currentPassword, user.passwordHash);
+  if (!valid) {
+    return NextResponse.json({ error: "Current password is incorrect" }, { status: 400 });
+  }
+
+  const passwordHash = await bcrypt.hash(newPassword, 12);
+
+  await db.user.update({
+    where: { id: user.id },
+    data: { passwordHash },
+  });
+
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/check-2fa/route.tsx

@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+export async function POST(req: NextRequest) {
+  const { email } = await req.json();
+
+  if (!email) {
+    return NextResponse.json({ error: "Email required" }, { status: 400 });
+  }
+
+  const user = await prisma.user.findUnique({
+    where: { email },
+    select: { twoFactorEnabled: true },
+  });
+
+  return NextResponse.json({
+    requires2FA: user?.twoFactorEnabled ?? false,
+  });
+}

package/app/api/auth/forgot-password/route.tsx

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+import { sendAuthEmail } from "@/lib/email";
+
+const RL_MAX = 5;
+const RL_WINDOW_MS = 60 * 60_000; // 5 attempts per IP per hour
+
+export async function POST(req: NextRequest) {
+  const ip = getClientIp(req);
+  const rl = rateLimit(`forgot-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { email } = await req.json();
+  if (!email || typeof email !== "string") {
+    return NextResponse.json({ error: "Email required" }, { status: 400 });
+  }
+
+  // Look up user in the same DB auth reads from (cloud if available, local otherwise).
+  const db = getCloudPrisma() ?? prisma;
+  const user = await db.user.findUnique({ where: { email: email.toLowerCase().trim() } });
+
+  // Always return 200 to prevent email enumeration.
+  if (!user || !user.passwordHash) {
+    return NextResponse.json({ ok: true });
+  }
+
+  // Invalidate any existing unused tokens for this user.
+  await db.passwordResetToken.updateMany({
+    where: { userId: user.id, usedAt: null },
+    data: { usedAt: new Date() },
+  });
+
+  const record = await db.passwordResetToken.create({
+    data: {
+      userId: user.id,
+      expiresAt: new Date(Date.now() + 60 * 60_000), // 1 hour
+    },
+  });
+
+  const appUrl = process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";
+  const resetUrl = `${appUrl}/reset-password?token=${record.token}`;
+
+  // Send reset email via Brevo. If no email provider is configured the URL is
+  // returned in the response so admins/devs can copy it manually.
+  const sent = await sendAuthEmail(
+    email,
+    "Reset your Knotpad password",
+    `
+      <p>Hi${user.name ? ` ${user.name}` : ""},</p>
+      <p>Click the link below to reset your password. This link expires in 1 hour.</p>
+      <p><a href="${resetUrl}">${resetUrl}</a></p>
+      <p>If you didn't request this, you can ignore this email.</p>
+    `
+  );
+
+  // When no email provider is configured, expose the URL for local/dev use.
+  if (!sent) return NextResponse.json({ ok: true, resetUrl });
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/reset-password/route.tsx

@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+
+const RL_MAX = 10;
+const RL_WINDOW_MS = 60 * 60_000;
+
+export async function POST(req: NextRequest) {
+  const ip = getClientIp(req);
+  const rl = rateLimit(`reset-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { token, password } = await req.json();
+  if (!token || typeof token !== "string") {
+    return NextResponse.json({ error: "Token required" }, { status: 400 });
+  }
+  if (!password || typeof password !== "string" || password.length < 8) {
+    return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
+  }
+
+  const db = getCloudPrisma() ?? prisma;
+
+  const record = await db.passwordResetToken.findUnique({
+    where: { token },
+    include: { user: { select: { id: true, email: true } } },
+  });
+
+  if (!record || record.usedAt || record.expiresAt < new Date()) {
+    return NextResponse.json({ error: "Invalid or expired token" }, { status: 400 });
+  }
+
+  const passwordHash = await bcrypt.hash(password, 12);
+
+  await db.$transaction(async (tx) => {
+    await tx.user.update({
+      where: { id: record.userId },
+      data: { passwordHash },
+    });
+    await tx.passwordResetToken.update({
+      where: { id: record.id },
+      data: { usedAt: new Date() },
+    });
+  });
+
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/verify-2fa/route.tsx

@@ -0,0 +1,88 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { createHmac } from "crypto";
+import bcrypt from "bcryptjs";
+
+function generateTOTP(secret: string, window = 0): string {
+  const counter = Math.floor(Date.now() / 1000 / 30) + window;
+  const counterBuffer = Buffer.alloc(8);
+  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
+
+  const secretBuffer = Buffer.from(secret, "base64url");
+  const hmac = createHmac("sha1", secretBuffer);
+  hmac.update(counterBuffer);
+  const hash = hmac.digest();
+
+  const offset = hash[hash.length - 1] & 0x0f;
+  const code =
+    ((hash[offset] & 0x7f) << 24) |
+    ((hash[offset + 1] & 0xff) << 16) |
+    ((hash[offset + 2] & 0xff) << 8) |
+    (hash[offset + 3] & 0xff);
+
+  return (code % 1000000).toString().padStart(6, "0");
+}
+
+function verifyTOTP(secret: string, token: string): boolean {
+  for (let window = -1; window <= 1; window++) {
+    if (generateTOTP(secret, window) === token) {
+      return true;
+    }
+  }
+  return false;
+}
+
+export async function POST(req: NextRequest) {
+  const { email, password, code } = await req.json();
+
+  if (!email || !password || !code) {
+    return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
+  }
+
+  if (!/^\d{6}$/.test(code)) {
+    return NextResponse.json({ error: "Invalid 2FA code format" }, { status: 400 });
+  }
+
+  const db = prisma;
+  const user = await db.user.findUnique({
+    where: { email },
+    select: {
+      id: true,
+      email: true,
+      name: true,
+      passwordHash: true,
+      twoFactorSecret: true,
+      twoFactorEnabled: true,
+    },
+  });
+
+  if (!user || !user.passwordHash) {
+    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+  }
+
+  // Verify password first
+  const validPassword = await bcrypt.compare(password, user.passwordHash);
+  if (!validPassword) {
+    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+  }
+
+  // Check if 2FA is enabled
+  if (!user.twoFactorEnabled || !user.twoFactorSecret) {
+    return NextResponse.json({ error: "2FA not enabled" }, { status: 400 });
+  }
+
+  // Verify TOTP code
+  if (!verifyTOTP(user.twoFactorSecret, code)) {
+    return NextResponse.json({ error: "Invalid 2FA code" }, { status: 401 });
+  }
+
+  // Return user info for client-side session creation
+  return NextResponse.json({
+    success: true,
+    user: {
+      id: user.id,
+      email: user.email,
+      name: user.name ?? "",
+    },
+  });
+}

package/app/api/backup/download/db/route.ts

@@ -0,0 +1,29 @@
+import { NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { buildWorkspaceBackup } from "@/lib/backup/export-workspace-backup";
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, revokedAt: null },
+    include: { workspace: true },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const { filename, payload } = await buildWorkspaceBackup(
+    member.workspaceId,
+    member.workspace.name,
+    member.workspace.slug
+  );
+
+  return new NextResponse(JSON.stringify(payload, null, 2), {
+    headers: {
+      "Content-Type": "application/json",
+      "Content-Disposition": `attachment; filename="${filename}"`,
+      "x-brief-filename": filename,
+    },
+  });
+}