@knotpad/app 0.1.5 → 0.1.7

package/app/api/admin/backfill-encryption/route.tsx

@@ -0,0 +1,43 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { encryptContent } from "@/lib/note-crypto";
+import { isEncrypted } from "@/lib/encryption";
+
+/**
+ * POST /api/admin/backfill-encryption
+ * Header: Authorization: Bearer <ADMIN_SECRET>
+ *
+ * One-off migration: encrypts any note.content rows still stored as plaintext
+ * (e.g. created while encryption was disabled). Idempotent — already-encrypted
+ * rows are skipped via isEncrypted(), so it is safe to re-run.
+ */
+export async function POST(req: NextRequest) {
+  const secret = process.env.ADMIN_SECRET;
+  if (!secret) return NextResponse.json({ error: "Not configured" }, { status: 501 });
+
+  const auth = req.headers.get("authorization");
+  if (auth !== `Bearer ${secret}`) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const notes = await prisma.note.findMany({ select: { id: true, content: true, workspaceId: true } });
+
+  let encrypted = 0;
+  let skipped = 0;
+  for (const note of notes) {
+    if (isEncrypted(note.content)) {
+      skipped++;
+      continue;
+    }
+    const ciphertext = await encryptContent(note.content, note.workspaceId);
+    // version stays put (storage-format change, not a content edit); @updatedAt
+    // will refresh, which simply makes sync push the now-encrypted row once.
+    await prisma.note.update({
+      where: { id: note.id },
+      data: { content: ciphertext },
+    });
+    encrypted++;
+  }
+
+  return NextResponse.json({ ok: true, total: notes.length, encrypted, skipped });
+}

package/app/api/admin/license/route.tsx

@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+/**
+ * POST /api/admin/license
+ * Body: { workspaceId: string, licenseType: "STANDARD" | "COMPLIMENTARY" }
+ * Header: Authorization: Bearer <ADMIN_SECRET>
+ *
+ * Sets the license type on a workspace.
+ * COMPLIMENTARY workspaces get isPro + isCloud for free — no Stripe subscription needed.
+ */
+export async function POST(req: NextRequest) {
+  const secret = process.env.ADMIN_SECRET;
+  if (!secret) return NextResponse.json({ error: "Not configured" }, { status: 501 });
+
+  const auth = req.headers.get("authorization");
+  if (auth !== `Bearer ${secret}`) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { workspaceId, licenseType } = await req.json().catch(() => ({}));
+
+  if (!workspaceId) return NextResponse.json({ error: "workspaceId required" }, { status: 400 });
+  if (!["STANDARD", "COMPLIMENTARY"].includes(licenseType)) {
+    return NextResponse.json({ error: "licenseType must be STANDARD or COMPLIMENTARY" }, { status: 400 });
+  }
+
+  const isComplimentary = licenseType === "COMPLIMENTARY";
+
+  const workspace = await prisma.workspace.update({
+    where: { id: workspaceId },
+    data: {
+      licenseType,
+      isPro: isComplimentary ? true : undefined,
+      isCloud: isComplimentary ? true : undefined,
+      // Downgrading to STANDARD: let Stripe state govern isPro/isCloud (don't touch them here)
+    },
+    select: { id: true, name: true, licenseType: true, isPro: true, isCloud: true, planType: true },
+  });
+
+  return NextResponse.json(workspace);
+}

package/app/api/auth/2fa/route.tsx

@@ -0,0 +1,148 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { randomBytes, createHmac } from "crypto";
+
+// TOTP implementation using Node.js crypto
+function generateSecret(): string {
+  return randomBytes(20).toString("base64url").slice(0, 32);
+}
+
+function generateTOTP(secret: string, window = 0): string {
+  const counter = Math.floor(Date.now() / 1000 / 30) + window;
+  const counterBuffer = Buffer.alloc(8);
+  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
+
+  const secretBuffer = Buffer.from(secret, "base64url");
+  const hmac = createHmac("sha1", secretBuffer);
+  hmac.update(counterBuffer);
+  const hash = hmac.digest();
+
+  const offset = hash[hash.length - 1] & 0x0f;
+  const code =
+    ((hash[offset] & 0x7f) << 24) |
+    ((hash[offset + 1] & 0xff) << 16) |
+    ((hash[offset + 2] & 0xff) << 8) |
+    (hash[offset + 3] & 0xff);
+
+  return (code % 1000000).toString().padStart(6, "0");
+}
+
+function verifyTOTP(secret: string, token: string): boolean {
+  // Check current and adjacent time windows (±1 window = ±30 seconds)
+  for (let window = -1; window <= 1; window++) {
+    if (generateTOTP(secret, window) === token) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function generateQRCodeURL(secret: string, email: string, appName: string): string {
+  const encodedSecret = secret.replace(/=/g, "");
+  const encodedApp = encodeURIComponent(appName);
+  const encodedEmail = encodeURIComponent(email);
+  return `otpauth://totp/${encodedApp}:${encodedEmail}?secret=${encodedSecret}&issuer=${encodedApp}`;
+}
+
+// GET: Check if 2FA is enabled for current user
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const user = await prisma.user.findUnique({
+    where: { id: session.user.id },
+    select: { twoFactorEnabled: true },
+  });
+
+  return NextResponse.json({ enabled: user?.twoFactorEnabled ?? false });
+}
+
+// POST: Enable 2FA - generate secret and return QR code
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { action } = await req.json();
+
+  if (action === "setup") {
+    // Generate new secret
+    const secret = generateSecret();
+    const qrCodeURL = generateQRCodeURL(secret, session.user.email, "Knotpad");
+
+    // Store secret temporarily (not enabled until verified)
+    await prisma.user.update({
+      where: { id: session.user.id },
+      data: { twoFactorSecret: secret, twoFactorEnabled: false, twoFactorVerified: false },
+    });
+
+    return NextResponse.json({
+      secret,
+      qrCodeURL,
+      manualEntryKey: secret.replace(/=/g, "").slice(0, 32).toUpperCase().replace(/(.{4})/g, "$1 ").trim(),
+    });
+  }
+
+  if (action === "verify") {
+    const { code } = await req.json();
+    if (!code || !/^\d{6}$/.test(code)) {
+      return NextResponse.json({ error: "Invalid code format" }, { status: 400 });
+    }
+
+    const user = await prisma.user.findUnique({
+      where: { id: session.user.id },
+      select: { twoFactorSecret: true, twoFactorEnabled: true },
+    });
+
+    if (!user?.twoFactorSecret) {
+      return NextResponse.json({ error: "2FA not set up" }, { status: 400 });
+    }
+
+    if (verifyTOTP(user.twoFactorSecret, code)) {
+      await prisma.user.update({
+        where: { id: session.user.id },
+        data: { twoFactorEnabled: true, twoFactorVerified: true },
+      });
+      return NextResponse.json({ success: true });
+    }
+
+    return NextResponse.json({ error: "Invalid code" }, { status: 400 });
+  }
+
+  if (action === "disable") {
+    const { code, password } = await req.json();
+
+    // Verify password first
+    const user = await prisma.user.findUnique({
+      where: { id: session.user.id },
+      select: { passwordHash: true, twoFactorSecret: true, twoFactorEnabled: true },
+    });
+
+    if (!user?.passwordHash) {
+      return NextResponse.json({ error: "Password required" }, { status: 400 });
+    }
+
+    // Import bcrypt for password verification
+    const { default: bcrypt } = await import("bcryptjs");
+    const validPassword = await bcrypt.compare(password, user.passwordHash);
+    if (!validPassword) {
+      return NextResponse.json({ error: "Invalid password" }, { status: 400 });
+    }
+
+    // Verify 2FA code if enabled
+    if (user.twoFactorEnabled && user.twoFactorSecret) {
+      if (!code || !verifyTOTP(user.twoFactorSecret, code)) {
+        return NextResponse.json({ error: "Invalid 2FA code" }, { status: 400 });
+      }
+    }
+
+    await prisma.user.update({
+      where: { id: session.user.id },
+      data: { twoFactorSecret: null, twoFactorEnabled: false, twoFactorVerified: false },
+    });
+
+    return NextResponse.json({ success: true });
+  }
+
+  return NextResponse.json({ error: "Invalid action" }, { status: 400 });
+}

package/app/api/auth/[...nextauth]/route.tsx

@@ -0,0 +1,3 @@
+import { handlers } from "@/auth";
+
+export const { GET, POST } = handlers;

package/app/api/auth/change-password/route.tsx

@@ -0,0 +1,61 @@
+import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
+import { auth } from "@/auth";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+
+const RL_MAX = 10;
+const RL_WINDOW_MS = 60 * 60_000;
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const ip = getClientIp(req);
+  const rl = rateLimit(`change-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { currentPassword, newPassword } = await req.json();
+
+  if (!currentPassword || typeof currentPassword !== "string") {
+    return NextResponse.json({ error: "Current password required" }, { status: 400 });
+  }
+  if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
+    return NextResponse.json({ error: "New password must be at least 8 characters" }, { status: 400 });
+  }
+
+  const db = getCloudPrisma() ?? prisma;
+
+  const user = await db.user.findUnique({
+    where: { id: session.user.id },
+    select: { id: true, passwordHash: true },
+  });
+
+  if (!user || !user.passwordHash) {
+    return NextResponse.json(
+      { error: "Password change is not available for this account." },
+      { status: 400 }
+    );
+  }
+
+  const valid = await bcrypt.compare(currentPassword, user.passwordHash);
+  if (!valid) {
+    return NextResponse.json({ error: "Current password is incorrect" }, { status: 400 });
+  }
+
+  const passwordHash = await bcrypt.hash(newPassword, 12);
+
+  await db.user.update({
+    where: { id: user.id },
+    data: { passwordHash },
+  });
+
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/check-2fa/route.tsx

@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+export async function POST(req: NextRequest) {
+  const { email } = await req.json();
+
+  if (!email) {
+    return NextResponse.json({ error: "Email required" }, { status: 400 });
+  }
+
+  const user = await prisma.user.findUnique({
+    where: { email },
+    select: { twoFactorEnabled: true },
+  });
+
+  return NextResponse.json({
+    requires2FA: user?.twoFactorEnabled ?? false,
+  });
+}

package/app/api/auth/forgot-password/route.tsx

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+import { sendAuthEmail } from "@/lib/email";
+
+const RL_MAX = 5;
+const RL_WINDOW_MS = 60 * 60_000; // 5 attempts per IP per hour
+
+export async function POST(req: NextRequest) {
+  const ip = getClientIp(req);
+  const rl = rateLimit(`forgot-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { email } = await req.json();
+  if (!email || typeof email !== "string") {
+    return NextResponse.json({ error: "Email required" }, { status: 400 });
+  }
+
+  // Look up user in the same DB auth reads from (cloud if available, local otherwise).
+  const db = getCloudPrisma() ?? prisma;
+  const user = await db.user.findUnique({ where: { email: email.toLowerCase().trim() } });
+
+  // Always return 200 to prevent email enumeration.
+  if (!user || !user.passwordHash) {
+    return NextResponse.json({ ok: true });
+  }
+
+  // Invalidate any existing unused tokens for this user.
+  await db.passwordResetToken.updateMany({
+    where: { userId: user.id, usedAt: null },
+    data: { usedAt: new Date() },
+  });
+
+  const record = await db.passwordResetToken.create({
+    data: {
+      userId: user.id,
+      expiresAt: new Date(Date.now() + 60 * 60_000), // 1 hour
+    },
+  });
+
+  const appUrl = process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";
+  const resetUrl = `${appUrl}/reset-password?token=${record.token}`;
+
+  // Send reset email via Brevo. If no email provider is configured the URL is
+  // returned in the response so admins/devs can copy it manually.
+  const sent = await sendAuthEmail(
+    email,
+    "Reset your Knotpad password",
+    `
+      <p>Hi${user.name ? ` ${user.name}` : ""},</p>
+      <p>Click the link below to reset your password. This link expires in 1 hour.</p>
+      <p><a href="${resetUrl}">${resetUrl}</a></p>
+      <p>If you didn't request this, you can ignore this email.</p>
+    `
+  );
+
+  // When no email provider is configured, expose the URL for local/dev use.
+  if (!sent) return NextResponse.json({ ok: true, resetUrl });
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/reset-password/route.tsx

@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { rateLimit, getClientIp } from "@/lib/rate-limit";
+
+const RL_MAX = 10;
+const RL_WINDOW_MS = 60 * 60_000;
+
+export async function POST(req: NextRequest) {
+  const ip = getClientIp(req);
+  const rl = rateLimit(`reset-password:${ip}`, RL_MAX, RL_WINDOW_MS);
+  if (rl.limited) {
+    return NextResponse.json(
+      { error: "Too many attempts. Try again later." },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
+    );
+  }
+
+  const { token, password } = await req.json();
+  if (!token || typeof token !== "string") {
+    return NextResponse.json({ error: "Token required" }, { status: 400 });
+  }
+  if (!password || typeof password !== "string" || password.length < 8) {
+    return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
+  }
+
+  const db = getCloudPrisma() ?? prisma;
+
+  const record = await db.passwordResetToken.findUnique({
+    where: { token },
+    include: { user: { select: { id: true, email: true } } },
+  });
+
+  if (!record || record.usedAt || record.expiresAt < new Date()) {
+    return NextResponse.json({ error: "Invalid or expired token" }, { status: 400 });
+  }
+
+  const passwordHash = await bcrypt.hash(password, 12);
+
+  await db.$transaction(async (tx) => {
+    await tx.user.update({
+      where: { id: record.userId },
+      data: { passwordHash },
+    });
+    await tx.passwordResetToken.update({
+      where: { id: record.id },
+      data: { usedAt: new Date() },
+    });
+  });
+
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/verify-2fa/route.tsx

@@ -0,0 +1,88 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { createHmac } from "crypto";
+import bcrypt from "bcryptjs";
+
+function generateTOTP(secret: string, window = 0): string {
+  const counter = Math.floor(Date.now() / 1000 / 30) + window;
+  const counterBuffer = Buffer.alloc(8);
+  counterBuffer.writeBigUInt64BE(BigInt(counter), 0);
+
+  const secretBuffer = Buffer.from(secret, "base64url");
+  const hmac = createHmac("sha1", secretBuffer);
+  hmac.update(counterBuffer);
+  const hash = hmac.digest();
+
+  const offset = hash[hash.length - 1] & 0x0f;
+  const code =
+    ((hash[offset] & 0x7f) << 24) |
+    ((hash[offset + 1] & 0xff) << 16) |
+    ((hash[offset + 2] & 0xff) << 8) |
+    (hash[offset + 3] & 0xff);
+
+  return (code % 1000000).toString().padStart(6, "0");
+}
+
+function verifyTOTP(secret: string, token: string): boolean {
+  for (let window = -1; window <= 1; window++) {
+    if (generateTOTP(secret, window) === token) {
+      return true;
+    }
+  }
+  return false;
+}
+
+export async function POST(req: NextRequest) {
+  const { email, password, code } = await req.json();
+
+  if (!email || !password || !code) {
+    return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
+  }
+
+  if (!/^\d{6}$/.test(code)) {
+    return NextResponse.json({ error: "Invalid 2FA code format" }, { status: 400 });
+  }
+
+  const db = prisma;
+  const user = await db.user.findUnique({
+    where: { email },
+    select: {
+      id: true,
+      email: true,
+      name: true,
+      passwordHash: true,
+      twoFactorSecret: true,
+      twoFactorEnabled: true,
+    },
+  });
+
+  if (!user || !user.passwordHash) {
+    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+  }
+
+  // Verify password first
+  const validPassword = await bcrypt.compare(password, user.passwordHash);
+  if (!validPassword) {
+    return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+  }
+
+  // Check if 2FA is enabled
+  if (!user.twoFactorEnabled || !user.twoFactorSecret) {
+    return NextResponse.json({ error: "2FA not enabled" }, { status: 400 });
+  }
+
+  // Verify TOTP code
+  if (!verifyTOTP(user.twoFactorSecret, code)) {
+    return NextResponse.json({ error: "Invalid 2FA code" }, { status: 401 });
+  }
+
+  // Return user info for client-side session creation
+  return NextResponse.json({
+    success: true,
+    user: {
+      id: user.id,
+      email: user.email,
+      name: user.name ?? "",
+    },
+  });
+}

package/app/api/backup/download/db/route.ts

@@ -0,0 +1,29 @@
+import { NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { buildWorkspaceBackup } from "@/lib/backup/export-workspace-backup";
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, revokedAt: null },
+    include: { workspace: true },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const { filename, payload } = await buildWorkspaceBackup(
+    member.workspaceId,
+    member.workspace.name,
+    member.workspace.slug
+  );
+
+  return new NextResponse(JSON.stringify(payload, null, 2), {
+    headers: {
+      "Content-Type": "application/json",
+      "Content-Disposition": `attachment; filename="${filename}"`,
+      "x-brief-filename": filename,
+    },
+  });
+}

package/app/api/backup/download/notes/route.ts

@@ -0,0 +1,25 @@
+import { NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { buildNotesZipExport } from "@/lib/backup/export-notes-zip";
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, revokedAt: null },
+    include: { workspace: true },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const { filename, bytes } = await buildNotesZipExport(member.workspaceId);
+
+  return new NextResponse(Buffer.from(bytes), {
+    headers: {
+      "Content-Type": "application/zip",
+      "Content-Disposition": `attachment; filename="${filename}"`,
+      "x-brief-filename": filename,
+    },
+  });
+}

package/app/api/backup/settings/route.ts

@@ -0,0 +1,92 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { validateBackupSettingsInput } from "@/lib/backup/backup-settings";
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: {
+      userId: session.user.id,
+      role: { in: ["OWNER", "ADMIN"] },
+      revokedAt: null,
+    },
+    include: {
+      workspace: {
+        include: {
+          backupSettings: true,
+        },
+      },
+    },
+  });
+  if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+
+  return NextResponse.json({
+    workspace: {
+      id: member.workspaceId,
+      isCloud: member.workspace.isCloud,
+      isPro: member.workspace.isPro,
+    },
+    settings: member.workspace.backupSettings,
+  });
+}
+
+export async function PUT(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: {
+      userId: session.user.id,
+      role: { in: ["OWNER", "ADMIN"] },
+      revokedAt: null,
+    },
+    include: { workspace: true },
+  });
+  if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+
+  const body = await req.json().catch(() => null);
+  if (!body) return NextResponse.json({ error: "Invalid body" }, { status: 400 });
+
+  const validation = validateBackupSettingsInput({
+    scheduleEnabled: Boolean(body.scheduleEnabled),
+    scheduleCadence: body.scheduleCadence,
+    destinationPath: typeof body.destinationPath === "string" ? body.destinationPath : "",
+    includeMarkdownZip: Boolean(body.includeMarkdownZip),
+    isCloudWorkspace: member.workspace.isCloud,
+  });
+  if (!validation.success) {
+    return NextResponse.json({ error: validation.error }, { status: 422 });
+  }
+
+  const settings = await prisma.workspaceBackupSettings.upsert({
+    where: { workspaceId: member.workspaceId },
+    update: {
+      scheduleEnabled: Boolean(body.scheduleEnabled),
+      scheduleCadence: body.scheduleCadence,
+      destinationPath: body.destinationPath?.trim() ? body.destinationPath.trim() : null,
+      includeMarkdownZip: Boolean(body.includeMarkdownZip),
+      lastBackupAt: body.lastBackupAt ? new Date(body.lastBackupAt) : undefined,
+      lastBackupStatus:
+        typeof body.lastBackupStatus === "string" ? body.lastBackupStatus : undefined,
+      lastBackupError:
+        typeof body.lastBackupError === "string" ? body.lastBackupError : body.lastBackupError === null ? null : undefined,
+    },
+    create: {
+      workspaceId: member.workspaceId,
+      scheduleEnabled: Boolean(body.scheduleEnabled),
+      scheduleCadence: body.scheduleCadence,
+      destinationPath: body.destinationPath?.trim() ? body.destinationPath.trim() : null,
+      includeMarkdownZip: Boolean(body.includeMarkdownZip),
+      lastBackupAt: body.lastBackupAt ? new Date(body.lastBackupAt) : null,
+      lastBackupStatus:
+        typeof body.lastBackupStatus === "string" ? body.lastBackupStatus : "idle",
+      lastBackupError:
+        typeof body.lastBackupError === "string" ? body.lastBackupError : null,
+    },
+  });
+
+  return NextResponse.json({ settings });
+}