@knotpad/app 0.1.5 → 0.1.7

package/app/api/graph/route.tsx

@@ -0,0 +1,242 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { getActiveWorkspaceId } from "@/lib/workspace";
+import { rateLimit } from "@/lib/rate-limit";
+import { decryptContent } from "@/lib/note-crypto";
+
+export type GraphNodeType = "note" | "task" | "person" | "agent" | "folder";
+
+export type GraphNode = {
+  id: string;
+  type: GraphNodeType;
+  label: string;
+  href?: string;
+  status?: string;
+};
+
+export type GraphEdge = {
+  source: string;
+  target: string;
+  type: "contains" | "assigned" | "references";
+};
+
+export type GraphData = { nodes: GraphNode[]; edges: GraphEdge[] };
+
+export async function GET(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const rl = rateLimit(`graph:${session.user.id}`, 20, 60_000);
+  if (rl.limited) {
+    return NextResponse.json({ error: "Too many requests" }, { status: 429, headers: { "Retry-After": String(rl.retryAfter) } });
+  }
+
+  const activeWs = await getActiveWorkspaceId(session.user.id);
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, workspaceId: activeWs ?? undefined },
+    include: {
+      workspace: {
+        include: {
+          folders: { select: { id: true, name: true } },
+          notes: {
+            include: {
+              tasks: {
+                include: {
+                  assignee: { select: { id: true, name: true, email: true } },
+                  // Cross-note references: notes that mention this task via ((title))
+                  references: { select: { noteId: true } },
+                },
+              },
+            },
+          },
+          members: {
+            include: { user: { select: { id: true, name: true, email: true } } },
+          },
+        },
+      },
+    },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const nodes: GraphNode[] = [];
+  const edges: GraphEdge[] = [];
+  const personSet = new Set<string>();
+  const edgeSet = new Set<string>(); // dedupe edges
+
+  function addEdge(source: string, target: string, type: GraphEdge["type"]) {
+    const key = `${source}→${target}:${type}`;
+    if (edgeSet.has(key)) return;
+    edgeSet.add(key);
+    edges.push({ source, target, type });
+  }
+
+  // ── Folder nodes (amber) ─────────────────────────────────────────────────
+  for (const folder of member.workspace.folders) {
+    nodes.push({
+      id: `folder-${folder.id}`,
+      type: "folder",
+      label: folder.name,
+    });
+  }
+
+  // ── Note + Task nodes ────────────────────────────────────────────────────
+  const noteIdSet = new Set(member.workspace.notes.map((n) => n.id));
+
+  // Build lookup maps: title → node id for resolving [[note]] and ((task)) refs
+  const noteTitleToId = new Map<string, string>();
+  const taskTitleToId = new Map<string, string>();
+
+  for (const note of member.workspace.notes) {
+    noteTitleToId.set(note.title.toLowerCase(), note.id);
+    for (const task of note.tasks) {
+      taskTitleToId.set(task.title.toLowerCase(), task.id);
+    }
+  }
+
+  // Regex patterns for extracting references from note content
+  const NOTE_REF_RE = /\[\[([^\]]+)\]\]/g;
+  const TASK_REF_RE = /\(\(([^)]+)\)\)/g;
+  const TASK_LINE_RE = /^(\s*)-\s+\[([ x])\]\s+(.+)$/;
+
+  for (const note of member.workspace.notes) {
+    nodes.push({
+      id: `note-${note.id}`,
+      type: "note",
+      label: note.title,
+      href: `/notes/${note.id}`,
+    });
+
+    // Folder → Note containment edge
+    if (note.folderId) {
+      addEdge(`folder-${note.folderId}`, `note-${note.id}`, "contains");
+    }
+
+    for (const task of note.tasks) {
+      // Agent-assigned tasks rendered as blue, human as teal
+      const taskNodeType: GraphNodeType = task.assigneeType === "AGENT" ? "agent" : "task";
+      const taskNodeId = `task-${task.id}`;
+
+      nodes.push({
+        id: taskNodeId,
+        type: taskNodeType,
+        label: task.title,
+        href: `/tasks/${task.id}?from=/graph`,
+        status: task.status,
+      });
+
+      // Note → Task containment edge (source note owns the task)
+      addEdge(`note-${note.id}`, taskNodeId, "contains");
+
+      // ── Assignee edges ─────────────────────────────────────────────────
+      if (task.assignee) {
+        const personId = `person-${task.assignee.id}`;
+        if (!personSet.has(personId)) {
+          personSet.add(personId);
+          nodes.push({
+            id: personId,
+            type: "person",
+            label: task.assignee.name ?? task.assignee.email ?? "Unknown",
+          });
+        }
+        addEdge(taskNodeId, personId, "assigned");
+      } else if (task.assigneeType === "AGENT" && task.claimedByAlias) {
+        const agentPersonId = `agent-person-${task.claimedByAlias}`;
+        if (!personSet.has(agentPersonId)) {
+          personSet.add(agentPersonId);
+          nodes.push({ id: agentPersonId, type: "agent", label: `@agent:${task.claimedByAlias}` });
+        }
+        addEdge(taskNodeId, agentPersonId, "assigned");
+      }
+
+      // ── Cross-note reference edges (from TaskReference table) ────────
+      // For each note that has a ((task title)) mention pointing at this task,
+      // draw a dashed "references" edge: referencing-note → this-task.
+      // Skip if the reference comes from the task's own source note (already
+      // shown as a "contains" edge above).
+      for (const ref of task.references) {
+        if (ref.noteId !== note.id && noteIdSet.has(ref.noteId)) {
+          addEdge(`note-${ref.noteId}`, taskNodeId, "references");
+        }
+      }
+    }
+
+    // ── Parse decrypted note content for inline references ────────────────
+    // This catches:
+    //   - Note-level [[note]] refs → note-to-note edges
+    //   - Note-level ((task)) refs → note-to-task edges
+    //   - Task-level [[note]] refs → task-to-note edges
+    //   - Task-level ((task)) refs → task-to-task edges
+    try {
+      const plain = await decryptContent(note.content, note.workspaceId);
+      const lines = plain.split("\n");
+      const ownTaskIds = new Set(note.tasks.map((t) => t.id));
+
+      for (const rawLine of lines) {
+        const taskMatch = TASK_LINE_RE.exec(rawLine);
+
+        if (taskMatch) {
+          // This is a task line — resolve refs from the task node
+          const lineText = taskMatch[3];
+          // Strip metadata to get the clean task title for lookup
+          const cleanTitle = lineText
+            .replace(/\[\[[^\]]*\]\]/g, "")
+            .replace(/\(\([^)]*\)\)/g, "")
+            .replace(/@[\w-]+/g, "")
+            .replace(/<[^>]+>/g, "")
+            .replace(/\d{4}-\d{2}-\d{2}(\.\.\d{4}-\d{2}-\d{2})?/g, "")
+            .replace(/\s*<!--task::[A-Z_]+-->/g, "")
+            .trim();
+          const srcTaskId = taskTitleToId.get(cleanTitle.toLowerCase());
+          if (!srcTaskId) continue;
+          const srcTaskNodeId = `task-${srcTaskId}`;
+
+          // [[note title]] refs inside task line → task-to-note edge
+          let m: RegExpExecArray | null;
+          const noteRefRe = new RegExp(NOTE_REF_RE.source, "g");
+          while ((m = noteRefRe.exec(lineText)) !== null) {
+            const refNoteId = noteTitleToId.get(m[1].trim().toLowerCase());
+            if (refNoteId && refNoteId !== note.id) {
+              addEdge(srcTaskNodeId, `note-${refNoteId}`, "references");
+            }
+          }
+
+          // ((task title)) refs inside task line → task-to-task edge
+          const taskRefRe = new RegExp(TASK_REF_RE.source, "g");
+          while ((m = taskRefRe.exec(lineText)) !== null) {
+            const refTaskId = taskTitleToId.get(m[1].trim().toLowerCase());
+            if (refTaskId && refTaskId !== srcTaskId) {
+              addEdge(srcTaskNodeId, `task-${refTaskId}`, "references");
+            }
+          }
+        } else {
+          // Non-task line — resolve refs from the note node
+          const noteNodeId = `note-${note.id}`;
+
+          let m: RegExpExecArray | null;
+          const noteRefRe = new RegExp(NOTE_REF_RE.source, "g");
+          while ((m = noteRefRe.exec(rawLine)) !== null) {
+            const refNoteId = noteTitleToId.get(m[1].trim().toLowerCase());
+            if (refNoteId && refNoteId !== note.id) {
+              addEdge(noteNodeId, `note-${refNoteId}`, "references");
+            }
+          }
+
+          const taskRefRe = new RegExp(TASK_REF_RE.source, "g");
+          while ((m = taskRefRe.exec(rawLine)) !== null) {
+            const refTaskId = taskTitleToId.get(m[1].trim().toLowerCase());
+            // Skip tasks this note already owns — they have a "contains" edge,
+            // so a redundant "references" edge would just draw a doubled line.
+            if (refTaskId && !ownTaskIds.has(refTaskId)) {
+              addEdge(noteNodeId, `task-${refTaskId}`, "references");
+            }
+          }
+        }
+      }
+    } catch {
+      // If decryption fails, skip inline references for this note
+    }
+  }
+
+  return NextResponse.json({ nodes, edges } satisfies GraphData);
+}

package/app/api/guest/route.tsx

@@ -0,0 +1,58 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { seedDefaultKanbanStatuses } from "@/lib/kanban-status";
+
+const IS_CLOUD = process.env.IS_CLOUD === "true";
+
+// Creates (or, on desktop, reuses) a local-only guest account.
+// Guest: no email, no password — full local features, no cloud sync.
+//
+// Desktop/NPX (IS_CLOUD=false): there is ONE persistent local identity, so
+// relaunching the app returns the user to the same notes instead of minting a
+// fresh empty workspace every time. Cloud (IS_CLOUD=true): mint a unique guest
+// per call (each browser is a different visitor; a shared identity would collide).
+export async function POST() {
+  if (!IS_CLOUD) {
+    // Reuse the existing unclaimed local guest (passwordHash still null — a
+    // claimed/upgraded account no longer qualifies, see /api/account/claim).
+    const existing = await prisma.user.findFirst({
+      where: { email: { endsWith: "@local.brief" }, passwordHash: null },
+      orderBy: { createdAt: "asc" },
+      select: { id: true, email: true },
+    });
+    if (existing) {
+      return NextResponse.json({ email: existing.email, guestId: existing.id }, { status: 200 });
+    }
+  }
+
+  const guestId = crypto.randomUUID();
+  const internalEmail = `guest_${guestId}@local.brief`;
+
+  const user = await prisma.$transaction(async (tx) => {
+    const newUser = await tx.user.create({
+      data: {
+        email: internalEmail,
+        name: "Guest",
+        role: "OWNER",
+      },
+    });
+
+    const slug = `guest-${guestId.slice(0, 8)}`;
+    const workspace = await tx.workspace.create({
+      data: {
+        name: "My Workspace",
+        slug,
+        members: { create: { userId: newUser.id, role: "OWNER" } },
+      },
+    });
+
+    // Seed the default kanban statuses so the board/list/badges work out of the
+    // box (mirrors /api/register; the old guest route skipped this).
+    await seedDefaultKanbanStatuses(workspace.id, tx);
+
+    return newUser;
+  });
+
+  // Return the internal credentials so the client can sign in via NextAuth
+  return NextResponse.json({ email: user.email, guestId }, { status: 201 });
+}

package/app/api/health/route.tsx

@@ -0,0 +1,10 @@
+import { NextResponse } from "next/server";
+
+// Tiny always-200 reachability probe. No auth, no DB — used by the client
+// online-status helper and the service worker to confirm the server is actually
+// reachable (navigator.onLine alone can't tell us that).
+export const dynamic = "force-dynamic";
+
+export function GET() {
+  return NextResponse.json({ ok: true, ts: Date.now() });
+}

package/app/api/holidays/countries/route.tsx

@@ -0,0 +1,14 @@
+import { NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET() {
+  const hd = new Holidays();
+  const raw = hd.getCountries() as Record<string, string>;
+  const countries = Object.entries(raw)
+    .map(([code, name]) => ({ code, name }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+  return NextResponse.json(
+    { countries },
+    { headers: { "Cache-Control": "public, max-age=86400" } }
+  );
+}

package/app/api/holidays/route.tsx

@@ -0,0 +1,49 @@
+/**
+ * General-purpose public holidays endpoint powered by the `date-holidays` npm library.
+ * Computes holidays locally — no external network dependency.
+ *
+ * Query params:
+ *   country – ISO 3166-1 alpha-2 code, e.g. "MY"  (required)
+ *   state   – region/state sub-code, e.g. "KUL"   (optional)
+ *   year    – 4-digit year                         (required)
+ *
+ * GET /api/holidays/countries           → { countries: { code, name }[] }
+ * GET /api/holidays/states?country=XX   → { states: { code, name }[] }
+ * GET /api/holidays?country=XX&year=YYYY[&state=YY] → { holidays: { name, date, is_subject_to_change }[] }
+ */
+import { NextRequest, NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = req.nextUrl;
+  const country = searchParams.get("country");
+  const state   = searchParams.get("state") ?? undefined;
+  const year    = searchParams.get("year");
+
+  if (!country) {
+    return NextResponse.json({ error: "country param required" }, { status: 400 });
+  }
+  if (!year || !/^\d{4}$/.test(year)) {
+    return NextResponse.json({ error: "year param required (YYYY)" }, { status: 400 });
+  }
+
+  try {
+    const hd = new Holidays(country, state ?? "");
+    const raw = hd.getHolidays(Number(year));
+
+    const holidays = raw
+      .filter((h) => h.type === "public")
+      .map((h) => ({
+        name: h.name,
+        date: h.date.slice(0, 10),
+        is_subject_to_change: false,
+      }));
+
+    return NextResponse.json(
+      { holidays },
+      { headers: { "Cache-Control": "public, max-age=86400, stale-while-revalidate=3600" } }
+    );
+  } catch {
+    return NextResponse.json({ error: "Failed to compute holidays for the given country/state" }, { status: 400 });
+  }
+}

package/app/api/holidays/states/route.tsx

@@ -0,0 +1,21 @@
+import { NextRequest, NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET(req: NextRequest) {
+  const country = req.nextUrl.searchParams.get("country");
+  if (!country) {
+    return NextResponse.json({ error: "country param required" }, { status: 400 });
+  }
+  const hd = new Holidays();
+  const raw = hd.getStates(country) as Record<string, string> | undefined;
+  if (!raw) {
+    return NextResponse.json({ states: [] });
+  }
+  const states = Object.entries(raw)
+    .map(([code, name]) => ({ code, name }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+  return NextResponse.json(
+    { states },
+    { headers: { "Cache-Control": "public, max-age=86400" } }
+  );
+}

package/app/api/invites/[token]/route.tsx

@@ -0,0 +1,131 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { stripe } from "@/lib/stripe";
+
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ token: string }> }
+) {
+  const { token } = await params;
+
+  const invite = await prisma.inviteToken.findUnique({
+    where: { token },
+    include: { workspace: { select: { name: true } }, invitedBy: { select: { name: true } } },
+  });
+
+  if (!invite) return NextResponse.json({ error: "Invite not found" }, { status: 404 });
+  if (invite.acceptedAt) return NextResponse.json({ error: "Already accepted" }, { status: 410 });
+  if (invite.expiresAt < new Date()) return NextResponse.json({ error: "Invite expired" }, { status: 410 });
+
+  return NextResponse.json({
+    email: invite.email,
+    workspaceName: invite.workspace.name,
+    invitedBy: invite.invitedBy.name,
+    role: invite.role,
+  });
+}
+
+// POST = accept invite
+export async function POST(
+  _req: NextRequest,
+  { params }: { params: Promise<{ token: string }> }
+) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { token } = await params;
+
+  const invite = await prisma.inviteToken.findUnique({
+    where: { token },
+    include: { workspace: true },
+  });
+  if (!invite) return NextResponse.json({ error: "Invalid invite" }, { status: 404 });
+  if (invite.acceptedAt) return NextResponse.json({ error: "Already used" }, { status: 410 });
+  if (invite.expiresAt < new Date()) return NextResponse.json({ error: "Expired" }, { status: 410 });
+  if (invite.email !== session.user.email) {
+    return NextResponse.json({ error: "This invite was sent to a different email" }, { status: 403 });
+  }
+
+  const workspace = invite.workspace;
+
+  await prisma.$transaction(async (tx) => {
+    // Re-activate if previously revoked, otherwise create fresh
+    const existingMember = await tx.workspaceMember.findUnique({
+      where: { userId_workspaceId: { userId: session.user.id, workspaceId: workspace.id } },
+    });
+
+    if (existingMember) {
+      await tx.workspaceMember.update({
+        where: { id: existingMember.id },
+        data: { role: invite.role, revokedAt: null },
+      });
+    } else {
+      await tx.workspaceMember.create({
+        data: { userId: session.user.id, workspaceId: workspace.id, role: invite.role },
+      });
+    }
+
+    await tx.inviteToken.update({
+      where: { token },
+      data: { acceptedAt: new Date() },
+    });
+
+    await tx.notification.create({
+      data: {
+        userId: invite.invitedById,
+        type: "invite_accepted",
+        title: `${session.user.name ?? session.user.email} accepted your invite`,
+        body: `They've joined the workspace as ${invite.role.toLowerCase()}.`,
+      },
+    });
+  });
+
+  // Increment Stripe seat quantity if workspace has an active subscription
+  if (workspace.stripeSubId) {
+    try {
+      const sub = await stripe.subscriptions.retrieve(workspace.stripeSubId);
+      const item = sub.items.data[0];
+      if (item) {
+        const newQuantity = (item.quantity ?? 1) + 1;
+        await stripe.subscriptionItems.update(item.id, {
+          quantity: newQuantity,
+          proration_behavior: "create_prorations", // charge immediately for new seat
+        });
+        await prisma.workspace.update({
+          where: { id: workspace.id },
+          data: { seatCount: newQuantity },
+        });
+      }
+    } catch {
+      // Non-fatal: Stripe seat sync failure doesn't block the join.
+      // Seat count will reconcile on next webhook or manual billing check.
+    }
+  }
+
+  return NextResponse.json({ workspaceId: workspace.id });
+}
+
+// DELETE = revoke invite
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ token: string }> }
+) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { token } = await params;
+
+  const invite = await prisma.inviteToken.findUnique({ where: { token } });
+  if (!invite) return NextResponse.json({ error: "Not found" }, { status: 404 });
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, workspaceId: invite.workspaceId, revokedAt: null },
+  });
+  if (!member || member.role === "MEMBER") {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  await prisma.inviteToken.delete({ where: { token } });
+  return NextResponse.json({ ok: true });
+}

package/app/api/invites/route.tsx

@@ -0,0 +1,74 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const body = await req.json();
+  const { email, role = "MEMBER", workspaceId } = body;
+
+  if (!email) return NextResponse.json({ error: "Email required" }, { status: 400 });
+  if (!["MEMBER", "ADMIN"].includes(role)) {
+    return NextResponse.json({ error: "Invalid role" }, { status: 400 });
+  }
+
+  // Find the workspace the caller wants to invite into
+  const member = workspaceId
+    ? await prisma.workspaceMember.findFirst({
+        where: { userId: session.user.id, workspaceId, revokedAt: null },
+        include: { workspace: true },
+      })
+    : await prisma.workspaceMember.findFirst({
+        where: { userId: session.user.id, revokedAt: null },
+        include: { workspace: true },
+        orderBy: { joinedAt: "asc" },
+      });
+
+  if (!member) return NextResponse.json({ error: "No workspace found" }, { status: 404 });
+  if (member.role === "MEMBER") {
+    return NextResponse.json({ error: "Only owners and admins can invite" }, { status: 403 });
+  }
+
+  const { workspace } = member;
+
+  // Personal workspaces cannot have invites — owner must upgrade to Team Pro first
+  if (workspace.type === "PERSONAL") {
+    return NextResponse.json(
+      {
+        error: "upgrade_required",
+        message: "Inviting members requires a Team Pro workspace.",
+      },
+      { status: 402 }
+    );
+  }
+
+  // Check if already an active member
+  const existing = await prisma.user.findUnique({
+    where: { email },
+    include: {
+      workspaces: { where: { workspaceId: workspace.id, revokedAt: null } },
+    },
+  });
+  if (existing?.workspaces.length) {
+    return NextResponse.json({ error: "User is already a member" }, { status: 409 });
+  }
+
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+
+  const invite = await prisma.inviteToken.create({
+    data: {
+      email,
+      role,
+      workspaceId: workspace.id,
+      invitedById: session.user.id,
+      expiresAt,
+    },
+  });
+
+  const appUrl = process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";
+  const link = `${appUrl}/invite/${invite.token}`;
+
+  return NextResponse.json({ link, token: invite.token }, { status: 201 });
+}

package/app/api/mcp/generate-token/route.tsx

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { signMcpToken } from "@/lib/mcp-auth";
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const body = await req.json().catch(() => ({}));
+  const requestedWorkspaceId: string | undefined = body?.workspaceId;
+
+  let workspaceId: string;
+
+  if (requestedWorkspaceId) {
+    const member = await prisma.workspaceMember.findFirst({
+      where: { userId: session.user.id, workspaceId: requestedWorkspaceId, revokedAt: null },
+    });
+    if (!member) return NextResponse.json({ error: "Not a member of that workspace" }, { status: 403 });
+    workspaceId = requestedWorkspaceId;
+  } else {
+    const member = await prisma.workspaceMember.findFirst({
+      where: { userId: session.user.id, revokedAt: null },
+    });
+    if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+    workspaceId = member.workspaceId;
+  }
+
+  // Revoke any existing active tokens for this user+workspace
+  await prisma.mcpToken.updateMany({
+    where: { userId: session.user.id, workspaceId, revokedAt: null },
+    data: { revokedAt: new Date() },
+  });
+
+  const record = await prisma.mcpToken.create({
+    data: {
+      token: "pending",
+      userId: session.user.id,
+      workspaceId,
+    },
+  });
+
+  const jwt = await signMcpToken({
+    userId: session.user.id,
+    workspaceId,
+    tokenId: record.id,
+  });
+
+  await prisma.mcpToken.update({
+    where: { id: record.id },
+    data: { token: jwt },
+  });
+
+  return NextResponse.json({ id: record.id, token: jwt, alias: null }, { status: 201 });
+}