@lastbrain/module-auth 2.0.27 → 2.0.31

package/src/api/admin/storage/usage.ts

@@ -0,0 +1,141 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { getStorageUsage, StorageUsageData } from "@lastbrain/core";
+
+// Cache simple pour éviter de recalculer trop souvent
+const storageCache = new Map<
+  string,
+  { data: StorageUsageData; timestamp: number }
+>();
+const CACHE_TTL = 30 * 1000; // 30 secondes
+
+// Nettoyer les entrées expirées du cache
+function cleanExpiredCache() {
+  const now = Date.now();
+  for (const [key, value] of storageCache.entries()) {
+    if (now - value.timestamp > CACHE_TTL) {
+      storageCache.delete(key);
+    }
+  }
+}
+
+/**
+ * GET /api/admin/storage/usage
+ * Admin route: superadmin can query any user's storage usage
+ * Query params:
+ * - ownerId: required, user ID to check
+ * - forceRefresh: optional, bypass cache
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const supabase = await getSupabaseServerClient();
+
+    // Vérifier l'authentification
+    const {
+      data: { user },
+      error: authError,
+    } = await supabase.auth.getUser();
+
+    if (authError || !user) {
+      return NextResponse.json(
+        { success: false, error: "Non authentifié" },
+        { status: 401 }
+      );
+    }
+
+    // Vérifier si l'utilisateur est superadmin
+    const { data: isSuperAdmin, error: adminCheckError } = await supabase.rpc(
+      "is_superadmin",
+      { user_id: user.id }
+    );
+
+    if (adminCheckError || !isSuperAdmin) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: "Accès non autorisé - réservé aux superadmins",
+        },
+        { status: 403 }
+      );
+    }
+
+    // Récupérer l'ownerId depuis les paramètres (requis pour la route admin)
+    const { searchParams } = new URL(request.url);
+    const ownerId = searchParams.get("ownerId");
+    const forceRefresh = searchParams.get("forceRefresh") === "true";
+
+    if (!ownerId) {
+      return NextResponse.json(
+        { success: false, error: "ownerId est requis" },
+        { status: 400 }
+      );
+    }
+
+    // Nettoyer le cache avant utilisation
+    cleanExpiredCache();
+
+    // Vérifier si on a des données en cache (sauf si forceRefresh)
+    const cacheKey = `storage-${ownerId}`;
+    let shouldUseCache = false;
+
+    if (!forceRefresh) {
+      const cachedEntry = storageCache.get(cacheKey);
+      const now = Date.now();
+
+      if (cachedEntry && now - cachedEntry.timestamp < CACHE_TTL) {
+        // Vérifier d'abord si l'allocation de stockage a changé
+        const { data: userProfile } = await supabase
+          .from("user_profil")
+          .select("stockage")
+          .eq("owner_id", ownerId)
+          .single();
+
+        if (
+          userProfile &&
+          userProfile.stockage === cachedEntry.data.allocatedGb
+        ) {
+          shouldUseCache = true;
+        }
+      }
+    }
+
+    // Utiliser le cache si valide
+    if (shouldUseCache) {
+      const cached = storageCache.get(cacheKey);
+      if (cached) {
+        return NextResponse.json({
+          success: true,
+          data: cached.data,
+          fromCache: true,
+        });
+      }
+    }
+
+    // Calculer les données de stockage
+    const storageData = await getStorageUsage(supabase, ownerId);
+
+    // Mettre en cache
+    storageCache.set(cacheKey, {
+      data: storageData,
+      timestamp: Date.now(),
+    });
+
+    return NextResponse.json({
+      success: true,
+      data: storageData,
+      fromCache: false,
+    });
+  } catch (error) {
+    console.error("[Admin Storage Usage] Error:", error);
+    return NextResponse.json(
+      {
+        success: false,
+        error:
+          error instanceof Error
+            ? error.message
+            : "Erreur lors du calcul du stockage",
+      },
+      { status: 500 }
+    );
+  }
+}

package/src/api/admin/users/[id]/notifications.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { logger } from "@lastbrain/core";
 
 /**
  * POST /api/admin/users/[id]/notifications
@@ -44,7 +45,7 @@ export async function POST(
       .single();
 
     if (error) {
-      console.error("Error creating notification:", error);
+      logger.error("Error creating notification:", error);
       return NextResponse.json(
         { error: "Database Error", message: error.message },
         { status: 500 }
@@ -56,7 +57,7 @@ export async function POST(
       notification: data,
     });
   } catch (error) {
-    console.error("Error in send notification endpoint:", error);
+    logger.error("Error in send notification endpoint:", error);
     return NextResponse.json(
       {
         error: "Internal Server Error",

package/src/api/admin/users/[id].ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { logger } from "@lastbrain/core";
 
 /**
  * GET /api/admin/users/[id]
@@ -27,7 +28,7 @@ export async function GET(
     );
 
     if (userError) {
-      console.error("Error fetching user details:", userError);
+      logger.error("Error fetching user details:", userError);
       return NextResponse.json(
         { error: "Database Error", message: userError.message },
         { status: 500 }
@@ -40,7 +41,7 @@ export async function GET(
 
     return NextResponse.json(userDetails);
   } catch (error) {
-    console.error("Error in admin user details endpoint:", error);
+    logger.error("Error in admin user details endpoint:", error);
     return NextResponse.json(
       {
         error: "Internal Server Error",

package/src/api/admin/users/reactivate/[id].ts

@@ -0,0 +1,88 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServiceClient } from "@lastbrain/core/server";
+import { logger } from "@lastbrain/core";
+
+/**
+ * POST /api/admin/users/reactivate/[id]
+ * Attempt to reactivate a user by clearing the suspended flag in app metadata (service role required)
+ */
+export async function POST(
+  request: NextRequest,
+  context: { params: Promise<{ id: string }> }
+) {
+  try {
+    const supabase = await getSupabaseServiceClient();
+    const { id: userId } = await context.params;
+
+    if (!userId) {
+      return NextResponse.json(
+        { error: "User ID is required" },
+        { status: 400 }
+      );
+    }
+
+    // Try using the Admin auth API if available
+    try {
+      // @ts-expect-error - supabase-js may expose auth.admin.updateUserById
+      if (supabase.auth?.admin?.updateUserById) {
+        // set app_metadata.suspended = false
+        const { data, error } = await (
+          supabase.auth as any
+        ).admin.updateUserById(userId, {
+          app_metadata: { suspended: false },
+        });
+
+        if (error) {
+          logger.error(
+            "Error reactivating user (admin.updateUserById):",
+            error
+          );
+          return NextResponse.json(
+            { error: "Database Error", message: error.message },
+            { status: 500 }
+          );
+        }
+
+        return NextResponse.json({ success: true, user: data });
+      }
+    } catch (err) {
+      logger.debug("auth.admin.updateUserById not available or failed:", err);
+    }
+
+    // Fallback: try to update auth.users via SQL (may require service role privileges)
+    try {
+      const update = {
+        raw_app_meta_data: { suspended: false },
+      };
+
+      const { data, error } = await supabase
+        .from("users")
+        .update(update)
+        .eq("id", userId)
+        .select()
+        .single();
+
+      if (error) {
+        logger.error("Fallback reactivate user failed:", error);
+        return NextResponse.json(
+          { error: "Database Error", message: error.message },
+          { status: 500 }
+        );
+      }
+
+      return NextResponse.json({ success: true, user: data });
+    } catch (err) {
+      logger.error("Final reactivate fallback error:", err);
+      return NextResponse.json(
+        { error: "Internal Server Error", message: String(err) },
+        { status: 500 }
+      );
+    }
+  } catch (error) {
+    logger.error("Error in reactivate user endpoint:", error);
+    return NextResponse.json(
+      { error: "Internal Server Error", message: "Failed to reactivate user" },
+      { status: 500 }
+    );
+  }
+}

package/src/api/admin/users/suspend/[id].ts

@@ -0,0 +1,85 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServiceClient } from "@lastbrain/core/server";
+import { logger } from "@lastbrain/core";
+
+/**
+ * POST /api/admin/users/suspend/[id]
+ * Attempt to suspend a user by setting a suspended flag in app metadata (service role required)
+ */
+export async function POST(
+  request: NextRequest,
+  context: { params: Promise<{ id: string }> }
+) {
+  try {
+    const supabase = await getSupabaseServiceClient();
+    const { id: userId } = await context.params;
+
+    if (!userId) {
+      return NextResponse.json(
+        { error: "User ID is required" },
+        { status: 400 }
+      );
+    }
+
+    // Try using the Admin auth API if available
+    try {
+      // @ts-expect-error - supabase-js may expose auth.admin.updateUserById
+      if (supabase.auth?.admin?.updateUserById) {
+        // set app_metadata.suspended = true
+        const { data, error } = await (
+          supabase.auth as any
+        ).admin.updateUserById(userId, {
+          app_metadata: { suspended: true },
+        });
+
+        if (error) {
+          logger.error("Error suspending user (admin.updateUserById):", error);
+          return NextResponse.json(
+            { error: "Database Error", message: error.message },
+            { status: 500 }
+          );
+        }
+
+        return NextResponse.json({ success: true, user: data });
+      }
+    } catch (err) {
+      logger.debug("auth.admin.updateUserById not available or failed:", err);
+    }
+
+    // Fallback: try to update auth.users via SQL (may require service role privileges)
+    try {
+      const update = {
+        raw_app_meta_data: { suspended: true },
+      };
+
+      const { data, error } = await supabase
+        .from("users")
+        .update(update)
+        .eq("id", userId)
+        .select()
+        .single();
+
+      if (error) {
+        logger.error("Fallback suspend user failed:", error);
+        return NextResponse.json(
+          { error: "Database Error", message: error.message },
+          { status: 500 }
+        );
+      }
+
+      return NextResponse.json({ success: true, user: data });
+    } catch (err) {
+      logger.error("Final suspend fallback error:", err);
+      return NextResponse.json(
+        { error: "Internal Server Error", message: String(err) },
+        { status: 500 }
+      );
+    }
+  } catch (error) {
+    logger.error("Error in suspend user endpoint:", error);
+    return NextResponse.json(
+      { error: "Internal Server Error", message: "Failed to suspend user" },
+      { status: 500 }
+    );
+  }
+}

package/src/api/admin/users-by-source.ts

@@ -1,3 +1,4 @@
+import { logger } from "@lastbrain/core";
 import { getSupabaseServiceClient } from "@lastbrain/core/server";
 import { NextRequest, NextResponse } from "next/server";
 
@@ -78,7 +79,7 @@ export async function GET(request: NextRequest) {
       { status: 200 }
     );
   } catch (error) {
-    console.error("Error fetching users by signup source:", error);
+    logger.error("Error fetching users by signup source:", error);
     return NextResponse.json(
       { error: "Erreur interne du serveur" },
       { status: 500 }

package/src/api/admin/users.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { logger } from "@lastbrain/core";
 
 /**
  * GET /api/admin/users
@@ -29,7 +30,7 @@ export async function GET(request: NextRequest) {
     );
 
     if (usersError) {
-      console.error("Error fetching users:", usersError);
+      logger.error("Error fetching users:", usersError);
       return NextResponse.json(
         { error: "Database Error", message: usersError.message },
         { status: 500 }
@@ -37,6 +38,62 @@ export async function GET(request: NextRequest) {
     }
 
     // The RPC function returns the complete response with data and pagination
+    // Ensure each user has a normalized `app_metadata` field derived from
+    // `raw_app_meta_data` (RPCs may differ in the exact shape returned).
+    if (result && Array.isArray((result as any).data)) {
+      try {
+        const mapped = (result as any).data.map((u: any) => {
+          const out = { ...u };
+
+          // Try multiple possible locations for app metadata returned by different RPCs
+          const rawCandidate =
+            out.raw_app_meta_data ??
+            out.metadata ??
+            out.raw_user_meta_data ??
+            out.app_metadata ??
+            null;
+
+          // rawCandidate can be an object or a JSON string
+          let parsedRaw: any = rawCandidate;
+          if (typeof rawCandidate === "string") {
+            try {
+              parsedRaw = JSON.parse(rawCandidate);
+            } catch (e) {
+              parsedRaw = rawCandidate;
+            }
+          }
+
+          // If parsedRaw contains an `app_metadata` object, prefer it.
+          // Otherwise, if parsedRaw itself looks like metadata (contains suspended or provider keys), use it.
+          let derived: any = null;
+          if (parsedRaw && typeof parsedRaw === "object") {
+            if (
+              parsedRaw.app_metadata &&
+              typeof parsedRaw.app_metadata === "object"
+            ) {
+              derived = parsedRaw.app_metadata;
+            } else {
+              // parsedRaw may already be the app metadata
+              derived = parsedRaw;
+            }
+          }
+
+          // Ensure out.app_metadata is an object when possible
+          if (derived && typeof derived === "object") {
+            out.app_metadata = { ...(out.app_metadata || {}), ...derived };
+          } else if (out.app_metadata == null) {
+            out.app_metadata = null;
+          }
+
+          return out;
+        });
+
+        (result as any).data = mapped;
+      } catch (e) {
+        logger.debug("Failed to normalize app_metadata for users list:", e);
+      }
+    }
+
     return NextResponse.json(
       result || {
         data: [],
@@ -44,7 +101,7 @@ export async function GET(request: NextRequest) {
       }
     );
   } catch (error) {
-    console.error("Error in admin users endpoint:", error);
+    logger.error("Error in admin users endpoint:", error);
     return NextResponse.json(
       {
         error: "Internal Server Error",

package/src/api/auth/account/email-change.ts

@@ -0,0 +1,54 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { sendEmailChangeConfirmation } from "../../../lib/auth-email-service";
+import { logger } from "@lastbrain/core";
+
+function extractLocale(request: NextRequest): string | undefined {
+  const lang = request.headers
+    .get("accept-language")
+    ?.split(",")?.[0]
+    ?.split("-")?.[0];
+  return lang === "fr" || lang === "en" ? lang : undefined;
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const locale = extractLocale(request);
+    const supabase = await getSupabaseServerClient();
+    const {
+      data: { user },
+      error: authError,
+    } = await supabase.auth.getUser();
+
+    if (authError || !user) {
+      return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+    }
+
+    const body = await request.json();
+    const newEmail = body?.newEmail as string;
+
+    if (!newEmail) {
+      return NextResponse.json(
+        { error: "Nouvel email requis" },
+        { status: 400 }
+      );
+    }
+
+    await sendEmailChangeConfirmation({
+      email: user.email || "",
+      newEmail,
+      displayName: (user.user_metadata as any)?.full_name,
+      locale,
+      ownerId: user.id,
+      redirectTo: `${request.nextUrl.origin}/api/public/callback?next=/confirm`,
+    });
+
+    return NextResponse.json({ message: "Lien de confirmation envoyé" });
+  } catch (error) {
+    logger.error("email-change error:", error);
+    return NextResponse.json(
+      { error: "Impossible d'envoyer le lien de confirmation" },
+      { status: 500 }
+    );
+  }
+}

package/src/api/auth/account/reset-password.ts

@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServerClient } from "@lastbrain/core/server";
+import { sendPasswordResetEmail } from "../../../lib/auth-email-service";
+import { logger } from "@lastbrain/core";
+import { resolveSiteUrl } from "../../../lib/site-url";
+
+function extractLocale(request: NextRequest): string | undefined {
+  const lang = request.headers
+    .get("accept-language")
+    ?.split(",")?.[0]
+    ?.split("-")?.[0];
+  return lang === "fr" || lang === "en" ? lang : undefined;
+}
+
+const DEFAULT_LOCALE = "fr";
+
+export async function POST(request: NextRequest) {
+  try {
+    const locale = extractLocale(request);
+    const supabase = await getSupabaseServerClient();
+    const {
+      data: { user },
+      error,
+    } = await supabase.auth.getUser();
+
+    if (error || !user) {
+      return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+    }
+
+    const resolvedLocale = locale || DEFAULT_LOCALE;
+    await sendPasswordResetEmail({
+      email: user.email || "",
+      displayName: (user.user_metadata as any)?.full_name,
+      ownerId: user.id,
+      redirectTo: `${resolveSiteUrl(request)}/${resolvedLocale}/reset-password`,
+      locale,
+    });
+
+    return NextResponse.json({ message: "Lien de réinitialisation envoyé" });
+  } catch (err) {
+    logger.error("account reset-password error:", err);
+    return NextResponse.json(
+      { error: "Impossible d'envoyer le lien de réinitialisation" },
+      { status: 500 }
+    );
+  }
+}

package/src/api/auth/check-username.ts

@@ -0,0 +1,52 @@
+/**
+ * Check username availability
+ * GET /api/auth/check-username?username=xxx&owner_id=xxx
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { getSupabaseServiceClient } from "@lastbrain/core/server";
+
+export async function GET(req: NextRequest) {
+  try {
+    const { searchParams } = new URL(req.url);
+    const username = searchParams.get("username");
+    const owner_id = searchParams.get("owner_id");
+
+    if (!username) {
+      return NextResponse.json(
+        { available: false, error: "Username required" },
+        { status: 400 }
+      );
+    }
+
+    const supabase = getSupabaseServiceClient();
+
+    // Check if username exists (case-insensitive), excluding current user
+    let query = supabase
+      .from("user_profil")
+      .select("username")
+      .ilike("username", username)
+      .limit(1);
+
+    if (owner_id) {
+      query = query.neq("owner_id", owner_id);
+    }
+
+    const { data, error } = await query;
+
+    if (error) {
+      return NextResponse.json(
+        { available: false, error: error.message },
+        { status: 500 }
+      );
+    }
+
+    return NextResponse.json({ available: !data || data.length === 0 });
+  } catch (error) {
+    console.error("[check-username] Error:", error);
+    return NextResponse.json(
+      { available: false, error: "Internal server error" },
+      { status: 500 }
+    );
+  }
+}

package/src/api/auth/establish-session.ts

@@ -0,0 +1,32 @@
+/**
+ * Establish server-side session with cookies
+ * Called after client-side setSession() to ensure HTTP-only cookies are set
+ */
+import { logger } from "@lastbrain/core";
+import { getSupabaseServerClient } from "@lastbrain/core/server";
+
+export async function POST(request: Request) {
+  try {
+    const supabase = await getSupabaseServerClient();
+
+    // Verify session exists on server
+    const {
+      data: { user },
+      error: userError,
+    } = await supabase.auth.getUser();
+
+    if (userError || !user) {
+      logger.error("❌ No user session on server:", userError);
+      return Response.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    // Cookies are automatically set by Supabase middleware
+    return Response.json({ success: true, user: user.id });
+  } catch (error) {
+    logger.debug("💥 Error establishing session:", error);
+    return Response.json(
+      { error: "Failed to establish session" },
+      { status: 500 }
+    );
+  }
+}