nextworks 0.0.1 → 0.1.0-alpha.0

package/dist/kits/data/app/api/posts/[id]/route.ts

@@ -0,0 +1,83 @@
+import { prisma } from "@/lib/prisma";
+import { z } from "zod";
+import { postSchema } from "@/lib/validation/forms";
+import { jsonOk, jsonFail, jsonFromZod } from "@/lib/server/result";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+
+// Ensure Prisma runs in Node.js (not Edge)
+export const runtime = "nodejs";
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+export async function PUT(req: Request, { params }: RouteContext) {
+  try {
+    const { id } = await params;
+
+    // Require authenticated session
+    const session = await getServerSession(authOptions);
+    if (!session?.user) {
+      return jsonFail("Unauthorized", { status: 401 });
+    }
+
+    // Only admins or the post author may update
+    const post = await prisma.post.findUnique({ where: { id } });
+    if (!post) return jsonFail("Not found", { status: 404 });
+
+    const isAdmin = (session.user as { role?: string }).role === "admin";
+    const isAuthor = (session.user as { id?: string }).id === post.authorId;
+    if (!isAdmin && !isAuthor) {
+      return jsonFail("Forbidden", { status: 403 });
+    }
+
+    // Validate only the fields we allow to update. Make them optional so partial updates (e.g. { published: true }) work.
+    const updateSchema = postSchema
+      .pick({ title: true, content: true, published: true })
+      .partial();
+    const body = await req.json();
+    const data = updateSchema.parse(body);
+
+    // Build Prisma update object only with provided fields to avoid overwriting with undefined
+    const updateData: any = {};
+    if (data.title !== undefined) updateData.title = data.title;
+    if (data.content !== undefined) updateData.content = data.content ?? null;
+    if (data.published !== undefined) updateData.published = data.published;
+
+    const updated = await prisma.post.update({
+      where: { id },
+      data: updateData,
+    });
+    return jsonOk(updated, { status: 200, message: "Post updated" });
+  } catch (error: unknown) {
+    if (error instanceof z.ZodError) {
+      return jsonFromZod(error, { status: 400, message: "Validation failed" });
+    }
+    return jsonFail("Failed to update post", { status: 500 });
+  }
+}
+
+export async function DELETE(_req: Request, { params }: RouteContext) {
+  try {
+    const { id } = await params; // await params
+
+    const session = await getServerSession(authOptions);
+    if (!session?.user) {
+      return jsonFail("Unauthorized", { status: 401 });
+    }
+
+    const post = await prisma.post.findUnique({ where: { id } });
+    if (!post) return jsonFail("Not found", { status: 404 });
+
+    const isAdmin = (session.user as { role?: string }).role === "admin";
+    const isAuthor = (session.user as { id?: string }).id === post.authorId;
+    if (!isAdmin && !isAuthor) {
+      return jsonFail("Forbidden", { status: 403 });
+    }
+
+    await prisma.post.delete({ where: { id } }); // If Int: id: Number(id)
+    return jsonOk({ ok: true }, { status: 200, message: "Post deleted" });
+  } catch (e) {
+    console.error("DELETE /api/posts/[id] error:", e);
+    return jsonFail("Failed to delete post", { status: 500 });
+  }
+}

package/dist/kits/data/app/api/posts/route.ts

@@ -0,0 +1,138 @@
+import { NextResponse } from "next/server";
+import { ZodError, z } from "zod";
+import { prisma } from "@/lib/prisma";
+import { postSchema } from "@/lib/validation/forms";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+import { jsonOk, jsonFail, jsonFromZod } from "@/lib/server/result";
+
+// Ensure Prisma runs in Node.js (not Edge)
+export const runtime = "nodejs";
+
+export async function GET(req: Request) {
+  try {
+    const url = new URL(req.url);
+    const page = Math.max(1, Number(url.searchParams.get("page") ?? "1"));
+    const perPage = Math.min(
+      200,
+      Math.max(1, Number(url.searchParams.get("perPage") ?? "8")),
+    );
+    const q = url.searchParams.get("q") ?? undefined;
+    const sort = url.searchParams.get("sort") ?? "createdAt_desc";
+    const sortField = url.searchParams.get("sortField") ?? "createdAt";
+    const sortDir =
+      (url.searchParams.get("sortDir") as "asc" | "desc") ?? "desc";
+
+    const skip = (page - 1) * perPage;
+
+    const where: any = {};
+    if (q) {
+      where.title = { contains: q, mode: "insensitive" };
+    }
+
+    // Filter by published state if requested: published=published|draft
+    const publishedParam = url.searchParams.get("published");
+    if (publishedParam === "published") {
+      where.published = true;
+    } else if (publishedParam === "draft") {
+      where.published = false;
+    }
+
+    const orderBy: any = {};
+    // Allow server to order by title or createdAt for now. Defaults to createdAt
+    if (sortField === "title") {
+      orderBy.title = sortDir === "asc" ? "asc" : "desc";
+    } else {
+      orderBy.createdAt = sortDir === "asc" ? "asc" : "desc";
+    }
+
+    const [total, items] = await Promise.all([
+      prisma.post.count({ where }),
+      prisma.post.findMany({
+        where,
+        orderBy,
+        skip,
+        take: perPage,
+        include: { author: { select: { name: true, email: true } } },
+      }),
+    ]);
+
+    return jsonOk({ items, total, page, perPage });
+  } catch (error: unknown) {
+    console.error("GET /api/posts error:", error);
+    return jsonFail("Failed to fetch posts", { status: 500 });
+  }
+}
+
+/**
+ * Create a new post.
+ * DX: authorId is optional. If omitted, we default to the currently signed-in user.
+ * - If authorId is provided in the payload, it is used as-is.
+ * - Otherwise we read the NextAuth session and use session.user.id.
+ * - If neither is available (no session and no authorId), we return 400 to preserve data integrity.
+ */
+export async function POST(req: Request) {
+  try {
+    // Allow authenticated users to create posts. Admins may create on behalf of others.
+    const session = await getServerSession(authOptions);
+    if (!session?.user) {
+      return jsonFail("Not authenticated", { status: 401 });
+    }
+
+    // 1) Parse and validate the request body. Server-side we allow authorId to be blank/omitted
+    //    because we can infer it from the authenticated session.
+    const body = await req.json();
+    const serverPostSchema = postSchema.extend({
+      // Make authorId optional for this API (UI may still require it via postSchema)
+      authorId: postSchema.shape.authorId.optional().or(z.literal("")),
+    });
+    const data = serverPostSchema.parse(body);
+
+    // 2) Resolve the authorId: prefer explicit authorId (only if admin or same as session user), else default to current session user
+    const providedAuthorId =
+      data.authorId && data.authorId.length > 0 ? data.authorId : undefined;
+
+    const sessionUserId = (session.user as { id?: string } | undefined)?.id;
+    const sessionIsAdmin =
+      (session.user as { role?: string } | undefined)?.role === "admin";
+
+    if (providedAuthorId) {
+      // If a non-admin tries to set someone else as the author, reject for safety.
+      if (!sessionIsAdmin && providedAuthorId !== sessionUserId) {
+        return jsonFail("Forbidden: cannot set authorId to another user", {
+          status: 403,
+        });
+      }
+    }
+
+    const resolvedAuthorId = providedAuthorId ?? sessionUserId;
+
+    if (!resolvedAuthorId) {
+      return jsonFail(
+        "authorId is required. Provide an authorId or sign in so we can default to your user id.",
+        {
+          status: 400,
+          errors: {
+            authorId: "Author ID is required or sign in to use your user ID",
+          },
+          code: "MISSING_AUTHOR",
+        },
+      );
+    }
+
+    const created = await prisma.post.create({
+      data: {
+        title: data.title,
+        content: data.content || null,
+        authorId: resolvedAuthorId,
+        published: data.published ?? false,
+      },
+    });
+    return jsonOk(created, { status: 201, message: "Post created" });
+  } catch (error: unknown) {
+    if (error instanceof ZodError) {
+      return jsonFromZod(error, { status: 400, message: "Validation failed" });
+    }
+    return jsonFail("Failed to create post", { status: 500 });
+  }
+}

package/dist/kits/data/app/api/seed-demo/route.ts

@@ -0,0 +1,45 @@
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+
+export const runtime = "nodejs";
+
+export async function POST(req: NextRequest) {
+  try {
+    const session = await getServerSession(authOptions);
+    if (!session?.user?.id) {
+      return jsonFail("Not authenticated", { status: 401 });
+    }
+
+    const userId = session.user.id;
+
+    // Create 3 sample posts for the current user
+    const posts = await prisma.post.createMany({
+      data: [
+        {
+          title: "Welcome to Nextworks",
+          content: "This is a seeded post.",
+          authorId: userId,
+        },
+        {
+          title: "Seeded Demo Post",
+          content: "Another seeded post for demo purposes.",
+          authorId: userId,
+        },
+        {
+          title: "Try editing me",
+          content: "Edit/delete this post to test the CRUD flows.",
+          authorId: userId,
+        },
+      ],
+      skipDuplicates: true,
+    });
+
+    return jsonOk({ created: posts }, { message: "Demo data seeded" });
+  } catch (e) {
+    console.error(e);
+    return jsonFail("Failed to seed demo data");
+  }
+}

package/dist/kits/data/app/api/users/[id]/route.ts

@@ -0,0 +1,127 @@
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import type { Prisma } from "@prisma/client";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+
+// Ensure Prisma runs in Node.js (not Edge)
+export const runtime = "nodejs";
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+// Type guards/helpers (kept minimal here)
+const hasErrorCode = (e: unknown, code: string): boolean =>
+  typeof e === "object" &&
+  e !== null &&
+  "code" in e &&
+  typeof (e as { code?: unknown }).code === "string" &&
+  (e as { code: string }).code === code;
+
+export async function GET(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { id } = await params; // async params in Next.js 15
+
+    const user = await prisma.user.findUnique({
+      where: { id },
+      select: { id: true, name: true, email: true, role: true },
+    });
+
+    if (!user) {
+      return jsonFail("Not found", { status: 404 });
+    }
+
+    return jsonOk(user);
+  } catch (e) {
+    console.error("GET /api/users/[id] error:", e);
+    return jsonFail("Failed to fetch user", { status: 500 });
+  }
+}
+
+export async function PUT(req: NextRequest, { params }: RouteContext) {
+  try {
+    // Only admins may update other users. Allow self-update as well.
+    const session = await getServerSession(authOptions);
+    if (!session?.user) return jsonFail("Unauthorized", { status: 401 });
+
+    const { id } = await params;
+    const isAdmin = (session.user as { role?: string }).role === "admin";
+    const isSelf = (session.user as { id?: string }).id === id;
+    if (!isAdmin && !isSelf) return jsonFail("Forbidden", { status: 403 });
+
+    const body: unknown = await req.json();
+    if (typeof body !== "object" || body === null) {
+      return jsonFail("Body must be a JSON object", { status: 400 });
+    }
+
+    // Validate with Zod (imported lazily to keep this route light)
+    const { userUpdateSchema } = await import("@/lib/validation/forms");
+    try {
+      const parsed = userUpdateSchema.parse(body);
+
+      // Build Prisma-compatible update object
+      const data: Prisma.UserUpdateInput = {};
+      if (parsed.name !== undefined)
+        data.name = parsed.name === "" ? null : parsed.name;
+      if (parsed.email !== undefined) data.email = parsed.email;
+      if (parsed.image !== undefined)
+        data.image = parsed.image === "" ? null : parsed.image;
+      if (parsed.password !== undefined) {
+        // Hash password before saving
+        const { hashPassword } = await import("@/lib/hash");
+        data.password = await hashPassword(parsed.password as string);
+      }
+      if (parsed.emailVerified !== undefined)
+        data.emailVerified = parsed.emailVerified as any;
+
+      const updated = await prisma.user.update({
+        where: { id },
+        data,
+      });
+
+      return jsonOk(updated, { status: 200, message: "User updated" });
+    } catch (err) {
+      // Zod errors
+      if (err && typeof err === "object" && "issues" in (err as any)) {
+        const { jsonFromZod } = await import("@/lib/server/result");
+        return jsonFromZod(err as any, {
+          status: 400,
+          message: "Validation failed",
+        });
+      }
+      throw err;
+    }
+  } catch (e) {
+    console.error("PUT /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to update user", { status: 500 });
+  }
+}
+
+export async function DELETE(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { requireAdminApi } = await import("@/lib/auth-helpers");
+    const session = await requireAdminApi();
+    if (!session) return jsonFail("Forbidden", { status: 403 });
+
+    const { id } = await params;
+
+    // Clean up dependent records first to avoid FK violations
+    await prisma.$transaction([
+      prisma.account.deleteMany({ where: { userId: id } }),
+      prisma.session.deleteMany({ where: { userId: id } }),
+      prisma.post.deleteMany({ where: { authorId: id } }),
+      prisma.user.delete({ where: { id } }),
+    ]);
+
+    return jsonOk({ ok: true }, { status: 200, message: "User deleted" });
+  } catch (e) {
+    console.error("DELETE /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to delete user", { status: 500 });
+  }
+}

package/dist/kits/data/app/api/users/check-email/route.ts

@@ -0,0 +1,18 @@
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+
+export const runtime = "nodejs";
+
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json().catch(() => null);
+    const email = body?.email;
+    if (!email) return jsonFail("Missing email", { status: 400 });
+
+    const user = await prisma.user.findUnique({ where: { email } });
+    return jsonOk({ exists: !!user });
+  } catch (e) {
+    return jsonFail("Failed to check email", { status: 500 });
+  }
+}

package/dist/kits/data/app/api/users/check-unique/route.ts

@@ -0,0 +1,27 @@
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+
+export const runtime = "nodejs";
+
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json().catch(() => null);
+    const field = body?.field;
+    const value = body?.value;
+    if (!field || !value) return jsonFail("Missing field or value", { status: 400 });
+
+    // Only allow specific fields for security
+    if (!["email", "username"].includes(field)) {
+      return jsonFail("Unsupported field", { status: 400 });
+    }
+
+    let where: any = {};
+    where[field] = value;
+
+    const user = await prisma.user.findUnique({ where });
+    return jsonOk({ unique: !user });
+  } catch (e) {
+    return jsonFail("Failed to check uniqueness", { status: 500 });
+  }
+}

package/dist/kits/data/app/api/users/route.ts

@@ -0,0 +1,79 @@
+import { ZodError } from "zod";
+import { prisma } from "@/lib/prisma";
+import { userSchema } from "@/lib/validation/forms";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+import {
+  jsonOk,
+  jsonFail,
+  jsonFromZod,
+  jsonFromPrisma,
+} from "@/lib/server/result";
+
+export const runtime = "nodejs";
+
+export async function GET(req: Request) {
+  // Restrict listing users to admins only to avoid leaking emails/passwords.
+  const { requireAdminApi } = await import("@/lib/auth-helpers");
+  const session = await requireAdminApi();
+  if (!session) {
+    return jsonFail("Forbidden", { status: 403 });
+  }
+
+  // Simple server-side paging: ?page=1&perPage=20
+  const url = new URL(req.url);
+  const page = Math.max(1, Number(url.searchParams.get("page") ?? "1"));
+  const perPage = Math.min(
+    200,
+    Math.max(1, Number(url.searchParams.get("perPage") ?? "20")),
+  );
+
+  const skip = (page - 1) * perPage;
+
+  // Return only safe public fields for users (no password, tokens, etc.)
+  const [total, items] = await Promise.all([
+    prisma.user.count(),
+    prisma.user.findMany({
+      orderBy: { createdAt: "desc" },
+      skip,
+      take: perPage,
+      select: {
+        id: true,
+        email: true,
+        name: true,
+        image: true,
+        role: true,
+        createdAt: true,
+        emailVerified: true,
+      },
+    }),
+  ]);
+
+  return jsonOk({ items, total, page, perPage });
+}
+
+export async function POST(req: Request) {
+  try {
+    // Only admins may create users via admin API
+    const { requireAdminApi } = await import("@/lib/auth-helpers");
+    const session = await requireAdminApi();
+    if (!session) {
+      return jsonFail("Forbidden", { status: 403 });
+    }
+
+    const body = await req.json();
+    const data = userSchema.parse(body);
+    const created = await prisma.user.create({
+      data: { email: data.email, name: data.name || null },
+    });
+    return jsonOk(created, { status: 201, message: "User created" });
+  } catch (error: unknown) {
+    if (error instanceof ZodError) {
+      return jsonFromZod(error, { status: 400, message: "Validation failed" });
+    }
+    if ((error as unknown as { code?: string })?.code === "P2002") {
+      return jsonFromPrisma(error);
+    }
+    return jsonFail("Failed to create user", { status: 500 });
+  }
+}

package/dist/kits/data/app/examples/demo/README.md

@@ -0,0 +1,4 @@
+Demo pages for the Data kit.
+
+- create-post-form.tsx and page.tsx are lightweight examples showing how to POST to /api/posts.
+- Use the seed endpoint or scripts to populate demo data.

package/dist/kits/data/app/examples/demo/create-post-form.tsx

@@ -0,0 +1,106 @@
+"use client";
+
+import React from "react";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { postSchema } from "@/lib/validation/forms";
+import { z } from "zod";
+import { useRouter } from "next/navigation";
+import { Form } from "@/components/ui/form/form";
+import { FormField } from "@/components/ui/form/form-field";
+import { FormItem } from "@/components/ui/form/form-item";
+import { FormLabel } from "@/components/ui/form/form-label";
+import { FormControl } from "@/components/ui/form/form-control";
+import { FormMessage } from "@/components/ui/form/form-message";
+import { Input } from "@/components/ui/input";
+import { Textarea } from "@/components/ui/textarea";
+import { Button } from "@/components/ui/button";
+import { mapApiErrorsToForm } from "@/lib/forms/map-errors";
+import { toast } from "sonner";
+
+import { useSession } from "next-auth/react";
+
+export default function CreatePostForm() {
+  // Relax the schema for this demo form: authorId is optional here
+  const postFormSchema = postSchema.extend({
+    authorId: postSchema.shape.authorId.optional().or(z.literal("")),
+  });
+
+  const methods = useForm({
+    resolver: zodResolver(postFormSchema),
+    defaultValues: { title: "", content: "" },
+  });
+  const { control, handleSubmit, reset } = methods;
+
+  const session = useSession();
+  const router = useRouter();
+
+  const onSubmit = async (values: any) => {
+    if (session.status !== "authenticated") {
+      toast.error(
+        "You must be signed in to create a post. Use the Sign up / Log in links above.",
+      );
+      return;
+    }
+    try {
+      const res = await fetch("/api/posts", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(values),
+      });
+      const payload = await res.json().catch(() => null);
+      if (!res.ok || !payload?.success) {
+        const msg = payload ? mapApiErrorsToForm(methods, payload) : undefined;
+        toast.error(msg || payload?.message || "Create failed");
+        return;
+      }
+      reset();
+      toast.success("Post created");
+      // Refresh the server-rendered list below
+      router.refresh();
+    } catch (e) {
+      toast.error("Create failed");
+    }
+  };
+
+  return (
+    <div className="bg-card rounded-md p-6">
+      <h3 className="mb-3 text-lg font-semibold">
+        Create a post (requires sign in)
+      </h3>
+      <Form methods={methods}>
+        <form onSubmit={handleSubmit(onSubmit)} className="space-y-3">
+          <FormField
+            control={control}
+            name="title"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>Title</FormLabel>
+                <FormControl>
+                  <Input {...field} />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <FormField
+            control={control}
+            name="content"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>Content</FormLabel>
+                <FormControl>
+                  <Textarea {...field} rows={4} />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <Button type="submit">Create Post</Button>
+        </form>
+      </Form>
+    </div>
+  );
+}