nextworks 0.1.0-alpha.11 → 0.1.0-alpha.14

package/dist/kits/auth-core/app/api/users/[id]/route.ts

@@ -1,127 +1,134 @@
-import { NextRequest } from "next/server";
-import { prisma } from "@/lib/prisma";
-import type { Prisma } from "@prisma/client";
-import { jsonOk, jsonFail } from "@/lib/server/result";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth";
-
-// Ensure Prisma runs in Node.js (not Edge)
-export const runtime = "nodejs";
-
-type RouteContext = { params: Promise<{ id: string }> };
-
-// Type guards/helpers (kept minimal here)
-const hasErrorCode = (e: unknown, code: string): boolean =>
-  typeof e === "object" &&
-  e !== null &&
-  "code" in e &&
-  typeof (e as { code?: unknown }).code === "string" &&
-  (e as { code: string }).code === code;
-
-export async function GET(_req: NextRequest, { params }: RouteContext) {
-  try {
-    const { id } = await params; // async params in Next.js 15
-
-    const user = await prisma.user.findUnique({
-      where: { id },
-      select: { id: true, name: true, email: true, role: true },
-    });
-
-    if (!user) {
-      return jsonFail("Not found", { status: 404 });
-    }
-
-    return jsonOk(user);
-  } catch (e) {
-    console.error("GET /api/users/[id] error:", e);
-    return jsonFail("Failed to fetch user", { status: 500 });
-  }
-}
-
-export async function PUT(req: NextRequest, { params }: RouteContext) {
-  try {
-    // Only admins may update other users. Allow self-update as well.
-    const session = await getServerSession(authOptions);
-    if (!session?.user) return jsonFail("Unauthorized", { status: 401 });
-
-    const { id } = await params;
-    const isAdmin = (session.user as { role?: string }).role === "admin";
-    const isSelf = (session.user as { id?: string }).id === id;
-    if (!isAdmin && !isSelf) return jsonFail("Forbidden", { status: 403 });
-
-    const body: unknown = await req.json();
-    if (typeof body !== "object" || body === null) {
-      return jsonFail("Body must be a JSON object", { status: 400 });
-    }
-
-    // Validate with Zod (imported lazily to keep this route light)
-    const { userUpdateSchema } = await import("@/lib/validation/forms");
-    try {
-      const parsed = userUpdateSchema.parse(body);
-
-      // Build Prisma-compatible update object
-      const data: Prisma.UserUpdateInput = {};
-      if (parsed.name !== undefined)
-        data.name = parsed.name === "" ? null : parsed.name;
-      if (parsed.email !== undefined) data.email = parsed.email;
-      if (parsed.image !== undefined)
-        data.image = parsed.image === "" ? null : parsed.image;
-      if (parsed.password !== undefined) {
-        // Hash password before saving
-        const { hashPassword } = await import("@/lib/hash");
-        data.password = await hashPassword(parsed.password as string);
-      }
-      if (parsed.emailVerified !== undefined)
-        data.emailVerified = parsed.emailVerified as any;
-
-      const updated = await prisma.user.update({
-        where: { id },
-        data,
-      });
-
-      return jsonOk(updated, { status: 200, message: "User updated" });
-    } catch (err) {
-      // Zod errors
-      if (err && typeof err === "object" && "issues" in (err as any)) {
-        const { jsonFromZod } = await import("@/lib/server/result");
-        return jsonFromZod(err as any, {
-          status: 400,
-          message: "Validation failed",
-        });
-      }
-      throw err;
-    }
-  } catch (e) {
-    console.error("PUT /api/users/[id] error:", e);
-    if (hasErrorCode(e, "P2025")) {
-      return jsonFail("Not found", { status: 404 });
-    }
-    return jsonFail("Failed to update user", { status: 500 });
-  }
-}
-
-export async function DELETE(_req: NextRequest, { params }: RouteContext) {
-  try {
-    const { requireAdminApi } = await import("@/lib/auth-helpers");
-    const session = await requireAdminApi();
-    if (!session) return jsonFail("Forbidden", { status: 403 });
-
-    const { id } = await params;
-
-    // Clean up dependent records first to avoid FK violations
-    await prisma.$transaction([
-      prisma.account.deleteMany({ where: { userId: id } }),
-      prisma.session.deleteMany({ where: { userId: id } }),
-      prisma.post.deleteMany({ where: { authorId: id } }),
-      prisma.user.delete({ where: { id } }),
-    ]);
-
-    return jsonOk({ ok: true }, { status: 200, message: "User deleted" });
-  } catch (e) {
-    console.error("DELETE /api/users/[id] error:", e);
-    if (hasErrorCode(e, "P2025")) {
-      return jsonFail("Not found", { status: 404 });
-    }
-    return jsonFail("Failed to delete user", { status: 500 });
-  }
-}
+import { NextRequest } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { jsonOk, jsonFail } from "@/lib/server/result";
+import { getServerSession } from "next-auth";
+import { authOptions } from "@/lib/auth";
+
+// Ensure Prisma runs in Node.js (not Edge)
+export const runtime = "nodejs";
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+// Type guards/helpers (kept minimal here)
+const hasErrorCode = (e: unknown, code: string): boolean =>
+  typeof e === "object" &&
+  e !== null &&
+  "code" in e &&
+  typeof (e as { code?: unknown }).code === "string" &&
+  (e as { code: string }).code === code;
+
+export async function GET(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { id } = await params; // async params in Next.js 15
+
+    const user = await prisma.user.findUnique({
+      where: { id },
+      select: { id: true, name: true, email: true, role: true },
+    });
+
+    if (!user) {
+      return jsonFail("Not found", { status: 404 });
+    }
+
+    return jsonOk(user);
+  } catch (e) {
+    console.error("GET /api/users/[id] error:", e);
+    return jsonFail("Failed to fetch user", { status: 500 });
+  }
+}
+
+export async function PUT(req: NextRequest, { params }: RouteContext) {
+  try {
+    // Only admins may update other users. Allow self-update as well.
+    const session = await getServerSession(authOptions);
+    if (!session?.user) return jsonFail("Unauthorized", { status: 401 });
+
+    const { id } = await params;
+    const isAdmin = (session.user as { role?: string }).role === "admin";
+    const isSelf = (session.user as { id?: string }).id === id;
+    if (!isAdmin && !isSelf) return jsonFail("Forbidden", { status: 403 });
+
+    const body: unknown = await req.json();
+    if (typeof body !== "object" || body === null) {
+      return jsonFail("Body must be a JSON object", { status: 400 });
+    }
+
+    // Validate with Zod (imported lazily to keep this route light)
+    const { userUpdateSchema } = await import("@/lib/validation/forms");
+    try {
+      const parsed = userUpdateSchema.parse(body);
+
+      // Build Prisma-compatible update object (avoid `as any` + incremental mutation)
+      const data = {
+        ...(parsed.name !== undefined
+          ? { name: parsed.name === "" ? null : parsed.name }
+          : {}),
+        ...(parsed.email !== undefined ? { email: parsed.email } : {}),
+        ...(parsed.image !== undefined
+          ? { image: parsed.image === "" ? null : parsed.image }
+          : {}),
+        ...(parsed.password !== undefined
+          ? {
+              password: await (async () => {
+                const { hashPassword } = await import("@/lib/hash");
+                // `password` is present in this branch; help TS narrow from `string | undefined`.
+                return hashPassword(parsed.password!);
+              })(),
+            }
+          : {}),
+        ...(parsed.emailVerified !== undefined
+          ? { emailVerified: parsed.emailVerified }
+          : {}),
+      } satisfies Parameters<typeof prisma.user.update>[0]["data"];
+
+      const updated = await prisma.user.update({
+        where: { id },
+        data,
+      });
+
+      return jsonOk(updated, { status: 200, message: "User updated" });
+    } catch (err) {
+      // Zod errors
+      if (err && typeof err === "object" && "issues" in (err as any)) {
+        const { jsonFromZod } = await import("@/lib/server/result");
+        return jsonFromZod(err as any, {
+          status: 400,
+          message: "Validation failed",
+        });
+      }
+      throw err;
+    }
+  } catch (e) {
+    console.error("PUT /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to update user", { status: 500 });
+  }
+}
+
+export async function DELETE(_req: NextRequest, { params }: RouteContext) {
+  try {
+    const { requireAdminApi } = await import("@/lib/auth-helpers");
+    const session = await requireAdminApi();
+    if (!session) return jsonFail("Forbidden", { status: 403 });
+
+    const { id } = await params;
+
+    // Clean up dependent records first to avoid FK violations
+    await prisma.$transaction([
+      prisma.account.deleteMany({ where: { userId: id } }),
+      prisma.session.deleteMany({ where: { userId: id } }),
+      prisma.post.deleteMany({ where: { authorId: id } }),
+      prisma.user.delete({ where: { id } }),
+    ]);
+
+    return jsonOk({ ok: true }, { status: 200, message: "User deleted" });
+  } catch (e) {
+    console.error("DELETE /api/users/[id] error:", e);
+    if (hasErrorCode(e, "P2025")) {
+      return jsonFail("Not found", { status: 404 });
+    }
+    return jsonFail("Failed to delete user", { status: 500 });
+  }
+}

package/dist/kits/auth-core/app/auth/reset-password/page.tsx

@@ -1,187 +1,186 @@
-"use client";
-
-import React, { useEffect, useState } from "react";
-import { useSearchParams, useRouter } from "next/navigation";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { resetPasswordSchema } from "@/lib/validation/forms";
-import { Input } from "@/components/ui/input";
-import { Button } from "@/components/ui/button";
-import { Form } from "@/components/ui/form/form";
-import { FormField } from "@/components/ui/form/form-field";
-import { FormItem } from "@/components/ui/form/form-item";
-import { FormLabel } from "@/components/ui/form/form-label";
-import { FormControl } from "@/components/ui/form/form-control";
-import { FormMessage } from "@/components/ui/form/form-message";
-import { toast } from "sonner";
-import { signOut } from "next-auth/react";
-
-export default function ResetPasswordPage() {
-  // Do not gate rendering on process.env here — rendering must be consistent
-  // between server and client to avoid hydration mismatches. The API routes
-  // already enforce the feature guard (returning 404) so we let the client
-  // always render and surface the API's response.
-  const searchParams = useSearchParams();
-  const router = useRouter();
-  const token = searchParams.get("token") || "";
-  const [valid, setValid] = useState<boolean | null>(null);
-
-  const methods = useForm({
-    resolver: zodResolver(resetPasswordSchema) as any,
-    defaultValues: { token, password: "", confirmPassword: "" },
-  });
-  const {
-    handleSubmit,
-    control,
-    formState: { isSubmitting },
-  } = methods;
-
-  useEffect(() => {
-    (async () => {
-      if (!token) return setValid(false);
-      try {
-        const res = await fetch(
-          `/api/auth/reset-password?token=${encodeURIComponent(token)}`,
-        );
-        if (res.ok) {
-          const json = await res.json();
-          setValid(!!json.valid);
-        } else {
-          setValid(false);
-        }
-      } catch {
-        setValid(false);
-      }
-    })();
-  }, [token]);
-
-  const onSubmit = async (data: any) => {
-    try {
-      const res = await fetch("/api/auth/reset-password", {
-        method: "POST",
-        body: JSON.stringify(data),
-        headers: { "Content-Type": "application/json" },
-      });
-      if (res.ok) {
-        toast.success("Password updated. You can now sign in.");
-        try {
-          // Ensure any existing session is cleared so the login page doesn't
-          // immediately redirect away. This also avoids confusion during testing.
-          await signOut({ redirect: false });
-        } catch (e) {
-          // ignore signOut failures but log for debugging
-          // eslint-disable-next-line no-console
-          console.error("signOut failed:", e);
-        }
-        // Poll /api/auth/session until it returns null, or timeout after 2s.
-        // This avoids the race where signOut is accepted server-side but the
-        // client still believes it's authenticated due to caching or timing.
-        const waitForSignOut = async (timeout = 2000, interval = 200) => {
-          const start = Date.now();
-          while (Date.now() - start < timeout) {
-            try {
-              const r = await fetch("/api/auth/session");
-              if (r.ok) {
-                const json = await r.json();
-                if (!json) {
-                  // session cleared
-                  window.location.href = "/auth/login?signup=1";
-                  return;
-                }
-              }
-            } catch (e) {
-              // ignore transient fetch errors
-            }
-            // eslint-disable-next-line no-await-in-loop
-            await new Promise((res) => setTimeout(res, interval));
-          }
-          // Timeout: navigate anyway to ensure user sees login
-          window.location.href = "/auth/login?signup=1";
-        };
-        waitForSignOut();
-      } else {
-        const json = await res.json();
-        toast.error(json?.message || "Failed to reset password");
-      }
-    } catch (e) {
-      toast.error("Failed to reset password");
-    }
-  };
-
-  if (valid === null)
-    return (
-      <div className="mx-auto w-full max-w-md pt-6">Checking token...</div>
-    );
-  if (valid === false)
-    return (
-      <div className="mx-auto w-full max-w-md pt-6">
-        Invalid or expired token.
-      </div>
-    );
-
-  return (
-    <div className="mx-auto w-full max-w-md pt-6">
-      <h2 className="text-foreground text-center text-2xl font-bold">
-        Reset password
-      </h2>
-      <p className="text-muted-foreground mt-1 text-center text-sm">
-        Set a new password for your account.
-      </p>
-
-      <Form methods={methods}>
-        <form
-          onSubmit={handleSubmit(onSubmit)}
-          className="border-border bg-card space-y-4 rounded-lg border p-6 shadow-sm"
-        >
-          <FormField
-            control={control}
-            name="password"
-            render={({ field: f }) => (
-              <FormItem>
-                <FormLabel>New password</FormLabel>
-                <FormControl>
-                  <Input
-                    id="password"
-                    type="password"
-                    placeholder="At least 6 characters"
-                    {...f}
-                  />
-                </FormControl>
-                <FormMessage />
-              </FormItem>
-            )}
-          />
-
-          <FormField
-            control={control}
-            name="confirmPassword"
-            render={({ field: f }) => (
-              <FormItem>
-                <FormLabel>Confirm password</FormLabel>
-                <FormControl>
-                  <Input
-                    id="confirmPassword"
-                    type="password"
-                    placeholder="Repeat password"
-                    {...f}
-                  />
-                </FormControl>
-                <FormMessage />
-              </FormItem>
-            )}
-          />
-
-          <FormField
-            control={control}
-            name="token"
-            render={({ field: f }) => <input type="hidden" {...f} />}
-          />
-
-          <Button type="submit" disabled={isSubmitting} className="w-full">
-            Set password
-          </Button>
-        </form>
-      </Form>
-    </div>
-  );
-}
+"use client";
+
+import React, { useEffect, useState } from "react";
+import { useSearchParams } from "next/navigation";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { resetPasswordSchema } from "@/lib/validation/forms";
+import { Input } from "@/components/ui/input";
+import { Button } from "@/components/ui/button";
+import { Form } from "@/components/ui/form/form";
+import { FormField } from "@/components/ui/form/form-field";
+import { FormItem } from "@/components/ui/form/form-item";
+import { FormLabel } from "@/components/ui/form/form-label";
+import { FormControl } from "@/components/ui/form/form-control";
+import { FormMessage } from "@/components/ui/form/form-message";
+import { toast } from "sonner";
+import { signOut } from "next-auth/react";
+
+export default function ResetPasswordPage() {
+  // Do not gate rendering on process.env here — rendering must be consistent
+  // between server and client to avoid hydration mismatches. The API routes
+  // already enforce the feature guard (returning 404) so we let the client
+  // always render and surface the API's response.
+  const searchParams = useSearchParams();
+  const token = searchParams.get("token") || "";
+  const [valid, setValid] = useState<boolean | null>(null);
+
+  type ResetPasswordValues = typeof resetPasswordSchema._type;
+
+  const methods = useForm<ResetPasswordValues>({
+    resolver: zodResolver(resetPasswordSchema),
+    defaultValues: { token, password: "", confirmPassword: "" },
+  });
+  const {
+    handleSubmit,
+    control,
+    formState: { isSubmitting },
+  } = methods;
+
+  useEffect(() => {
+    (async () => {
+      if (!token) return setValid(false);
+      try {
+        const res = await fetch(
+          `/api/auth/reset-password?token=${encodeURIComponent(token)}`,
+        );
+        if (res.ok) {
+          const json = await res.json();
+          setValid(!!json.valid);
+        } else {
+          setValid(false);
+        }
+      } catch {
+        setValid(false);
+      }
+    })();
+  }, [token]);
+
+  const onSubmit = async (data: ResetPasswordValues) => {
+    try {
+      const res = await fetch("/api/auth/reset-password", {
+        method: "POST",
+        body: JSON.stringify(data),
+        headers: { "Content-Type": "application/json" },
+      });
+      if (res.ok) {
+        toast.success("Password updated. You can now sign in.");
+        try {
+          // Ensure any existing session is cleared so the login page doesn't
+          // immediately redirect away. This also avoids confusion during testing.
+          await signOut({ redirect: false });
+        } catch (e: unknown) {
+          // ignore signOut failures but log for debugging
+          console.error("signOut failed:", e);
+        }
+        // Poll /api/auth/session until it returns null, or timeout after 2s.
+        // This avoids the race where signOut is accepted server-side but the
+        // client still believes it's authenticated due to caching or timing.
+        const waitForSignOut = async (timeout = 2000, interval = 200) => {
+          const start = Date.now();
+          while (Date.now() - start < timeout) {
+            try {
+              const r = await fetch("/api/auth/session");
+              if (r.ok) {
+                const json = await r.json();
+                if (!json) {
+                  // session cleared
+                  window.location.href = "/auth/login?signup=1";
+                  return;
+                }
+              }
+            } catch {
+              // ignore transient fetch errors
+            }
+            await new Promise((res) => setTimeout(res, interval));
+          }
+          // Timeout: navigate anyway to ensure user sees login
+          window.location.href = "/auth/login?signup=1";
+        };
+        waitForSignOut();
+      } else {
+        const json = await res.json();
+        toast.error(json?.message || "Failed to reset password");
+      }
+    } catch {
+      toast.error("Failed to reset password");
+    }
+  };
+
+  if (valid === null)
+    return (
+      <div className="mx-auto w-full max-w-md pt-6">Checking token...</div>
+    );
+  if (valid === false)
+    return (
+      <div className="mx-auto w-full max-w-md pt-6">
+        Invalid or expired token.
+      </div>
+    );
+
+  return (
+    <div className="mx-auto w-full max-w-md pt-6">
+      <h2 className="text-foreground text-center text-2xl font-bold">
+        Reset password
+      </h2>
+      <p className="text-muted-foreground mt-1 text-center text-sm">
+        Set a new password for your account.
+      </p>
+
+      <Form methods={methods}>
+        <form
+          onSubmit={handleSubmit(onSubmit)}
+          className="border-border bg-card space-y-4 rounded-lg border p-6 shadow-sm"
+        >
+          <FormField
+            control={control}
+            name="password"
+            render={({ field: f }) => (
+              <FormItem>
+                <FormLabel>New password</FormLabel>
+                <FormControl>
+                  <Input
+                    id="password"
+                    type="password"
+                    placeholder="At least 6 characters"
+                    {...f}
+                  />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <FormField
+            control={control}
+            name="confirmPassword"
+            render={({ field: f }) => (
+              <FormItem>
+                <FormLabel>Confirm password</FormLabel>
+                <FormControl>
+                  <Input
+                    id="confirmPassword"
+                    type="password"
+                    placeholder="Repeat password"
+                    {...f}
+                  />
+                </FormControl>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
+          <FormField
+            control={control}
+            name="token"
+            render={({ field: f }) => <input type="hidden" {...f} />}
+          />
+
+          <Button type="submit" disabled={isSubmitting} className="w-full">
+            Set password
+          </Button>
+        </form>
+      </Form>
+    </div>
+  );
+}