nobalmako 1.0.0

package/src/app/api/auth/forgot-password/route.ts

@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from 'next/server';
+import crypto from 'crypto';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import { sendEmail, emailTemplates } from '@/lib/email';
+
+export async function POST(request: NextRequest) {
+  try {
+    const { email } = await request.json();
+
+    if (!email) {
+      return NextResponse.json({ error: 'Email is required' }, { status: 400 });
+    }
+
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, email.toLowerCase()))
+      .limit(1);
+
+    // For security reasons, don't reveal if user exists
+    if (!user) {
+      return NextResponse.json({ message: 'If an account exists, a reset link has been sent' });
+    }
+
+    const resetToken = crypto.randomBytes(32).toString('hex');
+    const resetTokenExpiry = new Date(Date.now() + 3600000); // 1 hour from now
+
+    await db.update(users)
+      .set({ 
+        resetToken, 
+        resetTokenExpiry,
+        updatedAt: new Date()
+      })
+      .where(eq(users.id, user.id));
+
+    // Send the email
+    const template = emailTemplates.passwordReset(user.name, resetToken);
+    await sendEmail({ to: user.email, ...template });
+
+    return NextResponse.json({ message: 'If an account exists, a reset link has been sent' });
+  } catch (error) {
+    console.error('Forgot password error:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/auth/login/route.ts

@@ -0,0 +1,99 @@
+import { NextRequest, NextResponse } from 'next/server';
+import bcrypt from 'bcryptjs';
+import jwt from 'jsonwebtoken';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import speakeasy from 'speakeasy';
+
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+
+export async function POST(request: NextRequest) {
+  try {
+    const { email, password, mfaToken } = await request.json();
+
+    if (!email || !password) {
+      return NextResponse.json(
+        { error: 'Email and password are required' },
+        { status: 400 }
+      );
+    }
+
+    // Find user by email
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, email))
+      .limit(1);
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Invalid credentials' },
+        { status: 401 }
+      );
+    }
+
+    // Verify password
+    const isValidPassword = await bcrypt.compare(password, user.password);
+    if (!isValidPassword) {
+      return NextResponse.json(
+        { error: 'Invalid credentials' },
+        { status: 401 }
+      );
+    }
+
+    // Verify MFA if enabled
+    if (user.mfaEnabled) {
+      if (!mfaToken) {
+        return NextResponse.json({ 
+          mfaRequired: true, 
+          message: 'MFA token required' 
+        }, { status: 200 }); // Status 200 but signaling UI to show MFA input
+      }
+
+      const verified = speakeasy.totp.verify({
+        secret: user.mfaSecret!,
+        encoding: 'base32',
+        token: mfaToken,
+      });
+
+      if (!verified) {
+        return NextResponse.json({ error: 'Invalid MFA token' }, { status: 401 });
+      }
+    }
+
+    // Generate JWT token
+    const token = jwt.sign(
+      { userId: user.id, email: user.email },
+      JWT_SECRET,
+      { expiresIn: '7d' }
+    );
+
+    // Create response with token and optional raw token for CLI
+    const response = NextResponse.json({
+      message: 'Login successful',
+      token: token, // Include token in JSON body for CLI/login
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+      },
+    });
+
+    // Set HTTP-only cookie
+    response.cookies.set('auth-token', token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 7, // 7 days
+    });
+
+    return response;
+  } catch (error) {
+    console.error('Login error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/auth/logout/route.ts

@@ -0,0 +1,15 @@
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+  const response = NextResponse.json({ message: 'Logged out successfully' });
+
+  // Clear the auth cookie
+  response.cookies.set('auth-token', '', {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 0,
+  });
+
+  return response;
+}

package/src/app/api/auth/me/route.ts

@@ -0,0 +1,23 @@
+import { NextResponse } from 'next/server';
+import { getUserFromToken } from '@/lib/auth';
+
+export async function GET() {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    return NextResponse.json({ user });
+  } catch (error) {
+    console.error('Auth check error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/auth/mfa/setup/route.ts

@@ -0,0 +1,33 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getUserFromToken } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import speakeasy from 'speakeasy';
+import QRCode from 'qrcode';
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    const secret = speakeasy.generateSecret({
+      name: `Nobalmako (${user.email})`,
+    });
+
+    const qrCodeUrl = await QRCode.toDataURL(secret.otpauth_url || '');
+
+    // We don't enable it yet, just store the secret temporarily or return it
+    // For this implementation, we'll store it in the user record
+    await db.update(users)
+      .set({ mfaSecret: secret.base32 })
+      .where(eq(users.id, user.id));
+
+    return NextResponse.json({ 
+      qrCode: qrCodeUrl,
+      secret: secret.base32
+    });
+  } catch (error) {
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/auth/mfa/verify/route.ts

@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getUserFromToken } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import speakeasy from 'speakeasy';
+import { sendEmail, emailTemplates } from '@/lib/email';
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    const { token } = await request.json();
+    if (!token) return NextResponse.json({ error: 'Token is required' }, { status: 400 });
+
+    const [userData] = await db.select().from(users).where(eq(users.id, user.id)).limit(1);
+    
+    if (!userData.mfaSecret) {
+      return NextResponse.json({ error: 'MFA not setup' }, { status: 400 });
+    }
+
+    const verified = speakeasy.totp.verify({
+      secret: userData.mfaSecret,
+      encoding: 'base32',
+      token,
+    });
+
+    if (verified) {
+      await db.update(users)
+        .set({ mfaEnabled: true })
+        .where(eq(users.id, user.id));
+      
+      // Notify user via email
+      const template = emailTemplates.mfaEnabled(userData.name);
+      await sendEmail({ to: userData.email, ...template });
+      
+      return NextResponse.json({ success: true });
+    } else {
+      return NextResponse.json({ error: 'Invalid token' }, { status: 400 });
+    }
+  } catch (error) {
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/auth/register/route.ts

@@ -0,0 +1,140 @@
+import { NextRequest, NextResponse } from 'next/server';
+import bcrypt from 'bcryptjs';
+import crypto from 'crypto';
+import { db } from '@/lib/db';
+import { users, invitations, teamMembers } from '@/lib/schema';
+import { eq, and, gt } from 'drizzle-orm';
+import { sendEmail, emailTemplates } from '@/lib/email';
+
+export async function POST(request: NextRequest) {
+  try {
+    const { name, email, password, confirmPassword, inviteToken } = await request.json();
+
+    if (!name || !email || !password || !confirmPassword) {
+      return NextResponse.json(
+        { error: 'All fields are required' },
+        { status: 400 }
+      );
+    }
+
+    if (password !== confirmPassword) {
+      return NextResponse.json(
+        { error: 'Passwords do not match' },
+        { status: 400 }
+      );
+    }
+
+    if (password.length < 6) {
+      return NextResponse.json(
+        { error: 'Password must be at least 6 characters long' },
+        { status: 400 }
+      );
+    }
+
+    // Check if user already exists
+    const [existingUser] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, email))
+      .limit(1);
+
+    if (existingUser) {
+      return NextResponse.json(
+        { error: 'User with this email already exists' },
+        { status: 409 }
+      );
+    }
+
+    // Verify invite token if provided
+    let invitationData = null;
+    if (inviteToken) {
+      const [invitation] = await db
+        .select()
+        .from(invitations)
+        .where(and(
+          eq(invitations.token, inviteToken),
+          eq(invitations.status, 'pending'),
+          gt(invitations.expiresAt, new Date())
+        ))
+        .limit(1);
+
+      if (!invitation) {
+        return NextResponse.json(
+          { error: 'Invalid or expired invitation token' },
+          { status: 400 }
+        );
+      }
+      
+      // Ensure the email matches the invitation
+      if (invitation.email.toLowerCase() !== email.toLowerCase()) {
+        return NextResponse.json(
+          { error: 'This invitation was sent to a different email address' },
+          { status: 400 }
+        );
+      }
+      invitationData = invitation;
+    }
+
+    // Hash password
+    const hashedPassword = await bcrypt.hash(password, 12);
+    const verificationToken = crypto.randomBytes(32).toString('hex');
+
+    // Create user and handle invitation in a transaction
+    const result = await db.transaction(async (tx) => {
+      const [newUser] = await tx
+        .insert(users)
+        .values({
+          name,
+          email: email.toLowerCase(),
+          password: hashedPassword,
+          verificationToken,
+        })
+        .returning();
+
+      if (invitationData) {
+        // Add user to team
+        await tx.insert(teamMembers).values({
+          teamId: invitationData.teamId,
+          userId: newUser.id,
+          role: invitationData.role,
+        });
+
+        // Update invitation status
+        await tx.update(invitations)
+          .set({ status: 'accepted', updatedAt: new Date() })
+          .where(eq(invitations.id, invitationData.id));
+      }
+
+      return newUser;
+    });
+
+    // Send Welcome & Verification Emails
+    try {
+      const welcome = emailTemplates.welcome(result.name);
+      const verify = emailTemplates.verification(result.name, verificationToken);
+      
+      await Promise.all([
+        sendEmail({ to: result.email, ...welcome }),
+        sendEmail({ to: result.email, ...verify })
+      ]);
+    } catch (emailError) {
+      console.error('Failed to send registration emails:', emailError);
+      // We don't fail registration if emails fail, but we log it
+    }
+
+    return NextResponse.json({
+      message: 'User created successfully',
+      user: {
+        id: result.id,
+        name: result.name,
+        email: result.email,
+      },
+    });
+  } catch (error) {
+    console.error('Registration error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/auth/reset-password/route.ts

@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from 'next/server';
+import bcrypt from 'bcryptjs';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq, and, gt } from 'drizzle-orm';
+
+export async function POST(request: NextRequest) {
+  try {
+    const { token, password, confirmPassword } = await request.json();
+
+    if (!token || !password || !confirmPassword) {
+      return NextResponse.json({ error: 'All fields are required' }, { status: 400 });
+    }
+
+    if (password !== confirmPassword) {
+      return NextResponse.json({ error: 'Passwords do not match' }, { status: 400 });
+    }
+
+    if (password.length < 6) {
+      return NextResponse.json({ error: 'Password must be at least 6 characters' }, { status: 400 });
+    }
+
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(and(
+        eq(users.resetToken, token),
+        gt(users.resetTokenExpiry, new Date())
+      ))
+      .limit(1);
+
+    if (!user) {
+      return NextResponse.json({ error: 'Invalid or expired reset token' }, { status: 400 });
+    }
+
+    const hashedPassword = await bcrypt.hash(password, 12);
+
+    await db.update(users)
+      .set({ 
+        password: hashedPassword,
+        resetToken: null,
+        resetTokenExpiry: null,
+        updatedAt: new Date()
+      })
+      .where(eq(users.id, user.id));
+
+    return NextResponse.json({ message: 'Password reset successfully' });
+  } catch (error) {
+    console.error('Reset password error:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/auth/update/route.ts

@@ -0,0 +1,71 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import { getUserFromToken } from '@/lib/auth';
+import bcrypt from 'bcryptjs';
+
+export async function PUT(req: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const { name } = await req.json();
+
+    if (!name) {
+      return NextResponse.json({ error: 'Name is required' }, { status: 400 });
+    }
+
+    await db.update(users)
+      .set({ name })
+      .where(eq(users.id, user.id));
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Profile update failed:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}
+
+export async function PATCH(req: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const { currentPassword, newPassword } = await req.json();
+
+    if (!currentPassword || !newPassword) {
+      return NextResponse.json({ error: 'All fields are required' }, { status: 400 });
+    }
+
+    // Get user with password for comparison
+    const [dbUser] = await db.select().from(users).where(eq(users.id, user.id));
+    
+    if (!dbUser) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    // Verify current password
+    const isPasswordMatch = await bcrypt.compare(currentPassword, dbUser.password);
+    if (!isPasswordMatch) {
+      return NextResponse.json({ error: 'Incorrect current password' }, { status: 400 });
+    }
+
+    // Hash new password
+    const hashedPassword = await bcrypt.hash(newPassword, 10);
+
+    // Update password
+    await db.update(users)
+      .set({ password: hashedPassword })
+      .where(eq(users.id, user.id));
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Password change failed:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/auth/verify/route.ts

@@ -0,0 +1,39 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+import { users } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const token = searchParams.get('token');
+
+    if (!token) {
+      return NextResponse.json({ error: 'Token is required' }, { status: 400 });
+    }
+
+    const [user] = await db
+      .select()
+      .from(users)
+      .where(eq(users.verificationToken, token))
+      .limit(1);
+
+    if (!user) {
+      return NextResponse.json({ error: 'Invalid or expired token' }, { status: 400 });
+    }
+
+    await db.update(users)
+      .set({ 
+        emailVerified: new Date(),
+        verificationToken: null,
+        updatedAt: new Date()
+      })
+      .where(eq(users.id, user.id));
+
+    // Redirect to dashboard or login with a success message
+    return NextResponse.redirect(new URL('/auth/login?verified=true', request.url));
+  } catch (error) {
+    console.error('Verification error:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}