tremor-tracker/src/app/api/update-user/route.ts

import { NextResponse } from "next/server";
import bcryptjs from "bcryptjs";

import { env } from "@utils/env";
import { prisma } from "@utils/prisma";
import { apiAuthMiddleware } from "@utils/apiAuthMiddleware";

import { passwordStrengthCheck } from "@utils/validation";

export async function POST(req: Request) {
	try {
		const authResult = await apiAuthMiddleware();
		if ("user" in authResult === false) return authResult;

		const { user } = authResult;
		// todo handle requestedRole
		const { userId, email, name, password } = await req.json();

		// Trying to update a different user than themselves
		// Only available to admins
		// todo add senior scientists being able to update their juniors
		if (userId && userId !== user.id) {
			if (user.role !== "ADMIN") {
				return NextResponse.json({ message: "Not authorised" }, { status: 401 });
			}
		}

		// Check if email is already in use by another user
		if (email && email !== user.email) {
			const foundUser = await prisma.user.findUnique({
				where: { email },
			});
			if (foundUser) {
				return NextResponse.json({ message: "This email is already in use" }, { status: 409 });
			}
		}

		// todo move to dedicated function
		// Validate password strength if provided
		let passwordHash = user.passwordHash;
		if (password) {
			const passwordCheckResult = await passwordStrengthCheck(password);
			if (passwordCheckResult === "short") {
				return NextResponse.json({ message: "Password is shorter than 8 characters" }, { status: 400 });
			} else if (passwordCheckResult === "long") {
				return NextResponse.json({ message: "Password is longer than 16 characters" }, { status: 400 });
			} else if (passwordCheckResult === "no lower") {
				return NextResponse.json({ message: "Password must contain lowercase letters" }, { status: 400 });
			} else if (passwordCheckResult === "no upper") {
				return NextResponse.json({ message: "Password must contain uppercase letters" }, { status: 400 });
			} else if (passwordCheckResult === "no digit") {
				return NextResponse.json({ message: "Password must contain a number" }, { status: 400 });
			} else if (passwordCheckResult === "no special") {
				return NextResponse.json({ message: "Password must contain a special character (!@#$%^&*)" }, { status: 400 });
			} else if (passwordCheckResult === "end of function") {
				return NextResponse.json({ message: "Password check script failure" }, { status: 500 });
			}
			passwordHash = await bcryptjs.hash(password, 10);
		}

		const updatedUser = await prisma.user.update({
			where: { id: userId || user.id },
			data: {
				name: name || user.name,
				email: email || user.email,
				passwordHash,
			},
		});

		// Link non-account orders with matching email to the updated user
		if (email && email !== user.email) {
			await prisma.order.updateMany({
				where: {
					email,
					userId: null,
				},
				data: {
					userId: updatedUser.id,
				},
			});
		}

		const fullUser = await prisma.user.findUnique({
			where: { id: updatedUser.id },
			include: {
				earthquakes: true,
				observatories: true,
				artefacts: true,
				purchasedOrders: true,
				requests: true,
				scientist: {
					include: {
						superior: true,
						subordinates: true,
					},
				},
			},
		});

		const { passwordHash: _, ...userSansHash } = fullUser!;

		return NextResponse.json({ message: "User updated successfully", user: userSansHash }, { status: 200 });
	} catch (error) {
		console.error("Error in update-user endpoint:", error);
		return NextResponse.json({ message: "Internal Server Error" }, { status: 500 });
	}
}
Added update-user route and made a few small other changes 2025-05-31 18:55:39 +01:00			`import { NextResponse } from "next/server";`
			`import bcryptjs from "bcryptjs";`

			`import { env } from "@utils/env";`
			`import { prisma } from "@utils/prisma";`
			`import { apiAuthMiddleware } from "@utils/apiAuthMiddleware";`

			`import { passwordStrengthCheck } from "@utils/validation";`

			`export async function POST(req: Request) {`
			`try {`
			`const authResult = await apiAuthMiddleware();`
			`if ("user" in authResult === false) return authResult;`

			`const { user } = authResult;`
Finished off profile page 2025-06-01 13:53:04 +01:00			`// todo handle requestedRole`
			`const { userId, email, name, password } = await req.json();`

			`// Trying to update a different user than themselves`
			`// Only available to admins`
			`// todo add senior scientists being able to update their juniors`
			`if (userId && userId !== user.id) {`
			`if (user.role !== "ADMIN") {`
			`return NextResponse.json({ message: "Not authorised" }, { status: 401 });`
			`}`
			`}`
Added update-user route and made a few small other changes 2025-05-31 18:55:39 +01:00
			`// Check if email is already in use by another user`
			`if (email && email !== user.email) {`
			`const foundUser = await prisma.user.findUnique({`
			`where: { email },`
			`});`
			`if (foundUser) {`
			`return NextResponse.json({ message: "This email is already in use" }, { status: 409 });`
			`}`
			`}`

Finished off profile page 2025-06-01 13:53:04 +01:00			`// todo move to dedicated function`
Added update-user route and made a few small other changes 2025-05-31 18:55:39 +01:00			`// Validate password strength if provided`
			`let passwordHash = user.passwordHash;`
			`if (password) {`
			`const passwordCheckResult = await passwordStrengthCheck(password);`
			`if (passwordCheckResult === "short") {`
			`return NextResponse.json({ message: "Password is shorter than 8 characters" }, { status: 400 });`
			`} else if (passwordCheckResult === "long") {`
			`return NextResponse.json({ message: "Password is longer than 16 characters" }, { status: 400 });`
			`} else if (passwordCheckResult === "no lower") {`
			`return NextResponse.json({ message: "Password must contain lowercase letters" }, { status: 400 });`
			`} else if (passwordCheckResult === "no upper") {`
			`return NextResponse.json({ message: "Password must contain uppercase letters" }, { status: 400 });`
			`} else if (passwordCheckResult === "no digit") {`
			`return NextResponse.json({ message: "Password must contain a number" }, { status: 400 });`
			`} else if (passwordCheckResult === "no special") {`
			`return NextResponse.json({ message: "Password must contain a special character (!@#$%^&*)" }, { status: 400 });`
			`} else if (passwordCheckResult === "end of function") {`
			`return NextResponse.json({ message: "Password check script failure" }, { status: 500 });`
			`}`
			`passwordHash = await bcryptjs.hash(password, 10);`
			`}`

			`const updatedUser = await prisma.user.update({`
Finished off profile page 2025-06-01 13:53:04 +01:00			`where: { id: userId \|\| user.id },`
Added update-user route and made a few small other changes 2025-05-31 18:55:39 +01:00			`data: {`
			`name: name \|\| user.name,`
			`email: email \|\| user.email,`
			`passwordHash,`
			`},`
			`});`

Finished off profile page 2025-06-01 13:53:04 +01:00			`// Link non-account orders with matching email to the updated user`
Added update-user route and made a few small other changes 2025-05-31 18:55:39 +01:00			`if (email && email !== user.email) {`
			`await prisma.order.updateMany({`
			`where: {`
			`email,`
			`userId: null,`
			`},`
			`data: {`
			`userId: updatedUser.id,`
			`},`
			`});`
			`}`

			`const fullUser = await prisma.user.findUnique({`
			`where: { id: updatedUser.id },`
			`include: {`
			`earthquakes: true,`
			`observatories: true,`
			`artefacts: true,`
			`purchasedOrders: true,`
			`requests: true,`
			`scientist: {`
			`include: {`
			`superior: true,`
			`subordinates: true,`
			`},`
			`},`
			`},`
			`});`

			`const { passwordHash: _, ...userSansHash } = fullUser!;`

			`return NextResponse.json({ message: "User updated successfully", user: userSansHash }, { status: 200 });`
			`} catch (error) {`
			`console.error("Error in update-user endpoint:", error);`
			`return NextResponse.json({ message: "Internal Server Error" }, { status: 500 });`
			`}`
			`}`