2025-05-31 18:55:39 +01:00
|
|
|
import { NextResponse } from "next/server";
|
|
|
|
|
import bcryptjs from "bcryptjs";
|
|
|
|
|
|
|
|
|
|
import { env } from "@utils/env";
|
|
|
|
|
import { prisma } from "@utils/prisma";
|
|
|
|
|
import { apiAuthMiddleware } from "@utils/apiAuthMiddleware";
|
|
|
|
|
|
2025-06-03 15:20:52 +01:00
|
|
|
import { validatePassword } from "@utils/validation";
|
2025-05-31 18:55:39 +01:00
|
|
|
|
|
|
|
|
export async function POST(req: Request) {
|
|
|
|
|
try {
|
|
|
|
|
const authResult = await apiAuthMiddleware();
|
|
|
|
|
if ("user" in authResult === false) return authResult;
|
|
|
|
|
|
|
|
|
|
const { user } = authResult;
|
2025-06-01 23:01:37 +01:00
|
|
|
const { userId, email, name, password, requestedRole } = await req.json();
|
2025-06-01 13:53:04 +01:00
|
|
|
|
|
|
|
|
// Trying to update a different user than themselves
|
|
|
|
|
// Only available to admins
|
|
|
|
|
// todo add senior scientists being able to update their juniors
|
|
|
|
|
if (userId && userId !== user.id) {
|
|
|
|
|
if (user.role !== "ADMIN") {
|
|
|
|
|
return NextResponse.json({ message: "Not authorised" }, { status: 401 });
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-05-31 18:55:39 +01:00
|
|
|
|
|
|
|
|
// Check if email is already in use by another user
|
|
|
|
|
if (email && email !== user.email) {
|
|
|
|
|
const foundUser = await prisma.user.findUnique({
|
|
|
|
|
where: { email },
|
|
|
|
|
});
|
|
|
|
|
if (foundUser) {
|
|
|
|
|
return NextResponse.json({ message: "This email is already in use" }, { status: 409 });
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate password strength if provided
|
|
|
|
|
let passwordHash = user.passwordHash;
|
|
|
|
|
if (password) {
|
2025-06-03 15:20:52 +01:00
|
|
|
const passwordCheckResult = validatePassword(password);
|
|
|
|
|
if ("message" in passwordCheckResult) {
|
|
|
|
|
return NextResponse.json({ message: passwordCheckResult.message }, { status: passwordCheckResult.status });
|
2025-05-31 18:55:39 +01:00
|
|
|
}
|
|
|
|
|
passwordHash = await bcryptjs.hash(password, 10);
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-01 23:01:37 +01:00
|
|
|
if (requestedRole && ["GUEST", "SCIENTIST", "ADMIN"].includes(requestedRole) && requestedRole !== user.role) {
|
|
|
|
|
await prisma.request.create({
|
|
|
|
|
data: { requestType: requestedRole, requestingUserId: userId || user.id },
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-31 18:55:39 +01:00
|
|
|
const updatedUser = await prisma.user.update({
|
2025-06-01 13:53:04 +01:00
|
|
|
where: { id: userId || user.id },
|
2025-05-31 18:55:39 +01:00
|
|
|
data: {
|
|
|
|
|
name: name || user.name,
|
|
|
|
|
email: email || user.email,
|
|
|
|
|
passwordHash,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2025-06-01 13:53:04 +01:00
|
|
|
// Link non-account orders with matching email to the updated user
|
2025-05-31 18:55:39 +01:00
|
|
|
if (email && email !== user.email) {
|
|
|
|
|
await prisma.order.updateMany({
|
|
|
|
|
where: {
|
|
|
|
|
email,
|
|
|
|
|
userId: null,
|
|
|
|
|
},
|
|
|
|
|
data: {
|
|
|
|
|
userId: updatedUser.id,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const fullUser = await prisma.user.findUnique({
|
|
|
|
|
where: { id: updatedUser.id },
|
|
|
|
|
include: {
|
|
|
|
|
earthquakes: true,
|
|
|
|
|
observatories: true,
|
|
|
|
|
artefacts: true,
|
|
|
|
|
purchasedOrders: true,
|
|
|
|
|
requests: true,
|
|
|
|
|
scientist: {
|
|
|
|
|
include: {
|
|
|
|
|
superior: true,
|
|
|
|
|
subordinates: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const { passwordHash: _, ...userSansHash } = fullUser!;
|
|
|
|
|
|
|
|
|
|
return NextResponse.json({ message: "User updated successfully", user: userSansHash }, { status: 200 });
|
|
|
|
|
} catch (error) {
|
|
|
|
|
console.error("Error in update-user endpoint:", error);
|
|
|
|
|
return NextResponse.json({ message: "Internal Server Error" }, { status: 500 });
|
|
|
|
|
}
|
|
|
|
|
}
|
