src/app/api/public/supplemental-info/%5Btoken%5D/route.ts

import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';

import { loadByToken, applySubmission } from '@/lib/services/supplemental-forms.service';
import { errorResponse } from '@/lib/errors';

/**
 * Public — no auth. Loads the prefill data for the form. The token in
 * the URL is the only credential; rejects expired / unknown tokens with
 * 404 (deliberately conflated to avoid leaking which tokens exist).
 */
export async function GET(
  _req: NextRequest,
  ctx: { params: Promise<{ token: string }> },
): Promise<NextResponse> {
  try {
    const { token } = await ctx.params;
    const data = await loadByToken(token);
    if (!data) {
      return NextResponse.json({ error: 'Link not found or expired' }, { status: 404 });
    }
    return NextResponse.json({ data });
  } catch (error) {
    return errorResponse(error);
  }
}

const submissionSchema = z.object({
  fullName: z.string().min(1).max(200),
  address: z.string().max(500).nullable().optional(),
  country: z.string().length(2).nullable().optional(),
  email: z.string().email().nullable().optional(),
  phoneE164: z
    .string()
    .regex(/^\+[1-9]\d{1,14}$/)
    .nullable()
    .optional(),
  phoneCountry: z.string().length(2).nullable().optional(),
  yachtName: z.string().max(200).nullable().optional(),
  yachtLengthFt: z.number().positive().nullable().optional(),
  yachtWidthFt: z.number().positive().nullable().optional(),
  yachtDraftFt: z.number().positive().nullable().optional(),
});

export async function POST(
  req: NextRequest,
  ctx: { params: Promise<{ token: string }> },
): Promise<NextResponse> {
  try {
    const { token } = await ctx.params;
    const body = submissionSchema.parse(await req.json());
    await applySubmission(token, {
      fullName: body.fullName,
      address: body.address ?? null,
      country: body.country ?? null,
      email: body.email ?? null,
      phoneE164: body.phoneE164 ?? null,
      phoneCountry: body.phoneCountry ?? null,
      yachtName: body.yachtName ?? null,
      yachtLengthFt: body.yachtLengthFt ?? null,
      yachtWidthFt: body.yachtWidthFt ?? null,
      yachtDraftFt: body.yachtDraftFt ?? null,
    });
    return NextResponse.json({ data: { success: true } });
  } catch (error) {
    return errorResponse(error);
  }
}
feat(supplemental-info): pre-EOI public form flow Lets a sales rep send a client a one-shot link to fill out the information we need before drafting the EOI (intent, dimensions, signatory, timeline). Token-keyed: single-use, soft-expiring, scoped to one interest + client. Public POST endpoint accepts the form submission; CRM endpoint mints tokens for rep-initiated requests; portal page renders the form for the recipient. Schema: supplemental_form_tokens table (migration 0061) with port_id + interest_id + client_id refs, unique token, consumed_at marker. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-14 03:36:56 +02:00			`import { NextRequest, NextResponse } from 'next/server';`
			`import { z } from 'zod';`

			`import { loadByToken, applySubmission } from '@/lib/services/supplemental-forms.service';`
			`import { errorResponse } from '@/lib/errors';`

			`/**`
			`* Public — no auth. Loads the prefill data for the form. The token in`
			`* the URL is the only credential; rejects expired / unknown tokens with`
			`* 404 (deliberately conflated to avoid leaking which tokens exist).`
			`*/`
			`export async function GET(`
			`_req: NextRequest,`
			`ctx: { params: Promise<{ token: string }> },`
			`): Promise<NextResponse> {`
			`try {`
			`const { token } = await ctx.params;`
			`const data = await loadByToken(token);`
			`if (!data) {`
			`return NextResponse.json({ error: 'Link not found or expired' }, { status: 404 });`
			`}`
			`return NextResponse.json({ data });`
			`} catch (error) {`
			`return errorResponse(error);`
			`}`
			`}`

			`const submissionSchema = z.object({`
			`fullName: z.string().min(1).max(200),`
			`address: z.string().max(500).nullable().optional(),`
			`country: z.string().length(2).nullable().optional(),`
			`email: z.string().email().nullable().optional(),`
			`phoneE164: z`
			`.string()`
			`.regex(/^\+[1-9]\d{1,14}$/)`
			`.nullable()`
			`.optional(),`
			`phoneCountry: z.string().length(2).nullable().optional(),`
			`yachtName: z.string().max(200).nullable().optional(),`
			`yachtLengthFt: z.number().positive().nullable().optional(),`
			`yachtWidthFt: z.number().positive().nullable().optional(),`
			`yachtDraftFt: z.number().positive().nullable().optional(),`
			`});`

			`export async function POST(`
			`req: NextRequest,`
			`ctx: { params: Promise<{ token: string }> },`
			`): Promise<NextResponse> {`
			`try {`
			`const { token } = await ctx.params;`
			`const body = submissionSchema.parse(await req.json());`
			`await applySubmission(token, {`
			`fullName: body.fullName,`
			`address: body.address ?? null,`
			`country: body.country ?? null,`
			`email: body.email ?? null,`
			`phoneE164: body.phoneE164 ?? null,`
			`phoneCountry: body.phoneCountry ?? null,`
			`yachtName: body.yachtName ?? null,`
			`yachtLengthFt: body.yachtLengthFt ?? null,`
			`yachtWidthFt: body.yachtWidthFt ?? null,`
			`yachtDraftFt: body.yachtDraftFt ?? null,`
			`});`
			`return NextResponse.json({ data: { success: true } });`
			`} catch (error) {`
			`return errorResponse(error);`
			`}`
			`}`