fix(auth): set-password endpoint accepts both invite and reset tokens
The /set-password page is the landing target for two unrelated email
flows:
1. CRM admin invite → `crm_user_invites` row, consumed via
`consumeCrmInvite` (creates the better-auth user + profile).
2. Forgot-password → better-auth verification row, consumed via
`auth.api.resetPassword` (rotates the password on an existing
user).
The endpoint previously only handled (1). A user clicking a
reset-password link landed on the same page but hit a token-not-found
error because their token isn't in the invite table.
Try the invite path first (the historical behaviour); on NotFoundError
fall through to better-auth's resetPassword. Both stores rejecting
returns a single unified `INVITE_OR_RESET_INVALID` error matching the
page's existing error-rendering shape.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,8 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { z } from 'zod';
|
||||
|
||||
import { errorResponse } from '@/lib/errors';
|
||||
import { auth } from '@/lib/auth';
|
||||
import { errorResponse, NotFoundError } from '@/lib/errors';
|
||||
import { consumeCrmInvite } from '@/lib/services/crm-invite.service';
|
||||
import { enforcePublicRateLimit, parseBody } from '@/lib/api/route-helpers';
|
||||
|
||||
@@ -11,14 +12,46 @@ const bodySchema = z.object({
|
||||
});
|
||||
|
||||
export async function POST(req: NextRequest): Promise<NextResponse> {
|
||||
// 10/hour/IP — bounds brute-force against the CRM invite token.
|
||||
// 10/hour/IP — bounds brute-force against either token store.
|
||||
const limited = await enforcePublicRateLimit(req, 'portalToken');
|
||||
if (limited) return limited;
|
||||
|
||||
try {
|
||||
const { token, password } = await parseBody(req, bodySchema);
|
||||
const result = await consumeCrmInvite({ token, password });
|
||||
return NextResponse.json({ data: { email: result.email } });
|
||||
|
||||
// Two distinct token issuers can land users on /set-password:
|
||||
// 1. CRM admin invite → `crm_user_invites` row, consumed via
|
||||
// `consumeCrmInvite` (creates the better-auth user + profile).
|
||||
// 2. Forgot-password → better-auth verification row, consumed via
|
||||
// `auth.api.resetPassword` (rotates the password on an existing
|
||||
// user).
|
||||
// Try the CRM-invite path first. If the token isn't in that table
|
||||
// (NotFoundError), fall through to better-auth — these are mutually
|
||||
// exclusive token spaces, so at most one will accept it.
|
||||
try {
|
||||
const result = await consumeCrmInvite({ token, password });
|
||||
return NextResponse.json({ data: { email: result.email } });
|
||||
} catch (err) {
|
||||
if (!(err instanceof NotFoundError)) throw err;
|
||||
}
|
||||
|
||||
try {
|
||||
await auth.api.resetPassword({
|
||||
body: { newPassword: password, token },
|
||||
});
|
||||
return NextResponse.json({ data: { email: null } });
|
||||
} catch {
|
||||
// Both stores rejected the token; surface a clean unified error
|
||||
// (matches the `{ error: string }` shape the page consumes via
|
||||
// `body.error`).
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: 'This link is invalid or has expired. Request a new one.',
|
||||
code: 'INVITE_OR_RESET_INVALID',
|
||||
},
|
||||
{ status: 400 },
|
||||
);
|
||||
}
|
||||
} catch (err) {
|
||||
return errorResponse(err);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user