letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(profile): /settings/profile page + change-password endpoint

Browse Source 
The user-menu's Profile link previously 404'd, and CRM users had no way
to change their password from inside the app.

- /api/v1/me/password POST wraps better-auth changePassword, surfaces a
  friendlier "Current password is incorrect" on the typical failure
  mode, and writes an audit_log row with metadata.revokedOtherSessions.
- /{port}/settings/profile renders display name + email + change-password
  card with current/new/confirm fields and a 'Sign out other devices'
  toggle.

End-to-end verified: wrong current pw → 400 with mapped message;
correct → 200 + audit row; revert → 200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-05-06 14:57:35 +02:00
parent 1b78eadd36
commit d19b74b935
3 changed files with 289 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/app/(dashboard)/[portSlug]/settings/profile/page.tsx Normal file
View File

@@ -0,0 +1,5 @@
import { UserProfile } from '@/components/settings/user-profile';
export default function ProfilePage() {
return <UserProfile />;
}

54
src/app/api/v1/me/password/route.ts Normal file
View File

@@ -0,0 +1,54 @@
import { NextResponse } from 'next/server';
import { z } from 'zod';
import { auth } from '@/lib/auth';
import { withAuth } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { createAuditLog } from '@/lib/audit';
import { errorResponse, ValidationError } from '@/lib/errors';
const bodySchema = z.object({
currentPassword: z.string().min(1, 'Current password is required'),
newPassword: z.string().min(9, 'Password must be at least 9 characters'),
revokeOtherSessions: z.boolean().optional(),
});
export const POST = withAuth(async (req, ctx) => {
try {
const body = await parseBody(req, bodySchema);
const result = await auth.api.changePassword({
body: {
currentPassword: body.currentPassword,
newPassword: body.newPassword,
revokeOtherSessions: body.revokeOtherSessions,
},
headers: req.headers,
});
void createAuditLog({
portId: ctx.portId || null,
userId: ctx.userId,
action: 'password_change',
entityType: 'user',
entityId: ctx.userId,
metadata: {
revokedOtherSessions: !!body.revokeOtherSessions,
},
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
});
return NextResponse.json({ data: { ok: true, user: result.user } });
} catch (err) {
if (err && typeof err === 'object' && 'message' in err) {
const msg = String((err as { message?: unknown }).message ?? '');
if (
msg.toLowerCase().includes('invalid password') ||
msg.toLowerCase().includes('incorrect')
) {
return errorResponse(new ValidationError('Current password is incorrect'));
}
}
return errorResponse(err);
}
});

230
src/components/settings/user-profile.tsx Normal file
View File

@@ -0,0 +1,230 @@
'use client';
import { useState, useEffect } from 'react';
import { Save } from 'lucide-react';
import { Button } from '@/components/ui/button';
import { Input } from '@/components/ui/input';
import { Label } from '@/components/ui/label';
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
import { PageHeader } from '@/components/shared/page-header';
import { apiFetch } from '@/lib/api/client';
interface MeUser {
id?: string;
email?: string;
name?: string;
}
export function UserProfile() {
const [me, setMe] = useState<MeUser | null>(null);
const [displayName, setDisplayName] = useState('');
const [savingProfile, setSavingProfile] = useState(false);
const [profileMessage, setProfileMessage] = useState<{ kind: 'ok' | 'err'; text: string } | null>(
null,
);
const [currentPassword, setCurrentPassword] = useState('');
const [newPassword, setNewPassword] = useState('');
const [confirmPassword, setConfirmPassword] = useState('');
const [revokeOthers, setRevokeOthers] = useState(true);
const [savingPassword, setSavingPassword] = useState(false);
const [passwordMessage, setPasswordMessage] = useState<{
kind: 'ok' | 'err';
text: string;
} | null>(null);
useEffect(() => {
void load();
}, []);
async function load() {
const res = await apiFetch<{ data: { user?: MeUser } }>('/api/v1/me');
setMe(res.data.user ?? null);
setDisplayName(res.data.user?.name ?? '');
}
async function saveProfile() {
setSavingProfile(true);
setProfileMessage(null);
try {
await apiFetch('/api/v1/me', {
method: 'PATCH',
body: { displayName: displayName || undefined },
});
setProfileMessage({ kind: 'ok', text: 'Profile saved' });
} catch (err) {
setProfileMessage({
kind: 'err',
text: err instanceof Error ? err.message : 'Failed to save profile',
});
} finally {
setSavingProfile(false);
}
}
async function changePassword(e: React.FormEvent) {
e.preventDefault();
setPasswordMessage(null);
if (newPassword.length < 9) {
setPasswordMessage({ kind: 'err', text: 'New password must be at least 9 characters' });
return;
}
if (newPassword !== confirmPassword) {
setPasswordMessage({ kind: 'err', text: 'New password and confirmation do not match' });
return;
}
setSavingPassword(true);
try {
await apiFetch('/api/v1/me/password', {
method: 'POST',
body: { currentPassword, newPassword, revokeOtherSessions: revokeOthers },
});
setCurrentPassword('');
setNewPassword('');
setConfirmPassword('');
setPasswordMessage({
kind: 'ok',
text: revokeOthers
? 'Password changed. Other sessions have been signed out.'
: 'Password changed.',
});
} catch (err) {
setPasswordMessage({
kind: 'err',
text: err instanceof Error ? err.message : 'Failed to change password',
});
} finally {
setSavingPassword(false);
}
}
return (
<div>
<PageHeader title="Profile" description="Your account details and password" />
<div className="space-y-6 mt-6">
<Card>
<CardHeader>
<CardTitle>Account</CardTitle>
<CardDescription>Identity and display preferences for your CRM account</CardDescription>
</CardHeader>
<CardContent className="space-y-4">
<div>
<Label>Email</Label>
<Input value={me?.email ?? ''} readOnly className="mt-1" />
<p className="text-xs text-muted-foreground mt-1">
Email is your sign-in identifier and cannot be changed here.
</p>
</div>
<div>
<Label htmlFor="displayName">Display name</Label>
<Input
id="displayName"
value={displayName}
onChange={(e) => setDisplayName(e.target.value)}
placeholder="How your name appears in comments, audit log, and emails"
className="mt-1"
/>
</div>
<div className="flex items-center gap-3">
<Button onClick={saveProfile} disabled={savingProfile} size="sm">
<Save className="h-3.5 w-3.5 mr-1.5" />
Save profile
</Button>
{profileMessage ? (
<span
className={
profileMessage.kind === 'ok' ? 'text-sm text-green-600' : 'text-sm text-red-600'
}
>
{profileMessage.text}
</span>
) : null}
</div>
</CardContent>
</Card>
<Card>
<CardHeader>
<CardTitle>Change password</CardTitle>
<CardDescription>
Minimum 9 characters. You&rsquo;ll be prompted to sign in again on your other devices
if you check the box below.
</CardDescription>
</CardHeader>
<CardContent>
<form onSubmit={changePassword} className="space-y-4 max-w-md">
<div>
<Label htmlFor="currentPassword">Current password</Label>
<Input
id="currentPassword"
type="password"
autoComplete="current-password"
required
value={currentPassword}
onChange={(e) => setCurrentPassword(e.target.value)}
className="mt-1"
/>
</div>
<div>
<Label htmlFor="newPassword">New password</Label>
<Input
id="newPassword"
type="password"
autoComplete="new-password"
required
minLength={9}
value={newPassword}
onChange={(e) => setNewPassword(e.target.value)}
className="mt-1"
/>
</div>
<div>
<Label htmlFor="confirmPassword">Confirm new password</Label>
<Input
id="confirmPassword"
type="password"
autoComplete="new-password"
required
minLength={9}
value={confirmPassword}
onChange={(e) => setConfirmPassword(e.target.value)}
className="mt-1"
/>
</div>
<div className="flex items-center gap-2">
<input
id="revokeOthers"
type="checkbox"
checked={revokeOthers}
onChange={(e) => setRevokeOthers(e.target.checked)}
className="h-4 w-4"
/>
<Label htmlFor="revokeOthers" className="text-sm font-normal cursor-pointer">
Sign out of other devices
</Label>
</div>
<div className="flex items-center gap-3">
<Button type="submit" disabled={savingPassword} size="sm">
Change password
</Button>
{passwordMessage ? (
<span
className={
passwordMessage.kind === 'ok'
? 'text-sm text-green-600'
: 'text-sm text-red-600'
}
>
{passwordMessage.text}
</span>
) : null}
</div>
</form>
</CardContent>
</Card>
</div>
</div>
);
}