letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
6aaccb6d33741168aab38a3a23d0bfa6bf950868
pn-new-crm/src/app/api/auth/set-password/route.ts
Matt 3ae86f2854 fix(auth): set-password endpoint accepts both invite and reset tokens 
The /set-password page is the landing target for two unrelated email
flows:
  1. CRM admin invite → `crm_user_invites` row, consumed via
     `consumeCrmInvite` (creates the better-auth user + profile).
  2. Forgot-password → better-auth verification row, consumed via
     `auth.api.resetPassword` (rotates the password on an existing
     user).

The endpoint previously only handled (1). A user clicking a
reset-password link landed on the same page but hit a token-not-found
error because their token isn't in the invite table.

Try the invite path first (the historical behaviour); on NotFoundError
fall through to better-auth's resetPassword. Both stores rejecting
returns a single unified `INVITE_OR_RESET_INVALID` error matching the
page's existing error-rendering shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 19:06:32 +02:00

59 lines
2.1 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';
import { auth } from '@/lib/auth';
import { errorResponse, NotFoundError } from '@/lib/errors';
import { consumeCrmInvite } from '@/lib/services/crm-invite.service';
import { enforcePublicRateLimit, parseBody } from '@/lib/api/route-helpers';
const bodySchema = z.object({
token: z.string().min(1),
password: z.string().min(9),
});
export async function POST(req: NextRequest): Promise<NextResponse> {
// 10/hour/IP — bounds brute-force against either token store.
const limited = await enforcePublicRateLimit(req, 'portalToken');
if (limited) return limited;
try {
const { token, password } = await parseBody(req, bodySchema);
// Two distinct token issuers can land users on /set-password:
// 1. CRM admin invite → `crm_user_invites` row, consumed via
// `consumeCrmInvite` (creates the better-auth user + profile).
// 2. Forgot-password → better-auth verification row, consumed via
// `auth.api.resetPassword` (rotates the password on an existing
// user).
// Try the CRM-invite path first. If the token isn't in that table
// (NotFoundError), fall through to better-auth — these are mutually
// exclusive token spaces, so at most one will accept it.
try {
const result = await consumeCrmInvite({ token, password });
return NextResponse.json({ data: { email: result.email } });
} catch (err) {
if (!(err instanceof NotFoundError)) throw err;
}
try {
await auth.api.resetPassword({
body: { newPassword: password, token },
});
return NextResponse.json({ data: { email: null } });
} catch {
// Both stores rejected the token; surface a clean unified error
// (matches the `{ error: string }` shape the page consumes via
// `body.error`).
return NextResponse.json(
{
error: 'This link is invalid or has expired. Request a new one.',
code: 'INVITE_OR_RESET_INVALID',
},
{ status: 400 },
);
}
} catch (err) {
return errorResponse(err);
}
}
Reference in New Issue View Git Blame Copy Permalink