|
| 1 | +import { NextRequest, NextResponse } from 'next/server'; |
| 2 | +import { AuditAction } from '@prisma/client'; |
| 3 | +import { z } from 'zod'; |
| 4 | +import { auth } from '@/auth'; |
| 5 | +import { prisma } from '@/lib/prisma'; |
| 6 | +import { generateSecureToken, hashToken } from '@/lib/security'; |
| 7 | +import { writeAuditLog } from '@/lib/audit'; |
| 8 | + |
| 9 | +const accessActionSchema = z.object({ |
| 10 | + action: z.enum(['lock', 'unlock', 'force-reset']), |
| 11 | +}); |
| 12 | + |
| 13 | +async function assertAdmin() { |
| 14 | + const session = await auth(); |
| 15 | + if (session?.user?.role !== 'ADMIN') { |
| 16 | + return { |
| 17 | + session, |
| 18 | + response: NextResponse.json({ error: 'Only admins can manage staff access' }, { status: 403 }), |
| 19 | + }; |
| 20 | + } |
| 21 | + |
| 22 | + return { session, response: null }; |
| 23 | +} |
| 24 | + |
| 25 | +async function isLastActiveAdmin(userId: string) { |
| 26 | + const activeAdmins = await prisma.user.count({ |
| 27 | + where: { |
| 28 | + role: 'ADMIN', |
| 29 | + isActive: true, |
| 30 | + OR: [ |
| 31 | + { accountLockedUntil: null }, |
| 32 | + { accountLockedUntil: { lte: new Date() } }, |
| 33 | + ], |
| 34 | + id: { not: userId }, |
| 35 | + }, |
| 36 | + }); |
| 37 | + |
| 38 | + return activeAdmins === 0; |
| 39 | +} |
| 40 | + |
| 41 | +export async function POST( |
| 42 | + request: NextRequest, |
| 43 | + { params }: { params: Promise<{ id: string }> }, |
| 44 | +) { |
| 45 | + const { session, response } = await assertAdmin(); |
| 46 | + if (response) return response; |
| 47 | + |
| 48 | + const { id } = await params; |
| 49 | + const { action } = accessActionSchema.parse(await request.json()); |
| 50 | + const target = await prisma.user.findUnique({ |
| 51 | + where: { id }, |
| 52 | + select: { |
| 53 | + id: true, |
| 54 | + name: true, |
| 55 | + email: true, |
| 56 | + role: true, |
| 57 | + isActive: true, |
| 58 | + }, |
| 59 | + }); |
| 60 | + |
| 61 | + if (!target || !['ADMIN', 'HEALTHCARE_PROVIDER', 'RECEPTIONIST'].includes(target.role)) { |
| 62 | + return NextResponse.json({ error: 'Staff account not found' }, { status: 404 }); |
| 63 | + } |
| 64 | + |
| 65 | + if (session?.user?.id === id) { |
| 66 | + return NextResponse.json( |
| 67 | + { error: 'You cannot change access controls for your own account from this panel' }, |
| 68 | + { status: 400 }, |
| 69 | + ); |
| 70 | + } |
| 71 | + |
| 72 | + if (target.role === 'ADMIN' && (action === 'lock' || action === 'force-reset') && await isLastActiveAdmin(id)) { |
| 73 | + return NextResponse.json( |
| 74 | + { error: 'At least one active unlocked admin account is required' }, |
| 75 | + { status: 400 }, |
| 76 | + ); |
| 77 | + } |
| 78 | + |
| 79 | + if (action === 'unlock') { |
| 80 | + const user = await prisma.user.update({ |
| 81 | + where: { id }, |
| 82 | + data: { |
| 83 | + accountLockedUntil: null, |
| 84 | + failedLoginAttempts: 0, |
| 85 | + }, |
| 86 | + select: { |
| 87 | + id: true, |
| 88 | + name: true, |
| 89 | + email: true, |
| 90 | + role: true, |
| 91 | + isActive: true, |
| 92 | + accountLockedUntil: true, |
| 93 | + passwordResetExpires: true, |
| 94 | + failedLoginAttempts: true, |
| 95 | + }, |
| 96 | + }); |
| 97 | + |
| 98 | + await writeAuditLog({ |
| 99 | + request, |
| 100 | + userId: session?.user?.id, |
| 101 | + action: AuditAction.AUTH_EVENT, |
| 102 | + resource: 'StaffUser', |
| 103 | + resourceId: id, |
| 104 | + metadata: { adminAction: 'unlock-staff-account', targetEmail: target.email }, |
| 105 | + }); |
| 106 | + |
| 107 | + return NextResponse.json({ user }); |
| 108 | + } |
| 109 | + |
| 110 | + if (action === 'lock') { |
| 111 | + const lockedUntil = new Date('2099-12-31T23:59:59.000Z'); |
| 112 | + const user = await prisma.user.update({ |
| 113 | + where: { id }, |
| 114 | + data: { |
| 115 | + accountLockedUntil: lockedUntil, |
| 116 | + failedLoginAttempts: 0, |
| 117 | + }, |
| 118 | + select: { |
| 119 | + id: true, |
| 120 | + name: true, |
| 121 | + email: true, |
| 122 | + role: true, |
| 123 | + isActive: true, |
| 124 | + accountLockedUntil: true, |
| 125 | + passwordResetExpires: true, |
| 126 | + failedLoginAttempts: true, |
| 127 | + }, |
| 128 | + }); |
| 129 | + |
| 130 | + await writeAuditLog({ |
| 131 | + request, |
| 132 | + userId: session?.user?.id, |
| 133 | + action: AuditAction.AUTH_EVENT, |
| 134 | + resource: 'StaffUser', |
| 135 | + resourceId: id, |
| 136 | + metadata: { adminAction: 'lock-staff-account', targetEmail: target.email }, |
| 137 | + }); |
| 138 | + |
| 139 | + return NextResponse.json({ user }); |
| 140 | + } |
| 141 | + |
| 142 | + const resetToken = generateSecureToken(); |
| 143 | + const resetExpires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); |
| 144 | + const resetUrl = new URL('/auth/reset-password', request.nextUrl.origin); |
| 145 | + resetUrl.searchParams.set('token', resetToken); |
| 146 | + |
| 147 | + const user = await prisma.user.update({ |
| 148 | + where: { id }, |
| 149 | + data: { |
| 150 | + passwordResetToken: hashToken(resetToken), |
| 151 | + passwordResetExpires: resetExpires, |
| 152 | + accountLockedUntil: resetExpires, |
| 153 | + failedLoginAttempts: 0, |
| 154 | + }, |
| 155 | + select: { |
| 156 | + id: true, |
| 157 | + name: true, |
| 158 | + email: true, |
| 159 | + role: true, |
| 160 | + isActive: true, |
| 161 | + accountLockedUntil: true, |
| 162 | + passwordResetExpires: true, |
| 163 | + failedLoginAttempts: true, |
| 164 | + }, |
| 165 | + }); |
| 166 | + |
| 167 | + await writeAuditLog({ |
| 168 | + request, |
| 169 | + userId: session?.user?.id, |
| 170 | + action: AuditAction.AUTH_EVENT, |
| 171 | + resource: 'StaffUser', |
| 172 | + resourceId: id, |
| 173 | + metadata: { |
| 174 | + adminAction: 'force-password-reset', |
| 175 | + targetEmail: target.email, |
| 176 | + resetExpires: resetExpires.toISOString(), |
| 177 | + }, |
| 178 | + }); |
| 179 | + |
| 180 | + return NextResponse.json({ |
| 181 | + user, |
| 182 | + resetUrl: resetUrl.toString(), |
| 183 | + resetExpires, |
| 184 | + }); |
| 185 | +} |
0 commit comments