MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6b40fe7726ae9137ae274cdb423d0fae3381c630
MOPC-Portal/src/app/api/auth/check-email/route.ts

38 lines
1.2 KiB
TypeScript
Raw Normal View History

fix: admin role change, logo access, magic link validation, login help - Add updateTeamMemberRole mutation for admins to change team member roles - Allow any team member (not just lead) to change project logo - Add visible "Add logo"/"Change" label under logo for discoverability - Pre-check email existence before sending magic link (show error) - Add "forgot which email" contact link on login page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 16:37:45 +01:00
import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/prisma'
fix: security hardening + performance refactoring (code review batch 1) - IDOR fix: deliberation vote now verifies juryMemberId === ctx.user.id - Rate limiting: tRPC middleware (100/min), AI endpoints (5/hr), auth IP-based (10/15min) - 6 compound indexes added to Prisma schema - N+1 eliminated in processRoundClose (batch updateMany/createMany) - N+1 eliminated in batchCheckRequirementsAndTransition (3 batch queries) - Service extraction: juror-reassignment.ts (578 lines) - Dead code removed: award.ts, cohort.ts, decision.ts (680 lines) - 35 bare catch blocks replaced across 16 files - Fire-and-forget async calls fixed - Notification false positive bug fixed Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:18:24 +01:00
import { checkRateLimit } from '@/lib/rate-limit'
fix: admin role change, logo access, magic link validation, login help - Add updateTeamMemberRole mutation for admins to change team member roles - Allow any team member (not just lead) to change project logo - Add visible "Add logo"/"Change" label under logo for discoverability - Pre-check email existence before sending magic link (show error) - Add "forgot which email" contact link on login page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 16:37:45 +01:00
/**
* Pre-check whether an email exists before sending a magic link.
* This is a closed platform (no self-registration) so revealing
* email existence is acceptable and helps users who mistype.
fix: security hardening + performance refactoring (code review batch 1) - IDOR fix: deliberation vote now verifies juryMemberId === ctx.user.id - Rate limiting: tRPC middleware (100/min), AI endpoints (5/hr), auth IP-based (10/15min) - 6 compound indexes added to Prisma schema - N+1 eliminated in processRoundClose (batch updateMany/createMany) - N+1 eliminated in batchCheckRequirementsAndTransition (3 batch queries) - Service extraction: juror-reassignment.ts (578 lines) - Dead code removed: award.ts, cohort.ts, decision.ts (680 lines) - 35 bare catch blocks replaced across 16 files - Fire-and-forget async calls fixed - Notification false positive bug fixed Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:18:24 +01:00
* Rate-limited to 10 requests per 15 minutes per IP.
fix: admin role change, logo access, magic link validation, login help - Add updateTeamMemberRole mutation for admins to change team member roles - Allow any team member (not just lead) to change project logo - Add visible "Add logo"/"Change" label under logo for discoverability - Pre-check email existence before sending magic link (show error) - Add "forgot which email" contact link on login page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 16:37:45 +01:00
*/
export async function POST(req: NextRequest) {
try {
fix: security hardening + performance refactoring (code review batch 1) - IDOR fix: deliberation vote now verifies juryMemberId === ctx.user.id - Rate limiting: tRPC middleware (100/min), AI endpoints (5/hr), auth IP-based (10/15min) - 6 compound indexes added to Prisma schema - N+1 eliminated in processRoundClose (batch updateMany/createMany) - N+1 eliminated in batchCheckRequirementsAndTransition (3 batch queries) - Service extraction: juror-reassignment.ts (578 lines) - Dead code removed: award.ts, cohort.ts, decision.ts (680 lines) - 35 bare catch blocks replaced across 16 files - Fire-and-forget async calls fixed - Notification false positive bug fixed Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:18:24 +01:00
const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown'
const rateResult = checkRateLimit(`check-email:${ip}`, 10, 15 * 60 * 1000)
if (!rateResult.success) {
return NextResponse.json(
{ exists: false, error: 'Too many requests' },
{ status: 429 },
)
}
fix: admin role change, logo access, magic link validation, login help - Add updateTeamMemberRole mutation for admins to change team member roles - Allow any team member (not just lead) to change project logo - Add visible "Add logo"/"Change" label under logo for discoverability - Pre-check email existence before sending magic link (show error) - Add "forgot which email" contact link on login page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 16:37:45 +01:00
const { email } = await req.json()
if (!email || typeof email !== 'string') {
return NextResponse.json({ exists: false }, { status: 400 })
}
const user = await prisma.user.findUnique({
where: { email: email.toLowerCase().trim() },
select: { status: true },
})
const exists = !!user && user.status !== 'SUSPENDED'
return NextResponse.json({ exists })
} catch {
return NextResponse.json({ exists: false }, { status: 500 })
}
}
Reference in New Issue Copy Permalink