Initial commit

app/api/invites/accept/route.ts

@@ -0,0 +1,72 @@
+import { db } from '@/lib/db'
+import { invites, users } from '@/lib/db/schema'
+import { eq, and, isNull, gt } from 'drizzle-orm'
+import { NextRequest, NextResponse } from 'next/server'
+import bcrypt from 'bcryptjs'
+
+export async function POST(request: NextRequest) {
+  const { token, fullName, password } = await request.json()
+
+  if (!token || !fullName || !password) {
+    return NextResponse.json({ error: 'Missing required fields' }, { status: 400 })
+  }
+
+  if (password.length < 8) {
+    return NextResponse.json(
+      { error: 'Password must be at least 8 characters' },
+      { status: 400 }
+    )
+  }
+
+  // Validate invite
+  const inviteResult = await db
+    .select()
+    .from(invites)
+    .where(eq(invites.token, token))
+    .limit(1)
+
+  const invite = inviteResult[0]
+
+  if (!invite) {
+    return NextResponse.json({ error: 'Invalid invite link' }, { status: 400 })
+  }
+  if (invite.usedAt) {
+    return NextResponse.json({ error: 'This invite has already been used' }, { status: 400 })
+  }
+  if (new Date(invite.expiresAt) < new Date()) {
+    return NextResponse.json({ error: 'This invite has expired' }, { status: 400 })
+  }
+
+  // Check if user with this email already exists
+  const existingUser = await db
+    .select({ id: users.id })
+    .from(users)
+    .where(eq(users.email, invite.email))
+    .limit(1)
+
+  if (existingUser.length > 0) {
+    return NextResponse.json(
+      { error: 'An account with this email already exists' },
+      { status: 409 }
+    )
+  }
+
+  const passwordHash = await bcrypt.hash(password, 12)
+
+  const newUser = await db
+    .insert(users)
+    .values({
+      email: invite.email,
+      passwordHash,
+      fullName: fullName.trim(),
+    })
+    .returning({ id: users.id })
+
+  // Mark invite as used
+  await db
+    .update(invites)
+    .set({ usedAt: new Date(), usedBy: newUser[0].id })
+    .where(eq(invites.token, token))
+
+  return NextResponse.json({ success: true })
+}

app/api/invites/route.ts

@@ -0,0 +1,76 @@
+import { auth } from '@/auth'
+import { db } from '@/lib/db'
+import { invites, users } from '@/lib/db/schema'
+import { eq, and, isNull, gt } from 'drizzle-orm'
+import { NextRequest, NextResponse } from 'next/server'
+
+async function requireAdmin() {
+  const session = await auth()
+  if (!session?.user?.id) return null
+  const role = (session.user as { role: string }).role
+  if (role !== 'admin') return null
+  return session.user
+}
+
+export async function POST(request: NextRequest) {
+  const admin = await requireAdmin()
+  if (!admin) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+
+  const { email } = await request.json()
+  if (!email || typeof email !== 'string') {
+    return NextResponse.json({ error: 'Valid email required' }, { status: 400 })
+  }
+
+  const normalizedEmail = email.toLowerCase().trim()
+
+  // Check for existing pending invite
+  const existing = await db
+    .select({ id: invites.id })
+    .from(invites)
+    .where(
+      and(
+        eq(invites.email, normalizedEmail),
+        isNull(invites.usedAt),
+        gt(invites.expiresAt, new Date())
+      )
+    )
+    .limit(1)
+
+  if (existing.length > 0) {
+    return NextResponse.json(
+      { error: 'A pending invite already exists for this email' },
+      { status: 409 }
+    )
+  }
+
+  const result = await db
+    .insert(invites)
+    .values({ email: normalizedEmail, createdBy: admin.id })
+    .returning()
+
+  return NextResponse.json({ invite: result[0] }, { status: 201 })
+}
+
+export async function GET() {
+  const admin = await requireAdmin()
+  if (!admin) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+
+  const result = await db
+    .select()
+    .from(invites)
+    .orderBy(invites.createdAt)
+
+  return NextResponse.json({ invites: result.reverse() })
+}
+
+export async function DELETE(request: NextRequest) {
+  const admin = await requireAdmin()
+  if (!admin) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+
+  const { id } = await request.json()
+  if (!id) return NextResponse.json({ error: 'Invite ID required' }, { status: 400 })
+
+  await db.delete(invites).where(eq(invites.id, id))
+
+  return NextResponse.json({ success: true })
+}