import { NextRequest, NextResponse } from "next/server"; import { auth } from "@/src/lib/auth"; import { getUserById, updateUserPassword } from "@/src/lib/models/user"; import { createAuditEvent } from "@/src/lib/models/audit"; import bcrypt from "bcryptjs"; export async function POST(request: NextRequest) { try { const session = await auth(); if (!session?.user?.id) { return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); } const body = await request.json(); const { currentPassword, newPassword } = body; if (!newPassword || newPassword.length < 12) { return NextResponse.json( { error: "New password must be at least 12 characters long" }, { status: 400 } ); } const userId = Number(session.user.id); const user = await getUserById(userId); if (!user) { return NextResponse.json({ error: "User not found" }, { status: 404 }); } // If user has a password, verify current password if (user.password_hash) { if (!currentPassword) { return NextResponse.json( { error: "Current password is required" }, { status: 400 } ); } const isValid = bcrypt.compareSync(currentPassword, user.password_hash); if (!isValid) { return NextResponse.json( { error: "Current password is incorrect" }, { status: 401 } ); } } // Hash new password const newPasswordHash = bcrypt.hashSync(newPassword, 12); // Update password await updateUserPassword(userId, newPasswordHash); // Audit log await createAuditEvent({ userId, action: user.password_hash ? "password_changed" : "password_set", entityType: "user", entityId: userId, summary: user.password_hash ? "User changed their password" : "User set a password", }); return NextResponse.json({ success: true, message: "Password updated successfully" }); } catch (error) { console.error("Password change error:", error); return NextResponse.json( { error: "Failed to change password" }, { status: 500 } ); } }