jhodi.avizara/Grapevine_Disease_Detection
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
Grapevine_Disease_Detection/vineye-admin/app/api/mobile/auth/sign-out/route.ts
Yanis 792e969c00 feat(api/mobile): auth sync/me/sign-out + scans + bearer plugin 
Connect the React Native app to the admin backend so users and scans flow
into the panel and bans take effect on the device.

- Activate the bearer() plugin in lib/auth.ts so mobile clients can pass
  the better-auth session token via Authorization: Bearer header
- Add requireMobileAuth() helper in lib/auth-guard.ts that resolves the
  session, re-fetches the user from DB (banned flag is on User, not in
  the Session payload) and returns 403 with banned/bannedReason for
  banned accounts
- Extend CORS in middleware.ts to allow POST + Authorization header on
  /api/mobile/* (preflight was failing before)
- New routes:
  POST /api/mobile/auth/sync       — passwordless mobile auth via
    deterministic password derived from sha256(email + deviceId + pepper).
    Tries signIn first, falls back to signUp on USER_NOT_FOUND. Returns
    409 when the email exists with a different deviceId.
  GET  /api/mobile/auth/me         — current user enriched with
    banned/bannedReason/role/xp/level
  POST /api/mobile/auth/sign-out   — best-effort session revocation
  POST /api/mobile/scans           — create a scan, resolves diseaseSlug
    to diseaseId, never accepts an imageUrl from the device (V1 keeps
    photos local-only)
  GET  /api/mobile/scans           — own scans, 50 most recent

Validated end-to-end via curl: signUp → me → repeat sync (idempotent) →
post scan → ban via DB → me reflects banned: true → POST scans returns
403 + banned/bannedReason.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 12:02:45 +02:00

23 lines
669 B
TypeScript
Raw Permalink Blame History

import { NextRequest } from "next/server";
import { auth } from "@/lib/auth";
const CORS_HEADERS = {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "POST, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type, Authorization",
"X-API-Version": "1.0",
};
export async function OPTIONS() {
return new Response(null, { status: 204, headers: CORS_HEADERS });
}
export async function POST(request: NextRequest) {
try {
await auth.api.signOut({ headers: request.headers });
} catch {
// best-effort: even if revocation fails the mobile clears its token
}
return new Response(null, { status: 204, headers: CORS_HEADERS });
}
Reference in a new issue View git blame Copy permalink