Spaces:

Yozora721
/

pnp-chatbot-admin-v1

Sleeping

App Files Files Community

FauziIsyrinApridal commited on Aug 16

Commit

43be92e

1 Parent(s): 7ca96c1

revisi 8

Browse files

Files changed (2) hide show

middleware.ts +20 -5
utils/forgotPassword.ts +52 -4

middleware.ts CHANGED Viewed

@@ -23,22 +23,36 @@ export async function middleware(request: NextRequest) {
         },
         set(name: string, value: string, options: CookieOptions) {
           request.cookies.set({ name, value, ...options });
-          response = NextResponse.next({ request: { headers: request.headers } });
           response.cookies.set({ name, value, ...options });
         },
         remove(name: string, options: CookieOptions) {
           request.cookies.set({ name, value: "", ...options });
-          response = NextResponse.next({ request: { headers: request.headers } });
           response.cookies.set({ name, value: "", ...options });
         },
       },
-    }
   );
   const { data } = await supabase.auth.getUser();
-  const role = data?.user?.user_metadata?.role;
-  if (!data?.user || role !== "admin") {
     const url = request.nextUrl.clone();
     url.pathname = "/login";
     url.searchParams.set("error", "not_admin");
@@ -53,3 +67,4 @@ export const config = {
     "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
   ],
 };

         },
         set(name: string, value: string, options: CookieOptions) {
           request.cookies.set({ name, value, ...options });
+          response = NextResponse.next({
+            request: { headers: request.headers },
+          });
           response.cookies.set({ name, value, ...options });
         },
         remove(name: string, options: CookieOptions) {
           request.cookies.set({ name, value: "", ...options });
+          response = NextResponse.next({
+            request: { headers: request.headers },
+          });
           response.cookies.set({ name, value: "", ...options });
         },
       },
+    },
   );
   const { data } = await supabase.auth.getUser();
+  const user = data?.user;
+  const role = user?.user_metadata?.role;
+  // If not authenticated, send to login without error flag
+  if (!user) {
+    const url = request.nextUrl.clone();
+    url.pathname = "/login";
+    url.searchParams.delete("error");
+    return NextResponse.redirect(url);
+  }
+  // If authenticated but not admin, show not_admin
+  if (role !== "admin") {
     const url = request.nextUrl.clone();
     url.pathname = "/login";
     url.searchParams.set("error", "not_admin");
     "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
   ],
 };

utils/forgotPassword.ts CHANGED Viewed

@@ -1,7 +1,10 @@
 "use server";
 import { createClient } from "@/utils/supabase/server";
-export type ForgotResult = { ok: true; message: string } | { ok: false; message: string };
 export async function sendResetEmail(email: string): Promise<ForgotResult> {
   const supabase = createClient();
@@ -10,9 +13,51 @@ export async function sendResetEmail(email: string): Promise<ForgotResult> {
     return { ok: false, message: "Email tidak valid" };
   }
   // Determine redirect URL for the password reset flow
-  const siteUrl = process.env.NEXT_PUBLIC_SITE_URL?.replace(/\/$/, "") ||
-    (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
   const redirectTo = `${siteUrl}/reset-password`;
   const { error } = await supabase.auth.resetPasswordForEmail(email, {
@@ -23,5 +68,8 @@ export async function sendResetEmail(email: string): Promise<ForgotResult> {
     return { ok: false, message: "Gagal mengirim email reset. Coba lagi." };
   }
-  return { ok: true, message: "Email reset telah dikirim. Periksa kotak masuk Anda." };
 }

 "use server";
 import { createClient } from "@/utils/supabase/server";
+import { createClient as createSupabaseClient } from "@supabase/supabase-js";
+export type ForgotResult =
+  | { ok: true; message: string }
+  | { ok: false; message: string };
 export async function sendResetEmail(email: string): Promise<ForgotResult> {
   const supabase = createClient();
     return { ok: false, message: "Email tidak valid" };
   }
+  // Admin-only: verify the email belongs to an admin user before sending reset link
+  try {
+    const adminClient = createSupabaseClient(
+      process.env.NEXT_PUBLIC_SUPABASE_URL!,
+      process.env.SUPABASE_SERVICE_KEY!,
+    );
+    // list users and find by email (no direct getUserByEmail in v2)
+    let page = 1;
+    const perPage = 200;
+    let foundRole: unknown = null;
+    while (true) {
+      const { data, error } = await adminClient.auth.admin.listUsers({ page, perPage });
+      if (error) throw error;
+      const users = data?.users || [];
+      const match = users.find((u) => u.email?.toLowerCase() === email.toLowerCase());
+      if (match) {
+        foundRole = match.user_metadata?.role;
+        break;
+      }
+      if (!data || users.length < perPage) break; // no more pages
+      page += 1;
+      // safety cap to avoid excessive loops
+      if (page > 50) break;
+    }
+    if (foundRole !== "admin") {
+      // Do not reveal whether the email exists; return a generic message
+      return {
+        ok: false,
+        message: "Akun tidak diizinkan melakukan reset di aplikasi admin.",
+      };
+    }
+  } catch {
+    // Fail closed: if role check fails, do not proceed
+    return {
+      ok: false,
+      message: "Gagal memverifikasi akun. Coba lagi.",
+    };
+  }
   // Determine redirect URL for the password reset flow
+  const siteUrl =
+    process.env.NEXT_PUBLIC_SITE_URL?.replace(/\/$/, "") ||
+    (process.env.VERCEL_URL
+      ? `https://${process.env.VERCEL_URL}`
+      : "http://localhost:3000");
   const redirectTo = `${siteUrl}/reset-password`;
   const { error } = await supabase.auth.resetPasswordForEmail(email, {
     return { ok: false, message: "Gagal mengirim email reset. Coba lagi." };
   }
+  return {
+    ok: true,
+    message: "Email reset telah dikirim. Periksa kotak masuk Anda.",
+  };
 }