path: root/src/app/api/user/2fa/route.ts
blob: c5fcf8325329ef5c31051a68da669026309861d3 (plain)
import { NextRequest, NextResponse } from "next/server"
import { getServerSession } from "next-auth"
import { authenticator } from "otplib"
import QRCode from "qrcode"
import dbConnect from "@/lib/mongodb"
import User from "@/model/User"
import { authOptions } from "@/lib/auth"

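/**
 * Finish a two-factor enrollment and switch TOTP on for the signed-in user.
 *
 * Expects a JSON body `{ code, secret }`, both strings: `secret` is the base32
 * value PUT handed to the client and `code` is the current TOTP computed from
 * it. The secret is persisted only after `code` verifies against it, which is
 * what proves the client actually enrolled that secret in an authenticator.
 *
 * NOTE(review): nothing here checks whether 2FA is already enabled, so an
 * active session can overwrite an existing secret without presenting the old
 * factor — confirm that matches the intended threat model. `twoFactorSecret`
 * is written as received; whether the model encrypts it at rest is not
 * visible from this file.
 *
 * @param req - Incoming request; only its JSON body is read.
 * @returns 401 without a session; 400 for a non-JSON body, missing or
 * non-string fields, or a code that does not verify; 500 on an unexpected
 * failure; otherwise `{ success: true }`.
 */
export async function POST(req: NextRequest) {
  try {
    const session = await getServerSession(authOptions)
    if (!session?.user?.id) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
    }

    // A body that is not valid JSON is a client error; without this guard it
    // would surface as the generic 500 below.
    let body: unknown
    try {
      body = await req.json()
    } catch {
      return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 })
    }

    // Narrow the untrusted payload instead of destructuring it blindly:
    // otplib expects strings, and a non-string `code` or `secret` would
    // otherwise reach it unchecked.
    const fields: Record<string, unknown> =
      typeof body === "object" && body !== null
        ? (body as Record<string, unknown>)
        : {}
    const { code, secret } = fields
    if (
      typeof code !== "string" ||
      code.length === 0 ||
      typeof secret !== "string" ||
      secret.length === 0
    ) {
      return NextResponse.json(
        { error: "Code and secret are required" },
        { status: 400 }
      )
    }

    // otplib may throw on a secret that is not decodable base32; treat that
    // the same as a wrong code rather than letting it escalate to a 500.
    let isValid = false
    try {
      isValid = authenticator.check(code, secret)
    } catch {
      isValid = false
    }

    if (!isValid) {
      return NextResponse.json(
        { error: "Invalid two-factor code" },
        { status: 400 }
      )
    }

    await dbConnect()
    await User.findByIdAndUpdate(session.user.id, {
      twoFactorEnabled: true,
      twoFactorSecret: secret,
    })

    return NextResponse.json({ success: true })
  } catch (error) {
    console.error("2FA enable error:", error)
    return NextResponse.json(
      { error: "Failed to enable two-factor authentication" },
      { status: 500 }
    )
  }
}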

/**
 * Disable two-factor authentication for the signed-in user.
 *
 * Clears the `twoFactorEnabled` flag and removes `twoFactorSecret` from the
 * user document. The only gate is a valid session: no current TOTP code or
 * password is re-checked here, so a hijacked session is enough to turn 2FA
 * off — worth confirming that is intended.
 *
 * @returns 401 without a session, 500 on failure, otherwise `{ success: true }`.
 */
export async function DELETE() {
  try {
    const session = await getServerSession(authOptions)
    const userId = session?.user?.id
    if (!userId) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
    }

    const disableUpdate = {
      twoFactorEnabled: false,
      $unset: { twoFactorSecret: 1 },
    }
    await dbConnect()
    await User.findByIdAndUpdate(userId, disableUpdate)

    return NextResponse.json({ success: true })
  } catch (error) {
    console.error("2FA disable error:", error)
    const failure = { error: "Failed to disable two-factor authentication" }
    return NextResponse.json(failure, { status: 500 })
  }
}

/**
 * Start a two-factor enrollment: mint a fresh TOTP secret and the QR code the
 * user scans into an authenticator app.
 *
 * Nothing is persisted here; the secret goes back to the client and is only
 * stored once POST has verified a code against it. Requires a session with an
 * email, which becomes the account label in the otpauth URI.
 *
 * @returns 401 without a session email, 500 on failure, otherwise
 * `{ secret, qrCode }` where `qrCode` is a data URL.
 */
export async function PUT() {
  try {
    const session = await getServerSession(authOptions)
    const accountEmail = session?.user?.email
    if (!accountEmail) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
    }

    const issuer = "Next-Boilerplate"
    const secret = authenticator.generateSecret()
    const otpauthUri = authenticator.keyuri(accountEmail, issuer, secret)
    const qrCode = await QRCode.toDataURL(otpauthUri)

    return NextResponse.json({ secret, qrCode })
  } catch (error) {
    console.error("2FA setup error:", error)
    const failure = { error: "Failed to generate two-factor setup" }
    return NextResponse.json(failure, { status: 500 })
  }
}