Add admin panel with member management and password reset

Features: - Admin panel at /settings/members for workspace owners - View all workspace members with roles and last login - Create new users directly (with temporary password) - Change member roles (Owner/Editor/Viewer) - Reset user passwords (forces change on next login) - Remove members from workspace - Force password reset flow on login - Track last login timestamp for users API Routes: - GET/POST /api/workspaces/[id]/members - GET/PATCH/DELETE /api/workspaces/[id]/members/[memberId] - POST /api/workspaces/[id]/members/[memberId]/reset-password - POST /api/auth/change-password Schema changes: - Added lastLoginAt DateTime? to User model - Added forcePasswordReset Boolean to User model Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-25 13:51:40 +08:00 · 2026-01-24 01:22:10 +00:00
parent f9a7b68a99
commit 66cb1ea095
10 changed files with 1135 additions and 11 deletions
--- a/src/app/api/workspaces/[id]/members/route.ts
+++ b/src/app/api/workspaces/[id]/members/route.ts
@@ -0,0 +1,197 @@
+import { NextResponse } from 'next/server'
+import { prisma } from '@/lib/db/prisma'
+import { withAuth, type AuthenticatedRequest, hashPassword } from '@/lib/auth'
+import { checkWorkspaceAccess } from '@/lib/db/workspace-access'
+import { z } from 'zod'
+
+// GET /api/workspaces/[id]/members - List all members
+export const GET = withAuth(async (
+  req: AuthenticatedRequest,
+  { params }: { params: Promise<Record<string, string>> }
+) => {
+  try {
+    const { id: workspaceId } = await params
+
+    // Check access (must be at least a member)
+    const access = await checkWorkspaceAccess(workspaceId, req.session.user.id)
+    if (!access) {
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    const members = await prisma.workspaceMember.findMany({
+      where: { workspaceId },
+      include: {
+        user: {
+          select: {
+            id: true,
+            name: true,
+            email: true,
+            lastLoginAt: true,
+            forcePasswordReset: true,
+            createdAt: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'asc' },
+    })
+
+    return NextResponse.json({
+      members: members.map((m) => ({
+        id: m.id,
+        role: m.role,
+        joinedAt: m.createdAt,
+        user: m.user,
+      })),
+    })
+  } catch (error) {
+    console.error('List members error:', error)
+    return NextResponse.json({ error: 'Failed to list members' }, { status: 500 })
+  }
+})
+
+const createUserSchema = z.object({
+  name: z.string().min(1, 'Name is required'),
+  email: z.string().email('Invalid email'),
+  password: z.string().min(8, 'Password must be at least 8 characters'),
+  role: z.enum(['OWNER', 'EDITOR', 'VIEWER']).default('VIEWER'),
+  forcePasswordReset: z.boolean().default(true),
+})
+
+// POST /api/workspaces/[id]/members - Create a new user and add to workspace
+export const POST = withAuth(async (
+  req: AuthenticatedRequest,
+  { params }: { params: Promise<Record<string, string>> }
+) => {
+  try {
+    const { id: workspaceId } = await params
+
+    // Check access (must be owner)
+    const access = await checkWorkspaceAccess(workspaceId, req.session.user.id)
+    if (!access || access.role !== 'OWNER') {
+      return NextResponse.json({ error: 'Only owners can create users' }, { status: 403 })
+    }
+
+    const body = await req.json()
+    const result = createUserSchema.safeParse(body)
+
+    if (!result.success) {
+      return NextResponse.json(
+        { error: 'Invalid input', details: result.error.flatten() },
+        { status: 400 }
+      )
+    }
+
+    const { name, email, password, role, forcePasswordReset } = result.data
+
+    // Check if user already exists
+    const existingUser = await prisma.user.findUnique({
+      where: { email: email.toLowerCase() },
+    })
+
+    if (existingUser) {
+      // Check if already a member
+      const existingMember = await prisma.workspaceMember.findUnique({
+        where: {
+          workspaceId_userId: {
+            workspaceId,
+            userId: existingUser.id,
+          },
+        },
+      })
+
+      if (existingMember) {
+        return NextResponse.json(
+          { error: 'User is already a member of this workspace' },
+          { status: 400 }
+        )
+      }
+
+      // Add existing user to workspace
+      const member = await prisma.workspaceMember.create({
+        data: {
+          workspaceId,
+          userId: existingUser.id,
+          role,
+        },
+        include: {
+          user: {
+            select: {
+              id: true,
+              name: true,
+              email: true,
+              lastLoginAt: true,
+              forcePasswordReset: true,
+              createdAt: true,
+            },
+          },
+        },
+      })
+
+      return NextResponse.json({
+        member: {
+          id: member.id,
+          role: member.role,
+          joinedAt: member.createdAt,
+          user: member.user,
+        },
+        message: 'Existing user added to workspace',
+      })
+    }
+
+    // Create new user and add to workspace
+    const passwordHash = await hashPassword(password)
+
+    const user = await prisma.user.create({
+      data: {
+        name,
+        email: email.toLowerCase(),
+        passwordHash,
+        forcePasswordReset,
+        workspaceMembers: {
+          create: {
+            workspaceId,
+            role,
+          },
+        },
+      },
+      select: {
+        id: true,
+        name: true,
+        email: true,
+        lastLoginAt: true,
+        forcePasswordReset: true,
+        createdAt: true,
+        workspaceMembers: {
+          where: { workspaceId },
+          select: {
+            id: true,
+            role: true,
+            createdAt: true,
+          },
+        },
+      },
+    })
+
+    const member = user.workspaceMembers[0]
+
+    return NextResponse.json({
+      member: {
+        id: member.id,
+        role: member.role,
+        joinedAt: member.createdAt,
+        user: {
+          id: user.id,
+          name: user.name,
+          email: user.email,
+          lastLoginAt: user.lastLoginAt,
+          forcePasswordReset: user.forcePasswordReset,
+          createdAt: user.createdAt,
+        },
+      },
+      message: 'User created and added to workspace',
+    }, { status: 201 })
+  } catch (error) {
+    console.error('Create user error:', error)
+    return NextResponse.json({ error: 'Failed to create user' }, { status: 500 })
+  }
+})