Fixed Issue #6

.gitignore

@@ -32,6 +32,7 @@ yarn-error.log*
 
 # env files (can opt-in for committing if needed)
 .env*
+.env.local
 
 # vercel
 .vercel

app/HomeWrapper.tsx

@@ -0,0 +1,30 @@
+"use client"
+
+import { useSession } from "next-auth/react"
+import { useRouter } from "next/navigation"
+import { useEffect } from "react"
+
+export default function HomeWrapper({ children }: { children: React.ReactNode }) {
+  const { data: session, status } = useSession()
+  const router = useRouter()
+
+  useEffect(() => {
+    if (status === "loading") return
+
+    if (session?.user?.needsPassword) {
+      router.replace("/set-password?email=" + session.user.email)
+    }
+  }, [session, status, router])
+
+  if (status === "loading") {
+    return (
+      <div className="flex min-h-screen items-center justify-center">
+        <p className="text-sm text-muted">Loading...</p>
+      </div>
+    )
+  }
+
+  if (session?.user?.needsPassword) return null
+
+  return <>{children}</>
+}

app/access-denied/page.tsx

@@ -0,0 +1,30 @@
+"use client"
+
+import Link from "next/link"
+
+export default function AccessDeniedPage() {
+  return (
+    <div className="flex min-h-screen items-center justify-center">
+      <div className="mx-auto max-w-md rounded-xl border border-border bg-background p-8 text-center">
+        <h2 className="text-xl font-semibold">Access Denied</h2>
+        <p className="mt-3 text-sm text-muted">
+          Only <span className="font-medium text-foreground">@iiitl.ac.in</span> accounts are allowed to access this platform.
+        </p>
+        <div className="mt-6 flex flex-col gap-3">
+          <Link
+            href="/login"
+            className="inline-flex h-10 items-center justify-center rounded-md bg-brand px-6 text-sm font-semibold text-white hover:bg-brand-700"
+          >
+            Back to sign in
+          </Link>
+          <Link
+            href="/register"
+            className="inline-flex h-10 items-center justify-center rounded-md bg-brand px-6 text-sm font-semibold text-white hover:bg-brand-700"
+          >
+            Back to sign up
+          </Link>
+        </div>
+      </div>
+    </div>
+  )
+}

app/api/auth/[...nextauth]/route.ts

@@ -0,0 +1,3 @@
+
+
+export { GET, POST } from "@/lib/auth"

app/api/forgot-password/route.ts

@@ -0,0 +1,59 @@
+import { NextResponse } from "next/server"
+import { connectDB } from "@/lib/db"
+import { PasswordResetToken, hashToken } from "@/models/PasswordResetToken"
+import clientPromise from "@/lib/mongodb"
+import { Resend } from "resend"
+import crypto from "crypto"
+
+const resend = new Resend(process.env.RESEND_API_KEY)
+
+export async function POST(req: Request) {
+  try {
+    const { email } = await req.json()
+    const canonical = email?.trim().toLowerCase()
+
+    if (!canonical || !/@iiitl\.ac\.in$/i.test(canonical)) {
+      return NextResponse.json({ error: "Invalid email." }, { status: 400 })
+    }
+
+    const client = await clientPromise
+    const db = client.db()
+    const user = await db.collection("users").findOne({ email: canonical })
+
+    if (!user || !user.password) {
+      return NextResponse.json({ success: true })
+    }
+
+    await connectDB()
+
+    await PasswordResetToken.deleteOne({ email: canonical })
+
+    const rawToken = crypto.randomBytes(32).toString("hex")
+
+    await PasswordResetToken.create({
+      email:     canonical,
+      tokenHash: hashToken(rawToken),
+      expiresAt: new Date(Date.now() + 15 * 60 * 1000),
+    })
+
+    // Do NOT log resetUrl — it contains a bearer token that grants account access
+    const resetUrl = `${process.env.NEXTAUTH_URL}/reset-password?token=${rawToken}`
+
+    await resend.emails.send({
+      from:    process.env.EMAIL_FROM!,
+      to:      canonical,
+      subject: "Reset your IIITL Alumni password",
+      html: `
+        <p>You requested a password reset.</p>
+        <p>Click the link below to set a new password. This link expires in 15 minutes.</p>
+        <a href="${resetUrl}">${resetUrl}</a>
+        <p>If you didn't request this, you can ignore this email.</p>
+      `,
+    })
+
+    return NextResponse.json({ success: true })
+  } catch (err) {
+    console.error("FORGOT PASSWORD ERROR:", err)
+    return NextResponse.json({ error: "Internal server error" }, { status: 500 })
+  }
+}

app/api/login/route.ts

@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server"
+import clientPromise from "@/lib/mongodb"
+import bcrypt from "bcryptjs"
+import { cookies } from "next/headers"
+import { randomUUID } from "crypto"
+import { logEvent } from "@/lib/logger"
+
+export async function POST(req: Request) {
+  try {
+    const { email, password } = await req.json()
+
+    if (!email || !password) {
+      return NextResponse.json({ error: "Missing fields" }, { status: 400 })
+    }
+
+    const canonical = email.trim().toLowerCase()
+
+    if (!/@iiitl\.ac\.in$/i.test(canonical)) {
+      await logEvent(canonical, "LOGIN_REJECTED_INVALID_DOMAIN")
+      return NextResponse.json({ error: "Invalid credentials." }, { status: 401 })
+    }
+
+    const client = await clientPromise
+    const db = client.db()
+
+    const user = await db.collection("users").findOne({ email: canonical })
+    if (!user || !user.password) {
+      return NextResponse.json({ error: "Invalid email or password." }, { status: 400 })
+    }
+
+    const isValid = await bcrypt.compare(password, user.password)
+    if (!isValid) {
+      return NextResponse.json({ error: "Invalid email or password." }, { status: 400 })
+    }
+
+    const sessionToken = randomUUID()
+    const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000)
+
+    await db.collection("sessions").insertOne({
+      sessionToken,
+      userId:  user._id,
+      expires,
+    })
+
+
+    const useSecureCookies = process.env.NODE_ENV === "production"
+    const cookieName = useSecureCookies
+      ? "__Secure-next-auth.session-token"
+      : "next-auth.session-token"
+
+    const cookieStore = await cookies()
+    cookieStore.set(cookieName, sessionToken, {
+      httpOnly: true,
+      sameSite: "lax",
+      secure:   useSecureCookies,
+      path:     "/",
+      expires,
+    })
+
+    return NextResponse.json({ success: true })
+
+  } catch (err: unknown) {
+    console.error("Login Error:", err)
+    return NextResponse.json({ error: "An internal error occurred. Please try again." }, { status: 500 })
+  }
+}

app/api/rate-limit/route.ts

@@ -0,0 +1,34 @@
+import { NextResponse } from "next/server"
+import { checkRateLimit } from "@/lib/rateLimit"
+
+export async function POST(req: Request) {
+  try {
+    const body = await req.json()
+    const { email } = body
+
+    if (!email || typeof email !== "string") {
+      return NextResponse.json(
+        { allowed: false, error: "Invalid email format" },
+        { status: 400 }
+      )
+    }
+
+    const isValidDomain = /@iiitl\.ac\.in$/i.test(email)
+    if (!isValidDomain) {
+      return NextResponse.json(
+        { allowed: false, error: "Email must be a valid @iiitl.ac.in domain" },
+        { status: 400 }
+      )
+    }
+
+    const result = await checkRateLimit(email)
+
+    return NextResponse.json(result)
+  } catch (err) {
+    console.error("Rate limit error:", err)
+    return NextResponse.json(
+      { allowed: false, error: "Malformed request" },
+      { status: 400 }
+    )
+  }
+}

app/api/register/route.ts

@@ -0,0 +1,86 @@
+import { NextResponse } from "next/server"
+import clientPromise from "@/lib/mongodb"
+import bcrypt from "bcryptjs"
+import { logEvent } from "@/lib/logger"
+
+export async function POST(req: Request) {
+  try {
+    const body = await req.json()
+    const { name, email, branch, graduationYear, password } = body
+
+    if (!name || !email || !branch || !password) {
+      // Log missing-fields rejections so abuse patterns are visible
+      await logEvent(email ?? null, "REGISTER_REJECTED_MISSING_FIELDS")
+      return NextResponse.json(
+        { error: "Missing required fields" },
+        { status: 400 }
+      )
+    }
+
+    const canonical = email.trim().toLowerCase()
+
+    if (!/@iiitl\.ac\.in$/i.test(canonical)) {
+      await logEvent(canonical, "REGISTER_REJECTED_INVALID_DOMAIN")
+      return NextResponse.json(
+        { error: "Only @iiitl.ac.in emails are allowed." },
+        { status: 400 }
+      )
+    }
+
+    const client = await clientPromise
+    const db = client.db()
+
+    const existingUser = await db.collection("users").findOne({ email: canonical })
+    if (existingUser) {
+      await logEvent(canonical, "REGISTER_REJECTED_DUPLICATE")
+      if (!existingUser.password) {
+        return NextResponse.json(
+          { error: "Account exists without a password. Please sign in via Magic Link or Google to set one." },
+          { status: 400 }
+        )
+      }
+      return NextResponse.json(
+        { error: "An account with this email already exists." },
+        { status: 400 }
+      )
+    }
+
+    const hash = await bcrypt.hash(password, 10)
+
+    try {
+      await db.collection("users").insertOne({
+        name,
+        email:          canonical,
+        branch,
+        graduationYear,
+        password:       hash,
+        createdAt:      new Date(),
+      })
+    } catch (err: unknown) {
+      // Handle the race where two concurrent requests both pass the findOne
+      // check above and one then hits a duplicate-key error on insert
+      if (
+        typeof err === "object" &&
+        err !== null &&
+        "code" in err &&
+        (err as { code: number }).code === 11000
+      ) {
+        await logEvent(canonical, "REGISTER_REJECTED_DUPLICATE")
+        return NextResponse.json(
+          { error: "An account with this email already exists." },
+          { status: 409 }
+        )
+      }
+      throw err
+    }
+
+    return NextResponse.json({ success: true })
+
+  } catch (err: unknown) {
+    console.error("Registration error:", err)
+    return NextResponse.json(
+      { error: "Internal Server Error" },
+      { status: 500 }
+    )
+  }
+}

app/api/reset-password/route.ts

@@ -0,0 +1,50 @@
+import { NextResponse } from "next/server"
+import { connectDB } from "@/lib/db"
+import { PasswordResetToken, hashToken } from "@/models/PasswordResetToken"
+import clientPromise from "@/lib/mongodb"
+import bcrypt from "bcryptjs"
+
+export async function POST(req: Request) {
+  try {
+    const { token, password } = await req.json()
+
+    if (!token || !password) {
+      return NextResponse.json({ error: "Missing fields." }, { status: 400 })
+    }
+
+    await connectDB()
+
+    // findOneAndDelete: atomically consume the token so two concurrent
+    // requests cannot both pass and write different passwords
+    const record = await PasswordResetToken.findOneAndDelete({
+      tokenHash: hashToken(token),
+      expiresAt: { $gt: new Date() },
+    })
+
+    if (!record) {
+      return NextResponse.json(
+        { error: "Reset link is invalid or has expired." },
+        { status: 400 }
+      )
+    }
+
+    const hashed = await bcrypt.hash(password, 10)
+
+    const client = await clientPromise
+    const db = client.db()
+
+    const result = await db
+      .collection("users")
+      .updateOne({ email: record.email }, { $set: { password: hashed } })
+
+    // Fail explicitly if no account matched — don't silently return 200
+    if (result.matchedCount === 0) {
+      return NextResponse.json({ error: "Account not found." }, { status: 404 })
+    }
+
+    return NextResponse.json({ success: true })
+  } catch (err) {
+    console.error("RESET PASSWORD ERROR:", err)
+    return NextResponse.json({ error: "Internal server error" }, { status: 500 })
+  }
+}