logbuch/app/change-password/actions.ts

'use server';

import { redirect } from 'next/navigation';
import { getSession, createSession } from '@/lib/session';
import { hashPassword } from '@/lib/auth';
import { query } from '@/lib/db';

export async function changePassword(
  _prevState: { error: string } | undefined,
  formData: FormData
): Promise<{ error: string }> {
  const session = await getSession();
  if (!session) redirect('/login');

  const newPassword = formData.get('newPassword') as string;
  const confirmPassword = formData.get('confirmPassword') as string;

  if (!newPassword || newPassword.length < 6) {
    return { error: 'Das Passwort muss mindestens 6 Zeichen lang sein.' };
  }

  if (newPassword === (process.env.DEFAULT_PASSWORD ?? 'welzheim')) {
    return { error: 'Das Standard-Passwort darf nicht als neues Passwort verwendet werden.' };
  }

  if (newPassword !== confirmPassword) {
    return { error: 'Die Passwörter stimmen nicht überein.' };
  }

  const hashed = await hashPassword(newPassword);
  await query(
    'UPDATE beos SET pw = ?, MustChangePassword = 0 WHERE id = ?',
    [hashed, session.beoId]
  );

  await createSession({
    kuerzel: session.kuerzel,
    beoId: session.beoId,
    beoName: session.beoName,
    mustChangePassword: false,
    isAuthenticated: true,
    role: session.role ?? null,
  });

  redirect('/');
}