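import { NextRequest, NextResponse } from 'next/server';
import { cookies } from 'next/headers';
import { db } from '@/lib/db';
import { csrfProtection } from '@/lib/csrf';
import { updateProfileSchema, validateRequest } from '@/lib/validationSchemas';
import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';

/**
 * PATCH handler that updates the calling user's display name.
 *
 * Checks run in this order: CSRF token → rate limit → authentication →
 * JSON parse → schema validation → database update.
 *
 * @param request - incoming request; the body is expected to be JSON matching
 *   `updateProfileSchema` (only `name` is read from it here).
 * @returns 200 with `{ success, user: { id, name, email } }` on success;
 *   403 when the CSRF check fails; 429 (with rate-limit headers) when the
 *   caller is throttled; 401 when no `userId` cookie is present; 400 when the
 *   body is not valid JSON or fails schema validation; 500 on any other error.
 */
export async function PATCH(request: NextRequest) {
  try {
    // CSRF Protection — reject before touching any state.
    const csrfCheck = csrfProtection(request);
    if (!csrfCheck.valid) {
      return NextResponse.json({ error: csrfCheck.error }, { status: 403 });
    }

    // NOTE(review): the caller's identity is taken from a plain `userId`
    // cookie with no signature check or session lookup in this handler.
    // Unless middleware outside this file has already verified the cookie,
    // its value is client-controlled — confirm it is signed/validated upstream
    // before relying on it as the row selector below.
    const userId = cookies().get('userId')?.value;

    // Rate Limiting (user-based; anonymous callers fall back to a client identifier).
    const clientId = userId || getClientIdentifier(request);
    const rateLimitResult = rateLimit(clientId, RateLimits.PROFILE_UPDATE);
    if (!rateLimitResult.success) {
      // Clamp at 0 so a reset timestamp that has just passed never yields a
      // negative retry hint.
      const retryAfterSeconds = Math.max(
        0,
        Math.ceil((rateLimitResult.reset - Date.now()) / 1000)
      );
      return NextResponse.json(
        {
          error: 'Too many requests. Please try again later.',
          retryAfter: retryAfterSeconds,
        },
        {
          status: 429,
          headers: {
            // Standard header so well-behaved clients back off without parsing the body.
            'Retry-After': retryAfterSeconds.toString(),
            'X-RateLimit-Limit': rateLimitResult.limit.toString(),
            'X-RateLimit-Remaining': rateLimitResult.remaining.toString(),
            'X-RateLimit-Reset': rateLimitResult.reset.toString(),
          },
        }
      );
    }

    if (!userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
    }

    // Parse the body on its own: a malformed JSON payload is a client error
    // (400), not a server error, so it must not fall through to the outer
    // catch where it would be logged and reported as a 500.
    let body: unknown;
    try {
      body = await request.json();
    } catch {
      return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
    }

    // Validate request body against the shared schema.
    const validation = await validateRequest(updateProfileSchema, body);
    if (!validation.success) {
      return NextResponse.json(validation.error, { status: 400 });
    }

    const { name } = validation.data;

    // Update user name in database; only the listed columns are returned to the client.
    const updatedUser = await db.user.update({
      where: { id: userId },
      data: { name: name.trim() },
      select: {
        id: true,
        name: true,
        email: true,
      },
    });

    return NextResponse.json({
      success: true,
      user: updatedUser,
    });
  } catch (error) {
    // Log server-side only; the client gets a generic message so no internal
    // detail (query shape, stack) leaks in the response.
    console.error('Error updating profile:', error);
    return NextResponse.json(
      { error: 'Internal server error' },
      { status: 500 }
    );
  }
}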