master-ai/vibn-frontend/app/api/invites/route.ts

/**
 * POST /api/invites
 *
 * Admin-only. Creates an invite token and returns the invite URL.
 * Closes BETA_LAUNCH_PLAN P4.8.
 *
 * Body: { email?: string, note?: string, maxUses?: number }
 * Auth: Bearer ADMIN_MIGRATE_SECRET
 *
 * curl -X POST https://vibnai.com/api/invites \
 *   -H "x-admin-secret: $ADMIN_MIGRATE_SECRET" \
 *   -d '{"email":"friend@example.com","note":"beta tester"}'
 */
import { NextResponse } from "next/server";
import { query } from "@/lib/db-postgres";
import { withAdminSecret } from "@/lib/server/api-handler";
import { randomBytes } from "crypto";

let tableReady = false;
async function ensureTable() {
  if (tableReady) return;
  await query(`
    CREATE TABLE IF NOT EXISTS invites (
      token       TEXT PRIMARY KEY,
      email       TEXT,
      note        TEXT,
      max_uses    INT NOT NULL DEFAULT 1,
      use_count   INT NOT NULL DEFAULT 0,
      created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
      expires_at  TIMESTAMPTZ,
      redeemed_by TEXT[]     NOT NULL DEFAULT '{}'
    )
  `);
  await query(`CREATE INDEX IF NOT EXISTS invites_email_idx ON invites (email) WHERE email IS NOT NULL`);
  tableReady = true;
}

export const POST = withAdminSecret(
  async (request) => {
    await ensureTable();
    const body = await request.json().catch(() => ({})) as {
      email?: string;
      note?: string;
      maxUses?: number;
      expiresInDays?: number;
    };

    const token = randomBytes(20).toString("hex");
    const maxUses = Math.max(1, Math.min(100, body.maxUses ?? 1));
    const expiresAt = body.expiresInDays
      ? new Date(Date.now() + body.expiresInDays * 86_400_000).toISOString()
      : null;

    await query(
      `INSERT INTO invites (token, email, note, max_uses, expires_at)
       VALUES ($1, $2, $3, $4, $5)`,
      [token, body.email ?? null, body.note ?? null, maxUses, expiresAt],
    );

    const baseUrl =
      process.env.NEXT_PUBLIC_APP_URL ||
      process.env.NEXTAUTH_URL ||
      "https://vibnai.com";

    return NextResponse.json({
      ok: true,
      token,
      inviteUrl: `${baseUrl}/auth?invite=${token}`,
      email: body.email ?? null,
      maxUses,
      expiresAt,
    });
  },
  { secretEnvVar: "ADMIN_MIGRATE_SECRET", altHeader: "x-admin-secret" },
);

export const GET = withAdminSecret(
  async (request) => {
    await ensureTable();
    const { searchParams } = new URL(request.url);
    const limit = Math.min(200, parseInt(searchParams.get("limit") ?? "50", 10));
    const rows = await query(
      `SELECT token, email, note, max_uses, use_count, created_at, expires_at, redeemed_by
       FROM invites ORDER BY created_at DESC LIMIT $1`,
      [limit],
    );
    return NextResponse.json({ invites: rows });
  },
  { secretEnvVar: "ADMIN_MIGRATE_SECRET", altHeader: "x-admin-secret" },
);