Fixes from the code review: - #1 Wire mustChangePassword: dashboard layout redirects to a new /change-password page + /api/account/change-password (verifies current pw, re-hashes, clears the flag, refreshes the session). Provisioned admins can no longer keep the default. - #2 Assert NEXTAUTH_SECRET in production (not during build); set it on authOptions. - #3 Backup page now server-gated to admins (split into server page + client panel), matching the Updates page. - #4 Restore validates input: strict zod schema for the users table (known fields, role enum) + array checks for the rest; returns generic errors instead of String(err). No version bump/changelog — left for you to fold into the next release (you're editing those live). Not pushed, not deployed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
14 lines
507 B
TypeScript
14 lines
507 B
TypeScript
import { Metadata } from "next";
|
|
import { redirect } from "next/navigation";
|
|
import { getSession } from "@/lib/auth";
|
|
import { ChangePasswordForm } from "@/components/account/change-password-form";
|
|
|
|
export const metadata: Metadata = { title: "Change password" };
|
|
export const dynamic = "force-dynamic";
|
|
|
|
export default async function ChangePasswordPage() {
|
|
const session = await getSession();
|
|
if (!session) redirect("/login");
|
|
return <ChangePasswordForm forced={session.user.mustChangePassword} />;
|
|
}
|