diff --git a/src/app/api/circles/[id]/invite/route.ts b/src/app/api/circles/[id]/invite/route.ts
index 37a10dd..c942c3d 100644
--- a/src/app/api/circles/[id]/invite/route.ts
+++ b/src/app/api/circles/[id]/invite/route.ts
@@ -8,26 +8,26 @@ export async function POST(
 _req: Request,
 { params }: { params: Promise<{ id: string }> }
 ) {
- const auth = await requireFamily();
- if (!auth.success) return NextResponse.json({ error: auth.error }, { status: auth.status });
-
- const familyId = auth.session!.familyId!;
- const { id: circleId } = await params;
-
- // Only admins can create invites
- const rows = await sql.unsafe(
- `SELECT role FROM circle_members WHERE circle_id = $1 AND family_id = $2`,
- [circleId, familyId]
- );
- if (!rows[0] || rows[0].role !== "admin") {
- return NextResponse.json({ error: "Only circle admins can create invites" }, { status: 403 });
- }
-
- // Cryptographically random 32-byte token (64 hex chars) — unguessable
- const token = randomBytes(32).toString("hex");
- const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
-
 try {
+ const auth = await requireFamily();
+ if (!auth.success) return NextResponse.json({ error: auth.error }, { status: auth.status });
+
+ const familyId = auth.session!.familyId!;
+ const { id: circleId } = await params;
+
+ // Only admins can create invites
+ const rows = await sql.unsafe(
+ `SELECT role FROM circle_members WHERE circle_id = $1 AND family_id = $2`,
+ [circleId, familyId]
+ );
+ if (!rows[0] || rows[0].role !== "admin") {
+ return NextResponse.json({ error: "Only circle admins can create invites" }, { status: 403 });
+ }
+
+ // Cryptographically random 32-byte token (64 hex chars) — unguessable
+ const token = randomBytes(32).toString("hex");
+ const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
 const [invite] = await sql.unsafe(
 `INSERT INTO circle_invites (circle_id, token, created_by, expires_at)
 VALUES ($1, $2, $3, $4)
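Review bot: `const familyId = auth.session!.familyId!;` on the new side still relies on two non-null assertions, so a session that carries no family id reaches the role query with an undefined parameter rather than being rejected before any database access; an explicit guard is safer, e.g. `const familyId = auth.session?.familyId;` followed by `if (!familyId) return NextResponse.json({ error: "No family on session" }, { status: 403 });`. Moving the `requireFamily()` call and the admin-role lookup inside `try` also means an exception from either is now handled by the catch block rather than propagating as before; that block lies outside this hunk, so it is worth confirming its response does not turn an authorization failure into a generic invite-creation error. The body of POST continues past the end of the hunk.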