msgapp/src/app/api/me/password/route.ts
koreacomp5 4337a8f69a
fix
2025-11-10 00:04:17 +09:00


import { NextResponse } from "next/server";
import prisma from "@/lib/prisma";
import { getUserIdOrAdmin } from "@/lib/auth";
import { verifyPassword, hashPassword } from "@/lib/password";
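/**
 * PUT handler that changes the authenticated user's password.
 *
 * Expects a JSON body with `currentPassword` and `newPassword`. The current
 * password is verified against the stored hash before the new hash is written.
 *
 * Responses:
 * - 401 when `getUserIdOrAdmin` yields no user id.
 * - 400 for malformed JSON, missing or non-string fields, a new password
 *   outside 8..100 characters, an unknown user, a wrong current password, or
 *   a new password equal to the current one.
 * - 500 when the lookup, verification or update throws.
 * - 200 `{ ok: true }` on success.
 *
 * NOTE(review): rate limiting of current-password attempts and revocation of
 * existing sessions after a change are not visible in this file. Confirm they
 * are handled elsewhere.
 */
export async function PUT(req: Request) {
  const userId = await getUserIdOrAdmin(req);
  if (!userId) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

  // Parse the body on its own so that only malformed JSON is reported as a
  // client error; failures further down are server-side.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "Bad Request" }, { status: 400 });
  }

  try {
    const fields: Record<string, unknown> =
      typeof body === "object" && body !== null ? (body as Record<string, unknown>) : {};
    const currentPassword = fields.currentPassword;
    const newPassword = fields.newPassword;

    // The body is untrusted: a type annotation does not stop a client from
    // sending numbers, arrays or objects, so check the runtime type before
    // anything reaches the length check or the password helpers.
    if (
      typeof currentPassword !== "string" ||
      typeof newPassword !== "string" ||
      !currentPassword ||
      !newPassword
    ) {
      return NextResponse.json({ error: "currentPassword and newPassword required" }, { status: 400 });
    }
    if (newPassword.length < 8 || newPassword.length > 100) {
      return NextResponse.json({ error: "password length invalid" }, { status: 400 });
    }

    const user = await prisma.user.findUnique({
      where: { userId },
      select: { passwordHash: true },
    });
    if (!user || !user.passwordHash) {
      return NextResponse.json({ error: "invalid user" }, { status: 400 });
    }

    // NOTE(review): verifyPassword and hashPassword are used as synchronous
    // helpers here. If verifyPassword ever returns a Promise, the negated
    // check below is never true and any current password would be accepted.
    // Confirm against "@/lib/password".
    if (!verifyPassword(currentPassword, user.passwordHash)) {
      return NextResponse.json({ error: "현재 비밀번호가 올바르지 않습니다" }, { status: 400 });
    }
    if (verifyPassword(newPassword, user.passwordHash)) {
      // The new password is identical to the existing one.
      return NextResponse.json({ error: "새 비밀번호가 기존과 동일합니다" }, { status: 400 });
    }

    await prisma.user.update({
      where: { userId },
      data: { passwordHash: hashPassword(newPassword) },
    });
    return NextResponse.json({ ok: true });
  } catch (err: unknown) {
    // Log only the error class: the full error object may carry query
    // parameters, which would include the password hash being written.
    console.error("password change failed:", err instanceof Error ? err.name : "unknown error");
    return NextResponse.json({ error: "Internal Server Error" }, { status: 500 });
  }
}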