kovakmedya/lab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kovakmedya/lab:3de06add716bad7000b57f41e70dda699505db71
Branches Tags
kovakmedya/lab:main
..
compare: kovakmedya/lab:main
Branches Tags
kovakmedya/lab:main

5 Commits
3de06add71 .. main

Author SHA1 Message Date
kovakmedya 2762aceb04 feat(notifications): severity (info/warning) + cover the gaps in the flow matrix 
Modelled the real crown-and-bridge workflow (impression → accept →
framework try-in → bisque try-in → glaze/cila → delivery, with revisions
bouncing back at any try-in stage). Mapped every event in our system to
the appropriate side and tagged the ones a user actually needs to act on
versus normal progress traffic.

DB
  - notifications.severity enum ('info' | 'warning', default 'info').
    Existing rows default to info.

Helper
  - createNotification gains an optional severity param; persists into
    the new column.

Matrix changes (warnings vs infos)
  Lab side:
    - Düzeltme talebi (clinic → lab)          WARNING
    - İş iptal edildi (counterpart action)    WARNING
  Clinic side:
    - Ödeme reddedildi (lab → clinic)         WARNING
    - Bağlantı reddedildi (counterpart → req) WARNING (newly fired —
      rejectConnectionAction now sends a notification, previously silent)
  Everything else (accept, hand-off, prova ready, prova approved,
  delivery, payment submitted/approved, connection request/approved):
  stays at info.

Behaviour additions in actions
  - cancelJobAction now notifies the *other* party. Previously cancelled
    jobs vanished from one side's inbox without warning. severity=warning.
  - rejectConnectionAction notifies the requester (severity=warning) so
    they know the connection didn't come through.
  - requestRevisionAction tags its existing notification as warning.
  - rejectPaymentAction tags its existing notification as warning.

UI
  - Notifications list row: unread warning rows get an amber dot, an
    amber-tinted background, and a 'Dikkat' destructive badge instead
    of the regular 'Yeni' secondary one.
  - Dashboard recent-notifications widget mirrors the same dot + bold
    treatment so warnings stand out at a glance.

Net result: a user opening the bell sees normal traffic muted (still
listed for the 'herkes her şeyden haberdar' guarantee) and the things
that actually need them coloured amber and labeled Dikkat.
 2026-05-23 17:54:47 +03:00
kovakmedya f3442e644a fix(jobs): server-side redirect after each transition + ?flash toast 
User reported that hitting 'İşleme Al' (and every sibling transition
button) succeeded server-side but the UI didn't update — they had to
refresh manually. router.refresh() from the client useEffect was racing
Next 16's RSC payload cache in production and losing.

Replaced the round-trip pattern with the canonical Next approach:
the server action does revalidatePath as before, then calls
redirect(`/jobs/$jobId?flash=<key>`). redirect() throws NEXT_REDIRECT
inside the action, the framework navigates the client, and the
destination page gets a fresh RSC payload — no client-side cache layer
to fight.

Actions wired:
  - acceptJobAction        → ?flash=accepted
  - handToClinicAction     → ?flash=handed
  - approveAtClinicAction  → ?flash=approved
  - requestRevisionAction  → ?flash=revision
  - markDeliveredAction    → ?flash=delivered
  - cancelJobAction        → ?flash=cancelled

Because redirect() never returns, the success branch of every button's
useEffect was now dead code. Trimmed every panel button to only watch
state.error (errors still come back through useActionState the normal
way) and removed the now-unused useRouter / router.refresh wiring.

Toast handling moved to a single client island:
  - components/flash-toast.tsx: reads ?flash, toasts the matching
    Turkish message, then router.replace's the URL without the param
    so a manual reload doesn't re-fire the toast. A useRef guard
    blocks the StrictMode double-mount in dev.
  - Mounted once in (dashboard)/layout.tsx wrapped in <Suspense> per
    Next's requirement for useSearchParams in a layout.

Net result: tap a button, ~400ms later the page is on the new state,
toast confirms it. No manual refresh, no cache mystery.
 2026-05-23 16:54:30 +03:00
kovakmedya 68f82d79c2 feat(kvkk): workspace data export + permanent delete 
KVKK 'veri taşınabilirliği' ve 'unutulma hakkı' için iki uçtan yeni
akış: dışa aktar ve kalıcı sil. İkisi de /settings/workspace altındaki
yeni 'Tehlikeli Bölge' kartına eklendi, sadece owner görür.

Export — GET /api/account/export
  - requireTenant guard.
  - Sırayla tenant-owned tablolar (settings, profiles, connections,
    patients, clinic_pricing, jobs, job_files, history, prosthetics,
    finance_entries, payments, notifications, audit_logs) gezilir.
    Çift sahipli tablolar (jobs, connections, payments, clinic_pricing,
    job_files, history) için iki kez sorgu atılıp $id ile dedupe edilir.
  - { exportedAt, tenantId, tenantKind, requestedBy, data } JSON olarak
    Content-Disposition: attachment ile döner. ~ek dep yok.

Delete — deleteWorkspaceAction (owner-only, server action)
  - Onay: kullanıcının companyName'i birebir yazması gerekir.
  - 1) Storage: tenant logosu + arşivlenmemiş job_files objelerini sil.
  - 2) DB: hard-delete tüm tenant verisi — notifications, audit_logs,
    payments, finance_entries, history, job_files, jobs, clinic_pricing,
    prosthetics, patients, connections, profiles, tenant_settings.
    Her tablo için Query.equal + sayfa sayfa 500'er silme.
  - 3) teams.delete(tenantId) — son aşama, takım yok artık.
  - 4) active-tenant cookie temizle; session bırak (kullanıcı başka
    workspace'e geçebilir veya çıkış yapabilir).
  - redirect('/onboarding').

UI — DangerZone (client)
  - 'JSON indir' butonu: /api/account/export'a fetch, blob download.
  - 'Sil' Dialog: çalışma alanı adı confirm input ile gated; eşit
    olana kadar 'Kalıcı olarak sil' disabled.
 2026-05-22 16:28:30 +03:00
kovakmedya 3e15d9f937 feat(security): two-factor authentication (TOTP) 
Hesap güvenliği için authenticator app (Google Authenticator, 1Password,
Authy etc.) based TOTP. SMS yok — sadece app-based per user request.

Enroll flow (/settings/security)
  - startMfaEnrollAction → account.createMFAAuthenticator('totp'),
    returns otpauth URI + plain secret as backup.
  - MfaPanel client island: starts the flow, shows the QR (rendered via
    api.qrserver.com for zero deps) plus the secret as text. Picks the
    6-digit code → verifyMfaEnrollAction calls
    updateMFAAuthenticator(totp, otp) + updateMFA(true) +
    createMFARecoveryCodes(). The recovery codes are surfaced once on
    success with a 'save these now' warning.
  - disableMfaAction + regenerateRecoveryCodesAction give the same
    panel a disable + 'yeni yedek kodlar' option once MFA is active.
  - settings-nav now has 'Güvenlik' between 'Görünüm' and 'Hesap
    Aktivitesi'.

Sign-in flow
  - signInAction:
      1. createEmailPasswordSession (sets cookie as before)
      2. users.get(userId).mfa? If yes:
         a. otp empty → return { mfaRequired: true, error }
         b. otp present → createMfaChallenge({factor: totp}) +
            updateMfaChallenge(challengeId, otp). Failure tears the
            partial session down and bounces back with mfaRequired.
  - AuthState gained an mfaRequired field. The login form watches it
    and reveals an autofocused 6-digit OTP input on the next render.
    User types the code, submits the form again, the same action
    finishes the challenge and redirects.

Existing accounts without MFA are unaffected — they never hit the
challenge branch.
 2026-05-22 16:25:26 +03:00
kovakmedya 424a323952 feat(settings): user-visible audit log + nav across settings sections 
audit_logs was a write-only firehose: every action wrote to it but
nothing ever read it. Surfaced the last 200 entries on a new
/settings/activity page so workspace admins can audit who did what.

  - lib/appwrite/audit-queries.ts: listAuditLogs(tenantId, limit=100)
    scoped to the caller's tenantId via Query.equal — multi-tenant
    safety preserved.
  - /settings/activity/page.tsx: server-rendered table — time, user,
    action badge (create/update/delete), entity label (TR), changes
    summary. Resolves userIds → displayName via a single bulk lookup
    against TABLES.profiles. Falls back to a truncated id when a
    profile isn't found so the row still reads.

Settings now has a horizontal tab nav too — there were six pages under
/settings with no cross-links between them. Added:
  - settings/layout.tsx wraps every settings page with the new nav.
  - settings/components/settings-nav.tsx (client): pathname-active
    state, scrolls horizontally on mobile. Items: Çalışma Alanı,
    Profilim, Üyeler, Bildirimler, Görünüm, Hesap Aktivitesi.
 2026-05-22 16:18:45 +03:00
24 changed files with 1231 additions and 69 deletions
Expand all files Collapse all files
src/app/(auth)/sign-in/components/login-form-1.tsx
+18
View File
@@ -88,6 +88,24 @@ export function LoginForm1({
/>
</div>
{state.mfaRequired && (
<div className="grid gap-2">
<Label htmlFor="otp">Authenticator kodu</Label>
<Input
id="otp"
name="otp"
inputMode="numeric"
pattern="[0-9]*"
maxLength={6}
autoComplete="one-time-code"
autoFocus
placeholder="000000"
className="font-mono text-lg tracking-widest"
required
/>
</div>
)}
{state.error && (
<p className="text-destructive text-sm text-center" role="alert">
{state.error}
src/app/(dashboard)/dashboard/page.tsx
+15 -4
View File
@@ -249,23 +249,34 @@ export default async function DashboardPage() {
</p>
) : (
<ul className="divide-y">
{data.recentNotifications.map((n) => (
{data.recentNotifications.map((n) => {
const isWarning = n.severity === "warning";
return (
<li
key={n.$id}
className={`flex items-start gap-3 py-2.5 ${n.read ? "opacity-70" : ""}`}
>
<span
className={`mt-1.5 size-2 shrink-0 rounded-full ${n.read ? "bg-muted" : "bg-primary"}`}
className={`mt-1.5 size-2 shrink-0 rounded-full ${
n.read
? "bg-muted"
: isWarning
? "bg-amber-500"
: "bg-primary"
}`}
aria-hidden
/>
<div className="min-w-0 flex-1">
<p className="text-sm leading-tight">{n.message}</p>
<p className={`text-sm leading-tight ${isWarning && !n.read ? "font-medium" : ""}`}>
{n.message}
</p>
<p className="text-muted-foreground mt-0.5 text-xs">
{datetimeFormatter.format(new Date(n.$createdAt))}
</p>
</div>
</li>
))}
);
})}
</ul>
)}
</CardContent>
src/app/(dashboard)/jobs/[jobId]/components/job-actions-panel.tsx
+14 -53
View File
@@ -1,7 +1,6 @@
"use client";
import { useActionState, useEffect, useState } from "react";
import { useRouter } from "next/navigation";
import {
ArrowRight,
Check,
@@ -87,17 +86,13 @@ export function JobActionsPanel({
}
function AcceptButton({ jobId }: { jobId: string }) {
const router = useRouter();
const [state, action, pending] = useActionState(acceptJobAction, initialJobActionState);
useEffect(() => {
if (state.ok) {
toast.success("İş işleme alındı, alt yapı üretimi başladı.");
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
// Success path redirects from the server action, so state.ok never
// shows up here — we only need to surface errors.
if (state.error) toast.error(state.error);
}, [state]);
return (
<form action={action}>
@@ -111,19 +106,12 @@ function AcceptButton({ jobId }: { jobId: string }) {
}
function HandToClinicButton({ job }: { job: Job }) {
const router = useRouter();
const [state, action, pending] = useActionState(handToClinicAction, initialJobActionState);
const [open, setOpen] = useState(false);
useEffect(() => {
if (state.ok) {
toast.success("Klinik tarafına gönderildi.");
setOpen(false);
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
if (state.error) toast.error(state.error);
}, [state]);
const isFinal = job.currentStep === "cila_bitim";
const stageLabel =
@@ -180,19 +168,12 @@ function HandToClinicButton({ job }: { job: Job }) {
}
function ApproveAtClinicButton({ job }: { job: Job }) {
const router = useRouter();
const [state, action, pending] = useActionState(approveAtClinicAction, initialJobActionState);
const [open, setOpen] = useState(false);
useEffect(() => {
if (state.ok) {
toast.success("Prova onaylandı, lab tarafına gönderildi.");
setOpen(false);
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
if (state.error) toast.error(state.error);
}, [state]);
const stageLabel = job.currentStep === "alt_yapi_prova" ? "alt yapı" : "üst yapı";
@@ -242,7 +223,6 @@ function ApproveAtClinicButton({ job }: { job: Job }) {
}
function RequestRevisionButton({ job }: { job: Job }) {
const router = useRouter();
const [state, action, pending] = useActionState(
requestRevisionAction,
initialJobActionState,
@@ -250,14 +230,8 @@ function RequestRevisionButton({ job }: { job: Job }) {
const [open, setOpen] = useState(false);
useEffect(() => {
if (state.ok) {
toast.success("Düzeltme talebi gönderildi.");
setOpen(false);
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
if (state.error) toast.error(state.error);
}, [state]);
return (
<Dialog open={open} onOpenChange={setOpen}>
@@ -304,17 +278,11 @@ function RequestRevisionButton({ job }: { job: Job }) {
}
function DeliverButton({ jobId }: { jobId: string }) {
const router = useRouter();
const [state, action, pending] = useActionState(markDeliveredAction, initialJobActionState);
useEffect(() => {
if (state.ok) {
toast.success("İş teslim alındı.");
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
if (state.error) toast.error(state.error);
}, [state]);
return (
<form action={action}>
@@ -328,19 +296,12 @@ function DeliverButton({ jobId }: { jobId: string }) {
}
function CancelButton({ jobId }: { jobId: string }) {
const router = useRouter();
const [state, action, pending] = useActionState(cancelJobAction, initialJobActionState);
const [open, setOpen] = useState(false);
useEffect(() => {
if (state.ok) {
toast.success("İş iptal edildi.");
setOpen(false);
router.refresh();
} else if (state.error) {
toast.error(state.error);
}
}, [state, router]);
if (state.error) toast.error(state.error);
}, [state]);
return (
<Dialog open={open} onOpenChange={setOpen}>
src/app/(dashboard)/layout.tsx
+5
View File
@@ -1,5 +1,7 @@
import { Suspense } from "react";
import { redirect } from "next/navigation";
import { FlashToast } from "@/components/flash-toast";
import { getActiveContext } from "@/lib/appwrite/active-context";
import { countUnreadNotifications } from "@/lib/appwrite/notification-helpers";
import { getLogoUrl } from "@/lib/appwrite/storage";
@@ -40,6 +42,9 @@ export default async function DashboardLayout({
unreadCount={unreadCount}
>
{children}
<Suspense fallback={null}>
<FlashToast />
</Suspense>
</DashboardShell>
);
}
src/app/(dashboard)/notifications/components/notifications-list.tsx
+18 -4
View File
@@ -66,10 +66,21 @@ function NotificationRow({ row }: { row: Notification }) {
? "/connections"
: null;
const isWarning = row.severity === "warning";
return (
<li className={`flex items-start gap-3 px-3 py-3 ${row.read ? "opacity-70" : ""}`}>
<li
className={`flex items-start gap-3 px-3 py-3 ${row.read ? "opacity-70" : ""} ${
isWarning && !row.read ? "bg-amber-50/60 dark:bg-amber-950/30" : ""
}`}
>
<span
className={`mt-1.5 size-2 shrink-0 rounded-full ${row.read ? "bg-muted" : "bg-primary"}`}
className={`mt-1.5 size-2 shrink-0 rounded-full ${
row.read
? "bg-muted"
: isWarning
? "bg-amber-500"
: "bg-primary"
}`}
aria-hidden
/>
<div className="min-w-0 flex-1">
@@ -79,8 +90,11 @@ function NotificationRow({ row }: { row: Notification }) {
</p>
</div>
{!row.read && (
<Badge variant="secondary" className="text-[10px] uppercase">
Yeni
<Badge
variant={isWarning ? "destructive" : "secondary"}
className="text-[10px] uppercase"
>
{isWarning ? "Dikkat" : "Yeni"}
</Badge>
)}
{link && (
src/app/(dashboard)/settings/activity/page.tsx
+149
View File
@@ -0,0 +1,149 @@
import { redirect } from "next/navigation";
import { Query } from "node-appwrite";
import { Badge } from "@/components/ui/badge";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from "@/components/ui/table";
import { listAuditLogs } from "@/lib/appwrite/audit-queries";
import { DATABASE_ID, TABLES, type Profile } from "@/lib/appwrite/schema";
import { createAdminClient } from "@/lib/appwrite/server";
import { requireTenant } from "@/lib/appwrite/tenant-guard";
export const metadata = {
title: "DLS — Hesap Aktivitesi",
};
const dateFormatter = new Intl.DateTimeFormat("tr-TR", {
day: "2-digit",
month: "2-digit",
year: "numeric",
hour: "2-digit",
minute: "2-digit",
});
const ENTITY_LABELS: Record<string, string> = {
job: "İş",
patient: "Hasta",
prosthetic: "Ürün",
payment: "Ödeme",
clinic_pricing: "Klinik Fiyat",
job_file: "Dosya",
connection: "Bağlantı",
invite: "Davet",
tenant_settings: "Çalışma Alanı",
profile: "Profil",
};
const ACTION_VARIANTS = {
create: { label: "Eklendi", variant: "default" as const },
update: { label: "Güncellendi", variant: "secondary" as const },
delete: { label: "Silindi", variant: "destructive" as const },
};
export default async function ActivityPage() {
let ctx;
try {
ctx = await requireTenant();
} catch {
redirect("/onboarding");
}
const logs = await listAuditLogs(ctx.tenantId, 200);
// Resolve userId → display name in one go so the rows read naturally.
const userIds = Array.from(new Set(logs.map((l) => l.userId)));
const userMap = new Map<string, string>();
if (userIds.length > 0) {
try {
const { tablesDB } = createAdminClient();
const profiles = await tablesDB.listRows({
databaseId: DATABASE_ID,
tableId: TABLES.profiles,
queries: [Query.equal("userId", userIds), Query.limit(200)],
});
for (const p of profiles.rows as unknown as Profile[]) {
if (p.displayName) userMap.set(p.userId, p.displayName);
}
} catch {
// best-effort; rows just show the raw id
}
}
return (
<div className="flex-1 space-y-6 px-6">
<div className="flex flex-col gap-1">
<h1 className="text-2xl font-bold tracking-tight">Hesap Aktivitesi</h1>
<p className="text-muted-foreground text-sm">
Çalışma alanınızda yapılan tüm değişikliklerin kaydı. Son 200 işlem.
</p>
</div>
<Card>
<CardHeader>
<CardTitle>İşlem Kaydı</CardTitle>
<CardDescription>
Otomatik tutulur, silinemez. Şüpheli bir aktivite görürseniz hesabınızı
güvenli olmayan bir cihazdan çıkarmayı düşünün.
</CardDescription>
</CardHeader>
<CardContent>
{logs.length === 0 ? (
<p className="text-muted-foreground py-6 text-center text-sm">
Henüz kayıtlı aktivite yok.
</p>
) : (
<Table>
<TableHeader>
<TableRow>
<TableHead>Zaman</TableHead>
<TableHead>Kullanıcı</TableHead>
<TableHead>İşlem</TableHead>
<TableHead>Nesne</TableHead>
<TableHead>Detay</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{logs.map((l) => {
const v = ACTION_VARIANTS[l.action] ?? {
label: l.action,
variant: "outline" as const,
};
return (
<TableRow key={l.$id}>
<TableCell className="text-muted-foreground text-xs tabular-nums">
{dateFormatter.format(new Date(l.$createdAt))}
</TableCell>
<TableCell className="text-sm">
{userMap.get(l.userId) ?? (
<span className="text-muted-foreground font-mono text-xs">
{l.userId.slice(0, 8)}
</span>
)}
</TableCell>
<TableCell>
<Badge variant={v.variant}>{v.label}</Badge>
</TableCell>
<TableCell className="text-sm">
{ENTITY_LABELS[l.entityType] ?? l.entityType}
</TableCell>
<TableCell className="text-muted-foreground max-w-[360px] truncate text-xs">
{l.changes ? l.changes : <span></span>}
</TableCell>
</TableRow>
);
})}
</TableBody>
</Table>
)}
</CardContent>
</Card>
</div>
);
}
src/app/(dashboard)/settings/components/settings-nav.tsx
+44
View File
@@ -0,0 +1,44 @@
"use client";
import Link from "next/link";
import { usePathname } from "next/navigation";
import { cn } from "@/lib/utils";
const ITEMS: { href: string; label: string }[] = [
{ href: "/settings/workspace", label: "Çalışma Alanı" },
{ href: "/settings/account", label: "Profilim" },
{ href: "/settings/members", label: "Üyeler" },
{ href: "/settings/notifications", label: "Bildirimler" },
{ href: "/settings/appearance", label: "Görünüm" },
{ href: "/settings/security", label: "Güvenlik" },
{ href: "/settings/activity", label: "Hesap Aktivitesi" },
];
export function SettingsNav() {
const pathname = usePathname();
return (
<nav className="overflow-x-auto">
<ul className="border-border flex min-w-max gap-1 border-b">
{ITEMS.map((item) => {
const active = pathname === item.href;
return (
<li key={item.href}>
<Link
href={item.href}
className={cn(
"inline-block border-b-2 px-3 py-2 text-sm transition-colors",
active
? "border-primary text-foreground font-medium"
: "text-muted-foreground hover:text-foreground border-transparent",
)}
>
{item.label}
</Link>
</li>
);
})}
</ul>
</nav>
);
}
src/app/(dashboard)/settings/layout.tsx
+16
View File
@@ -0,0 +1,16 @@
import { SettingsNav } from "./components/settings-nav";
export default function SettingsLayout({
children,
}: {
children: React.ReactNode;
}) {
return (
<div className="flex-1 space-y-6">
<div className="px-6">
<SettingsNav />
</div>
{children}
</div>
);
}
src/app/(dashboard)/settings/security/components/mfa-panel.tsx
+209
View File
@@ -0,0 +1,209 @@
"use client";
import { useActionState, useEffect, useState, useTransition } from "react";
import { useRouter } from "next/navigation";
import { Check, KeyRound, Loader2, ShieldCheck, ShieldOff } from "lucide-react";
import { toast } from "sonner";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import {
disableMfaAction,
initialMfaActionState,
regenerateRecoveryCodesAction,
startMfaEnrollAction,
verifyMfaEnrollAction,
} from "@/lib/appwrite/mfa-actions";
type EnrollStage =
| { kind: "idle" }
| { kind: "loading" }
| { kind: "verify"; uri: string; secret: string }
| { kind: "done"; recoveryCodes: string[] };
export function MfaPanel({ initiallyEnabled }: { initiallyEnabled: boolean }) {
const router = useRouter();
const [enabled, setEnabled] = useState(initiallyEnabled);
const [stage, setStage] = useState<EnrollStage>({ kind: "idle" });
const [verifyState, verifyAction, verifying] = useActionState(
verifyMfaEnrollAction,
initialMfaActionState,
);
const [busy, startTransition] = useTransition();
useEffect(() => {
if (verifyState.ok && verifyState.recoveryCodes) {
setEnabled(true);
setStage({ kind: "done", recoveryCodes: verifyState.recoveryCodes });
toast.success("2FA etkinleştirildi.");
router.refresh();
} else if (verifyState.error) {
toast.error(verifyState.error);
}
}, [verifyState, router]);
function beginEnroll() {
setStage({ kind: "loading" });
startTransition(async () => {
const res = await startMfaEnrollAction();
if (res.ok && res.uri && res.secret) {
setStage({ kind: "verify", uri: res.uri, secret: res.secret });
} else {
toast.error(res.error ?? "Başlatılamadı.");
setStage({ kind: "idle" });
}
});
}
function onDisable() {
if (
!window.confirm(
"2FA devre dışı bırakılsın mı? Hesabınız sadece şifre ile korunacak.",
)
)
return;
startTransition(async () => {
const res = await disableMfaAction();
if (res.ok) {
setEnabled(false);
setStage({ kind: "idle" });
toast.success("2FA devre dışı bırakıldı.");
router.refresh();
} else {
toast.error(res.error ?? "Devre dışı bırakılamadı.");
}
});
}
function onRegenerateCodes() {
startTransition(async () => {
const res = await regenerateRecoveryCodesAction();
if (res.ok && res.recoveryCodes) {
setStage({ kind: "done", recoveryCodes: res.recoveryCodes });
toast.success("Yeni yedek kodlar oluşturuldu — eskileri geçersiz.");
} else {
toast.error(res.error ?? "Üretilemedi.");
}
});
}
if (enabled && stage.kind !== "done") {
return (
<div className="grid gap-3">
<div className="flex items-center gap-2">
<Badge className="bg-emerald-600 text-white">
<ShieldCheck className="size-3.5" />
Aktif
</Badge>
<span className="text-muted-foreground text-sm">
Authenticator uygulaması ile giriş yapıyorsunuz.
</span>
</div>
<div className="flex flex-wrap gap-2">
<Button variant="outline" onClick={onRegenerateCodes} disabled={busy}>
<KeyRound className="size-4" />
Yedek kodları yenile
</Button>
<Button variant="destructive" onClick={onDisable} disabled={busy}>
{busy ? <Loader2 className="size-4 animate-spin" /> : <ShieldOff className="size-4" />}
Devre dışı bırak
</Button>
</div>
</div>
);
}
if (stage.kind === "done") {
return (
<div className="grid gap-3">
<div className="bg-emerald-50 dark:bg-emerald-950 rounded-md border border-emerald-200 dark:border-emerald-900 p-4">
<p className="flex items-center gap-2 font-medium text-emerald-700 dark:text-emerald-300">
<Check className="size-4" />
Yedek kodlarınız
</p>
<p className="text-muted-foreground mt-1 text-xs">
Telefonunuza erişiminizi kaybederseniz bu kodlardan biriyle giriş
yapabilirsiniz. Her kod tek seferlik. <strong>Şimdi güvenli bir yere kaydedin</strong>
bu sayfadan çıktığınızda tekrar gösterilmez.
</p>
<pre className="bg-background mt-3 grid grid-cols-2 gap-2 rounded-md border p-3 text-sm font-mono">
{stage.recoveryCodes.map((c) => (
<span key={c}>{c}</span>
))}
</pre>
</div>
<Button variant="outline" onClick={() => setStage({ kind: "idle" })}>
Tamamladım
</Button>
</div>
);
}
if (stage.kind === "verify") {
const otpauthQrUrl = `https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=${encodeURIComponent(stage.uri)}`;
return (
<form action={verifyAction} className="grid gap-4">
<div className="grid gap-4 sm:grid-cols-[200px_1fr] sm:items-start">
{/* eslint-disable-next-line @next/next/no-img-element */}
<img
src={otpauthQrUrl}
alt="QR kodu"
className="size-[200px] rounded-md border bg-white p-2"
width={200}
height={200}
/>
<div className="grid gap-2 text-sm">
<p>Authenticator uygulamanızı açın, QR kodu tarayın.</p>
<p className="text-muted-foreground text-xs">
Tarayamıyorsanız bu kodu manuel girin:
</p>
<code className="bg-muted rounded-md p-2 font-mono text-xs">{stage.secret}</code>
</div>
</div>
<div className="grid gap-2">
<Label htmlFor="otp">Uygulamadaki 6 haneli kod</Label>
<Input
id="otp"
name="otp"
inputMode="numeric"
pattern="[0-9]*"
maxLength={6}
placeholder="000000"
required
autoComplete="one-time-code"
className="font-mono text-lg tracking-widest"
/>
{verifyState.error && (
<p className="text-destructive text-xs">{verifyState.error}</p>
)}
</div>
<div className="flex gap-2">
<Button type="button" variant="outline" onClick={() => setStage({ kind: "idle" })}>
Vazgeç
</Button>
<Button type="submit" disabled={verifying}>
{verifying ? <Loader2 className="size-4 animate-spin" /> : <Check className="size-4" />}
Doğrula ve etkinleştir
</Button>
</div>
</form>
);
}
return (
<div className="grid gap-3">
<div className="flex items-center gap-2">
<Badge variant="outline">Pasif</Badge>
<span className="text-muted-foreground text-sm">
Hesabınız yalnızca şifre ile korunuyor.
</span>
</div>
<Button onClick={beginEnroll} disabled={busy || stage.kind === "loading"}>
{(busy || stage.kind === "loading") ? <Loader2 className="size-4 animate-spin" /> : <ShieldCheck className="size-4" />}
İki adımlı doğrulamayı
</Button>
</div>
);
}
src/app/(dashboard)/settings/security/page.tsx
+56
View File
@@ -0,0 +1,56 @@
import { redirect } from "next/navigation";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import { createSessionClient } from "@/lib/appwrite/server";
import { requireTenant } from "@/lib/appwrite/tenant-guard";
import { MfaPanel } from "./components/mfa-panel";
export const metadata = {
title: "DLS — Güvenlik",
};
export default async function SecurityPage() {
let ctx;
try {
ctx = await requireTenant();
} catch {
redirect("/onboarding");
}
// Look up the user's current MFA status straight from the session
// client so the panel knows whether to offer enroll or disable.
let mfaEnabled = false;
try {
const { account } = await createSessionClient();
const user = await account.get();
mfaEnabled = Boolean(user.mfa);
} catch {
// ignore — panel will treat as not enabled
}
return (
<div className="flex-1 space-y-6 px-6">
<div className="flex flex-col gap-1">
<p className="text-muted-foreground text-sm">{ctx.settings?.companyName ?? "Çalışma alanı"}</p>
<h1 className="text-2xl font-bold tracking-tight">Güvenlik</h1>
<p className="text-muted-foreground text-sm">
Hesap erişiminizi koruyan ayarlar. İki adımlı doğrulamayı açtığınızda
giriş yaparken authenticator uygulamanızdaki 6 haneli kod istenir.
</p>
</div>
<Card>
<CardHeader>
<CardTitle>İki Adımlı Doğrulama</CardTitle>
<CardDescription>
Authenticator uygulaması (Google Authenticator, 1Password, Authy, vs.)
ile TOTP. SMS desteklenmiyor.
</CardDescription>
</CardHeader>
<CardContent>
<MfaPanel initiallyEnabled={mfaEnabled} />
</CardContent>
</Card>
</div>
);
}
src/app/(dashboard)/settings/workspace/components/danger-zone.tsx
+141
View File
@@ -0,0 +1,141 @@
"use client";
import { useActionState, useEffect, useState, useTransition } from "react";
import { AlertTriangle, Download, Loader2, Trash2 } from "lucide-react";
import { toast } from "sonner";
import { Button } from "@/components/ui/button";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import {
Dialog,
DialogClose,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
} from "@/components/ui/dialog";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import {
deleteWorkspaceAction,
initialDeleteWorkspaceState,
} from "@/lib/appwrite/account-delete-actions";
export function DangerZone({ companyName }: { companyName: string }) {
const [downloadBusy, startDownload] = useTransition();
const [open, setOpen] = useState(false);
const [confirm, setConfirm] = useState("");
const [state, action, pending] = useActionState(
deleteWorkspaceAction,
initialDeleteWorkspaceState,
);
useEffect(() => {
if (state.error) toast.error(state.error);
}, [state]);
function downloadExport() {
startDownload(async () => {
try {
const res = await fetch("/api/account/export");
if (!res.ok) throw new Error(`HTTP ${res.status}`);
const blob = await res.blob();
const url = URL.createObjectURL(blob);
const a = document.createElement("a");
a.href = url;
a.download = `dls-export-${Date.now()}.json`;
document.body.appendChild(a);
a.click();
a.remove();
URL.revokeObjectURL(url);
toast.success("Veri dışa aktarıldı.");
} catch (e) {
toast.error(e instanceof Error ? e.message : "İndirilemedi.");
}
});
}
return (
<Card className="border-destructive/40">
<CardHeader>
<CardTitle className="flex items-center gap-2 text-base">
<AlertTriangle className="text-destructive size-4" />
Tehlikeli Bölge
</CardTitle>
<CardDescription>
Verinizi dışa aktarın veya çalışma alanını kalıcı olarak silin.
</CardDescription>
</CardHeader>
<CardContent className="grid gap-3">
<div className="flex flex-wrap items-center justify-between gap-3 rounded-md border p-3">
<div className="min-w-0">
<p className="font-medium">Verilerimi indir</p>
<p className="text-muted-foreground text-xs">
Çalışma alanınızdaki tüm veriler (hastalar, işler, ödemeler, geçmiş)
JSON formatında dışa aktarılır. Silmeden önce yedek almanız önerilir.
</p>
</div>
<Button variant="outline" onClick={downloadExport} disabled={downloadBusy}>
{downloadBusy ? <Loader2 className="size-4 animate-spin" /> : <Download className="size-4" />}
JSON indir
</Button>
</div>
<div className="border-destructive/40 flex flex-wrap items-center justify-between gap-3 rounded-md border p-3">
<div className="min-w-0">
<p className="font-medium">Çalışma alanını sil</p>
<p className="text-muted-foreground text-xs">
Tüm hastalar, işler, ödemeler, dosyalar ve geçmiş kalıcı olarak silinir.
Bu işlem geri alınamaz.
</p>
</div>
<Dialog open={open} onOpenChange={setOpen}>
<Button variant="destructive" onClick={() => setOpen(true)}>
<Trash2 className="size-4" />
Sil
</Button>
<DialogContent>
<DialogHeader>
<DialogTitle>Çalışma alanını kalıcı sil</DialogTitle>
<DialogDescription>
Onaylamak için aşağıya <strong>{companyName}</strong> yazın. Bu
işlem hastalar, işler, ödemeler, dosyalar ve tüm geçmişi içerir
ve geri alınamaz.
</DialogDescription>
</DialogHeader>
<form action={action} className="grid gap-3">
<div className="grid gap-2">
<Label htmlFor="confirm">Çalışma alanı adı</Label>
<Input
id="confirm"
name="confirm"
autoComplete="off"
value={confirm}
onChange={(e) => setConfirm(e.target.value)}
placeholder={companyName}
/>
</div>
<DialogFooter>
<DialogClose asChild>
<Button type="button" variant="outline">
Vazgeç
</Button>
</DialogClose>
<Button
type="submit"
variant="destructive"
disabled={pending || confirm.trim() !== companyName}
>
{pending ? <Loader2 className="size-4 animate-spin" /> : <Trash2 className="size-4" />}
Kalıcı olarak sil
</Button>
</DialogFooter>
</form>
</DialogContent>
</Dialog>
</div>
</CardContent>
</Card>
);
}
src/app/(dashboard)/settings/workspace/page.tsx
+5
View File
@@ -3,6 +3,7 @@ import { redirect } from "next/navigation";
import { getLogoUrl } from "@/lib/appwrite/storage";
import { requireTenant } from "@/lib/appwrite/tenant-guard";
import { DangerZone } from "./components/danger-zone";
import { LogoUploader } from "./components/logo-uploader";
import { WorkspaceSettingsForm } from "./components/workspace-form";
@@ -50,6 +51,10 @@ export default async function WorkspaceSettingsPage() {
memberNumber: ctx.settings?.memberNumber ?? "",
}}
/>
{ctx.role === "owner" && (
<DangerZone companyName={ctx.settings?.companyName ?? ""} />
)}
</div>
);
}
src/app/api/account/export/route.ts
+103
View File
@@ -0,0 +1,103 @@
import { NextResponse } from "next/server";
import { Query } from "node-appwrite";
import { DATABASE_ID, TABLES } from "@/lib/appwrite/schema";
import { createAdminClient } from "@/lib/appwrite/server";
import { requireTenant } from "@/lib/appwrite/tenant-guard";
const TENANT_TABLES = [
TABLES.tenantSettings,
TABLES.profiles,
TABLES.connections,
TABLES.patients,
TABLES.clinicPricing,
TABLES.jobs,
TABLES.jobFiles,
TABLES.jobStatusHistory,
TABLES.prosthetics,
TABLES.financeEntries,
TABLES.payments,
TABLES.notifications,
TABLES.auditLogs,
] as const;
const TENANT_FIELDS_BY_TABLE: Record<string, string[]> = {
// Most tables use 'tenantId' or 'clinicTenantId'/'labTenantId' for ownership.
[TABLES.tenantSettings]: ["tenantId"],
[TABLES.profiles]: ["tenantId"],
[TABLES.connections]: ["clinicTenantId", "labTenantId"],
[TABLES.patients]: ["clinicTenantId"],
[TABLES.clinicPricing]: ["labTenantId", "clinicTenantId"],
[TABLES.jobs]: ["clinicTenantId", "labTenantId"],
[TABLES.jobFiles]: ["clinicTenantId", "labTenantId"],
[TABLES.jobStatusHistory]: ["clinicTenantId", "labTenantId"],
[TABLES.prosthetics]: ["tenantId"],
[TABLES.financeEntries]: ["tenantId"],
[TABLES.payments]: ["tenantId", "counterpartTenantId"],
[TABLES.notifications]: ["tenantId"],
[TABLES.auditLogs]: ["tenantId"],
};
/**
* Return a JSON file containing every row this tenant has access to.
* Used for KVKK 'data portability' and as a sanity-check pre-delete.
*/
export async function GET() {
let ctx;
try {
ctx = await requireTenant();
} catch {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const { tablesDB } = createAdminClient();
const out: Record<string, unknown[]> = {};
for (const table of TENANT_TABLES) {
const fields = TENANT_FIELDS_BY_TABLE[table] ?? ["tenantId"];
try {
// Fetch each row where ANY of the ownership fields equals our tenantId.
// For tables with two fields (jobs, connections, ...) issue both queries
// and dedupe — Appwrite doesn't have OR across distinct equality terms.
const seen = new Set<string>();
const rows: unknown[] = [];
for (const field of fields) {
const result = await tablesDB.listRows({
databaseId: DATABASE_ID,
tableId: table,
queries: [Query.equal(field, ctx.tenantId), Query.limit(500)],
});
for (const r of result.rows) {
const id = (r as { $id?: string }).$id;
if (id && !seen.has(id)) {
seen.add(id);
rows.push(r);
}
}
}
out[table] = rows;
} catch (e) {
out[table] = [
{ error: e instanceof Error ? e.message : "fetch failed" },
];
}
}
const payload = {
exportedAt: new Date().toISOString(),
tenantId: ctx.tenantId,
tenantKind: ctx.kind,
requestedBy: { id: ctx.user.id, email: ctx.user.email, name: ctx.user.name },
data: out,
};
const fileName = `dls-export-${ctx.tenantId}-${Date.now()}.json`;
return new NextResponse(JSON.stringify(payload, null, 2), {
status: 200,
headers: {
"Content-Type": "application/json; charset=utf-8",
"Content-Disposition": `attachment; filename="${fileName}"`,
"Cache-Control": "private, no-store",
},
});
}
src/components/flash-toast.tsx
+44
View File
@@ -0,0 +1,44 @@
"use client";
import { useEffect, useRef } from "react";
import { usePathname, useRouter, useSearchParams } from "next/navigation";
import { toast } from "sonner";
const MESSAGES: Record<string, string> = {
accepted: "İş işleme alındı, alt yapı üretimi başladı.",
handed: "Klinik tarafına gönderildi.",
approved: "Prova onaylandı, lab tarafına geri gönderildi.",
revision: "Düzeltme talebi gönderildi.",
delivered: "İş teslim alındı.",
cancelled: "İş iptal edildi.",
};
/**
* Show a one-shot toast based on ?flash=<key>, then strip the param from
* the URL so a refresh doesn't replay it. Mounted in the dashboard layout
* so it works on every page that server actions might redirect to.
*/
export function FlashToast() {
const router = useRouter();
const pathname = usePathname();
const params = useSearchParams();
const fired = useRef<string | null>(null);
useEffect(() => {
const flash = params.get("flash");
if (!flash) return;
// Avoid double-firing under React Strict Mode in dev.
if (fired.current === flash) return;
fired.current = flash;
const message = MESSAGES[flash] ?? null;
if (message) toast.success(message);
const next = new URLSearchParams(params.toString());
next.delete("flash");
const query = next.toString();
router.replace(query ? `${pathname}?${query}` : pathname, { scroll: false });
}, [params, pathname, router]);
return null;
}
src/lib/appwrite/account-delete-actions.ts
+172
View File
@@ -0,0 +1,172 @@
"use server";
import { revalidatePath } from "next/cache";
import { cookies } from "next/headers";
import { redirect } from "next/navigation";
import { AppwriteException, Query } from "node-appwrite";
import {
BUCKETS,
DATABASE_ID,
TABLES,
type JobFile,
type TenantSettings,
} from "./schema";
import { APPWRITE_SESSION_COOKIE, createAdminClient } from "./server";
import { ACTIVE_TENANT_COOKIE } from "./tenant-types";
import { requireRole, requireTenant } from "./tenant-guard";
export type DeleteWorkspaceState = {
ok: boolean;
error?: string;
};
export const initialDeleteWorkspaceState: DeleteWorkspaceState = { ok: false };
function appwriteError(e: unknown, fallback = "Beklenmeyen bir hata oluştu."): string {
if (e instanceof AppwriteException) return e.message || fallback;
return process.env.NODE_ENV !== "production" && e instanceof Error
? `${fallback} (${e.message})`
: fallback;
}
/** Best-effort delete every row where any of `fields` equals tenantId. */
async function purgeTable(table: string, fields: string[], tenantId: string) {
const { tablesDB } = createAdminClient();
const ids = new Set<string>();
for (const field of fields) {
let offset = 0;
// Page through to handle tables with more than 500 rows.
while (true) {
const result = await tablesDB
.listRows({
databaseId: DATABASE_ID,
tableId: table,
queries: [Query.equal(field, tenantId), Query.limit(500), Query.offset(offset)],
})
.catch(() => ({ rows: [] }));
for (const row of result.rows) {
const id = (row as { $id?: string }).$id;
if (id) ids.add(id);
}
if (result.rows.length < 500) break;
offset += 500;
}
}
await Promise.allSettled(
Array.from(ids).map((id) =>
tablesDB.deleteRow(DATABASE_ID, table, id),
),
);
}
/**
* Hard-delete an entire workspace and everything it owns. Reversible only
* via your own backup — Appwrite has no undo. Caller must be owner of the
* tenant and must confirm by typing the company name back to us.
*/
export async function deleteWorkspaceAction(
_prev: DeleteWorkspaceState,
formData: FormData,
): Promise<DeleteWorkspaceState> {
const confirm = String(formData.get("confirm") ?? "").trim();
let ctx;
try {
ctx = await requireTenant();
requireRole(ctx, ["owner"]);
} catch {
return { ok: false, error: "Yalnızca sahip silebilir." };
}
const expected = ctx.settings?.companyName?.trim() ?? "";
if (!expected || confirm !== expected) {
return {
ok: false,
error: "Onaylamak için çalışma alanı adını birebir yazmanız gerekiyor.",
};
}
const tenantId = ctx.tenantId;
const { tablesDB, storage, teams } = createAdminClient();
// 1) Wipe Storage objects we still own (logo + any non-archived job files).
try {
const settingsRes = await tablesDB.listRows({
databaseId: DATABASE_ID,
tableId: TABLES.tenantSettings,
queries: [Query.equal("tenantId", tenantId), Query.limit(1)],
});
const settings = (settingsRes.rows[0] as unknown as TenantSettings | undefined) ?? null;
if (settings?.logo) {
try {
await storage.deleteFile(BUCKETS.tenantLogos, settings.logo);
} catch {
/* ignore */
}
}
const files = await tablesDB.listRows({
databaseId: DATABASE_ID,
tableId: TABLES.jobFiles,
queries: [
Query.or([
Query.equal("clinicTenantId", tenantId),
Query.equal("labTenantId", tenantId),
]),
Query.limit(1000),
],
});
await Promise.allSettled(
(files.rows as unknown as JobFile[]).map(async (f) => {
if (f.archivedAt) return;
try {
await storage.deleteFile(BUCKETS.jobFiles, f.fileId);
} catch {
/* ignore */
}
}),
);
} catch {
/* best-effort */
}
// 2) Purge all DB tables tied to this tenant. Order doesn't matter
// because everything is hard-deleted.
const tablePurges: Array<[string, string[]]> = [
[TABLES.notifications, ["tenantId"]],
[TABLES.auditLogs, ["tenantId"]],
[TABLES.payments, ["tenantId", "counterpartTenantId"]],
[TABLES.financeEntries, ["tenantId"]],
[TABLES.jobStatusHistory, ["clinicTenantId", "labTenantId"]],
[TABLES.jobFiles, ["clinicTenantId", "labTenantId"]],
[TABLES.jobs, ["clinicTenantId", "labTenantId"]],
[TABLES.clinicPricing, ["labTenantId", "clinicTenantId"]],
[TABLES.prosthetics, ["tenantId"]],
[TABLES.patients, ["clinicTenantId"]],
[TABLES.connections, ["clinicTenantId", "labTenantId"]],
[TABLES.profiles, ["tenantId"]],
[TABLES.tenantSettings, ["tenantId"]],
];
for (const [table, fields] of tablePurges) {
await purgeTable(table, fields, tenantId);
}
// 3) Finally delete the Appwrite Team itself. This boots every member's
// permission to read anything that might have slipped through above.
try {
await teams.delete({ teamId: tenantId });
} catch (e) {
return { ok: false, error: appwriteError(e, "Çalışma alanı silindi ama takım kaldı.") };
}
// Drop session/active-tenant cookies — the user is also effectively
// signed out of this workspace.
const cookieStore = await cookies();
cookieStore.delete(ACTIVE_TENANT_COOKIE);
// Keep the Appwrite session itself so the user can still re-onboard or
// hop to another workspace they own. If they want to drop the session,
// there's already a 'Çıkış yap' button.
void APPWRITE_SESSION_COOKIE; // referenced to avoid unused import
revalidatePath("/");
redirect("/onboarding");
}
src/lib/appwrite/audit-queries.ts
+24
View File
@@ -0,0 +1,24 @@
import "server-only";
import { Query } from "node-appwrite";
import { DATABASE_ID, TABLES, type AuditLog } from "./schema";
import { createAdminClient } from "./server";
import { toPlain } from "./serialize";
export async function listAuditLogs(
tenantId: string,
limit = 100,
): Promise<AuditLog[]> {
const { tablesDB } = createAdminClient();
const result = await tablesDB.listRows({
databaseId: DATABASE_ID,
tableId: TABLES.auditLogs,
queries: [
Query.equal("tenantId", tenantId),
Query.orderDesc("$createdAt"),
Query.limit(limit),
],
});
return toPlain(result.rows as unknown as AuditLog[]);
}
src/lib/appwrite/auth-actions.ts
+47 -1
View File
@@ -2,7 +2,7 @@
import { cookies } from "next/headers";
import { redirect } from "next/navigation";
import { AppwriteException, ID, Query } from "node-appwrite";
import { AppwriteException, AuthenticationFactor, ID, Query } from "node-appwrite";
import { APPWRITE_SESSION_COOKIE, createAdminClient, createSessionClient } from "./server";
import { DATABASE_ID, TABLES, type TenantKind, type TenantSettings } from "./schema";
@@ -85,6 +85,7 @@ async function resolveTenantOnLogin(
export async function signInAction(_prev: AuthState, formData: FormData): Promise<AuthState> {
const email = String(formData.get("email") ?? "").trim();
const password = String(formData.get("password") ?? "");
const otp = String(formData.get("otp") ?? "").trim();
const inviteCode = String(formData.get("inviteCode") ?? "").trim();
const rawKind = String(formData.get("kind") ?? "").trim();
const kind: TenantKind | null =
@@ -107,6 +108,51 @@ export async function signInAction(_prev: AuthState, formData: FormData): Promis
return { ok: false, error: appwriteError(e) };
}
// MFA: if the user has TOTP enabled, the session above is half-confirmed.
// Either pass the OTP they typed in this submission or ask for it.
try {
const { users } = createAdminClient();
const user = await users.get({ userId: sessionUserId });
if (user.mfa) {
if (!otp) {
return {
ok: false,
mfaRequired: true,
error: "Hesabınız 2FA korumalı. Authenticator uygulamasındaki 6 haneli kodu girin.",
};
}
try {
const { account: sessionAccount } = await createSessionClient();
const challenge = await sessionAccount.createMfaChallenge({
factor: AuthenticationFactor.Totp,
});
await sessionAccount.updateMfaChallenge({
challengeId: challenge.$id,
otp,
});
} catch (e) {
// Wrong code or expired challenge — kill the partial session and ask
// them to start over with the OTP visible.
try {
if (sessionId) await users.deleteSession({ userId: sessionUserId, sessionId });
} catch {
/* best-effort */
}
(await cookies()).delete(APPWRITE_SESSION_COOKIE);
return {
ok: false,
mfaRequired: true,
error: "Kod doğrulanamadı, yeniden deneyin.",
};
}
}
} catch (e) {
console.error("[signInAction] MFA check", e);
// Fail-open on MFA check errors only when the user has no MFA configured;
// for safety, surface a generic error here.
return { ok: false, error: "Oturum doğrulanamadı." };
}
// Invite flow short-circuits the kind check — invite code drives team membership
if (inviteCode) {
redirect(`/d/${inviteCode}`);
src/lib/appwrite/auth-types.ts
+2
View File
@@ -1,6 +1,8 @@
export type AuthState = {
ok: boolean;
error?: string;
/** Set when the account has MFA enabled and the OTP field was empty. */
mfaRequired?: boolean;
};
export const initialAuthState: AuthState = { ok: false };
src/lib/appwrite/connection-actions.ts
+9
View File
@@ -278,6 +278,15 @@ export async function rejectConnectionAction(
entityId: connectionId,
changes: { status: "rejected" },
});
// Tell the requester their request was turned down — warning, not info.
const requesterTenant =
conn.clinicTenantId === ctx.tenantId ? conn.labTenantId : conn.clinicTenantId;
void createNotification({
tenantId: requesterTenant,
connectionId,
severity: "warning",
message: `${ctx.settings?.companyName ?? "Karşı taraf"} bağlantı talebinizi reddetti.`,
});
} catch (e) {
return { ok: false, error: appwriteError(e, "Reddedilemedi.") };
}
src/lib/appwrite/job-actions.ts
+20 -6
View File
@@ -1,6 +1,7 @@
"use server";
import { revalidatePath } from "next/cache";
import { redirect } from "next/navigation";
import { AppwriteException, ID, Permission, Query, Role } from "node-appwrite";
import { z } from "zod";
@@ -330,7 +331,9 @@ export async function acceptJobAction(
revalidatePath(`/jobs/${jobId}`);
revalidatePath("/jobs/inbound");
revalidatePath("/jobs/outbound");
return { ok: true };
// Redirect forces a full RSC payload reload — bypasses any client-side
// cache that router.refresh() might otherwise miss.
redirect(`/jobs/${jobId}?flash=accepted`);
}
/**
@@ -498,7 +501,7 @@ export async function handToClinicAction(
revalidatePath("/jobs/inbound");
revalidatePath("/jobs/outbound");
revalidatePath("/finance");
return { ok: true };
redirect(`/jobs/${jobId}?flash=handed`);
}
/**
@@ -581,7 +584,7 @@ export async function approveAtClinicAction(
revalidatePath(`/jobs/${jobId}`);
revalidatePath("/jobs/inbound");
revalidatePath("/jobs/outbound");
return { ok: true };
redirect(`/jobs/${jobId}?flash=approved`);
}
/**
@@ -661,6 +664,7 @@ export async function requestRevisionAction(
void createNotification({
tenantId: job.labTenantId,
jobId,
severity: "warning",
message: `Hasta ${job.patientCode} ${stepLabel} provası için düzeltme istendi: ${note.slice(0, 120)}`,
});
} catch (e) {
@@ -670,7 +674,7 @@ export async function requestRevisionAction(
revalidatePath(`/jobs/${jobId}`);
revalidatePath("/jobs/inbound");
revalidatePath("/jobs/outbound");
return { ok: true };
redirect(`/jobs/${jobId}?flash=revision`);
}
export async function markDeliveredAction(
@@ -727,7 +731,7 @@ export async function markDeliveredAction(
revalidatePath("/jobs/outbound");
revalidatePath("/jobs/inbound");
revalidatePath("/finance");
return { ok: true };
redirect(`/jobs/${jobId}?flash=delivered`);
}
export async function cancelJobAction(
@@ -770,6 +774,16 @@ export async function cancelJobAction(
entityId: jobId,
changes: { status: "cancelled" },
});
// Notify the other side — cancellation is a warning, not normal traffic.
const otherTenantId =
ctx.tenantId === job.clinicTenantId ? job.labTenantId : job.clinicTenantId;
const actor = ctx.kind === "lab" ? "Laboratuvar" : "Klinik";
void createNotification({
tenantId: otherTenantId,
jobId,
severity: "warning",
message: `${actor} hasta ${job.patientCode} işini iptal etti.`,
});
} catch (e) {
return { ok: false, error: appwriteError(e, "İptal edilemedi.") };
}
@@ -777,5 +791,5 @@ export async function cancelJobAction(
revalidatePath(`/jobs/${jobId}`);
revalidatePath("/jobs/inbound");
revalidatePath("/jobs/outbound");
return { ok: true };
redirect(`/jobs/${jobId}?flash=cancelled`);
}
src/lib/appwrite/mfa-actions.ts
+104
View File
@@ -0,0 +1,104 @@
"use server";
import { revalidatePath } from "next/cache";
import { AppwriteException, AuthenticatorType } from "node-appwrite";
import { createSessionClient } from "./server";
export type MfaEnrollState = {
ok: boolean;
error?: string;
/** otpauth:// URI for QR; only set on enroll start. */
uri?: string;
/** Plain TOTP secret as a fallback if the QR can't be scanned. */
secret?: string;
};
export const initialMfaEnrollState: MfaEnrollState = { ok: false };
export type MfaActionState = {
ok: boolean;
error?: string;
/** Recovery codes returned right after enable; show once, never stored again. */
recoveryCodes?: string[];
};
export const initialMfaActionState: MfaActionState = { ok: false };
function appwriteError(e: unknown, fallback = "Beklenmeyen bir hata oluştu."): string {
if (e instanceof AppwriteException) return e.message || fallback;
return process.env.NODE_ENV !== "production" && e instanceof Error
? `${fallback} (${e.message})`
: fallback;
}
/**
* Step 1 of TOTP enroll: produce a fresh secret and otpauth URI for the
* user's authenticator app. Calling this when an authenticator already
* exists yields the same secret back.
*/
export async function startMfaEnrollAction(): Promise<MfaEnrollState> {
try {
const { account } = await createSessionClient();
const res = await account.createMFAAuthenticator(AuthenticatorType.Totp);
return { ok: true, uri: res.uri, secret: res.secret };
} catch (e) {
return { ok: false, error: appwriteError(e, "MFA başlatılamadı.") };
}
}
/**
* Step 2 of TOTP enroll: user scanned the QR, opened their authenticator,
* typed the 6-digit code. We verify, then flip account.mfa = true so
* future sign-ins require the second factor. Returns recovery codes —
* shown once.
*/
export async function verifyMfaEnrollAction(
_prev: MfaActionState,
formData: FormData,
): Promise<MfaActionState> {
const otp = String(formData.get("otp") ?? "").trim();
if (!otp || otp.length < 6) {
return { ok: false, error: "6 haneli kodu girin." };
}
try {
const { account } = await createSessionClient();
await account.updateMFAAuthenticator(AuthenticatorType.Totp, otp);
await account.updateMFA(true);
const codes = await account.createMFARecoveryCodes();
return { ok: true, recoveryCodes: codes.recoveryCodes };
} catch (e) {
return { ok: false, error: appwriteError(e, "Doğrulanamadı.") };
}
}
/**
* Disable MFA: turn the account flag off and remove the TOTP authenticator
* so the user can re-enroll later with a fresh secret. Requires a current
* authenticated session.
*/
export async function disableMfaAction(): Promise<MfaActionState> {
try {
const { account } = await createSessionClient();
await account.updateMFA(false);
try {
await account.deleteMFAAuthenticator(AuthenticatorType.Totp);
} catch {
// Already removed — ignore.
}
revalidatePath("/settings/security");
return { ok: true };
} catch (e) {
return { ok: false, error: appwriteError(e, "Devre dışı bırakılamadı.") };
}
}
export async function regenerateRecoveryCodesAction(): Promise<MfaActionState> {
try {
const { account } = await createSessionClient();
const codes = await account.updateMFARecoveryCodes();
return { ok: true, recoveryCodes: codes.recoveryCodes };
} catch (e) {
return { ok: false, error: appwriteError(e, "Yedek kodlar üretilemedi.") };
}
}
src/lib/appwrite/notification-helpers.ts
+10 -1
View File
@@ -2,7 +2,12 @@ import "server-only";
import { ID, Permission, Query, Role } from "node-appwrite";
import { DATABASE_ID, TABLES, type Notification } from "./schema";
import {
DATABASE_ID,
TABLES,
type Notification,
type NotificationSeverity,
} from "./schema";
import { createAdminClient } from "./server";
import { toPlain } from "./serialize";
@@ -12,6 +17,9 @@ type CreateNotificationInput = {
jobId?: string;
connectionId?: string;
message: string;
/** Defaults to 'info'. Use 'warning' for things that need the user's
* attention (revision, cancellation, rejections). */
severity?: NotificationSeverity;
};
/**
@@ -32,6 +40,7 @@ export async function createNotification(input: CreateNotificationInput): Promis
connectionId: input.connectionId,
message: input.message.slice(0, 500),
read: false,
severity: input.severity ?? "info",
},
[
Permission.read(Role.team(input.tenantId)),
src/lib/appwrite/payment-actions.ts
+1
View File
@@ -269,6 +269,7 @@ export async function rejectPaymentAction(
});
void createNotification({
tenantId: row.tenantId,
severity: "warning",
message: `Ödeme bildiriminiz reddedildi: ${row.amount.toLocaleString("tr-TR")} ${row.currency}.`,
});
} catch (e) {
src/lib/appwrite/schema.ts
+5
View File
@@ -194,6 +194,8 @@ export interface Payment extends Row {
recordedBy: string;
}
export type NotificationSeverity = "info" | "warning";
export interface Notification extends Row {
tenantId: string;
userId?: string;
@@ -201,6 +203,9 @@ export interface Notification extends Row {
connectionId?: string;
message: string;
read: boolean;
/** Visual + filtering hint. 'warning' for things requiring attention
* (revision request, cancellation, payment / connection rejection). */
severity?: NotificationSeverity;
}
export type AuditAction = "create" | "update" | "delete";