Initial commit

app/api/auth/change-password/route.ts

@@ -0,0 +1,45 @@
+import { type NextRequest, NextResponse } from "next/server"
+import { safeQuery } from "@/lib/database"
+import { verifyPassword, hashPassword } from "@/lib/auth"
+
+export async function POST(request: NextRequest) {
+  try {
+    const { nationalId, currentPassword, newPassword } = await request.json()
+
+    // Input validation
+    if (!nationalId || !currentPassword || !newPassword) {
+      return NextResponse.json({ error: "נתונים חסרים" }, { status: 400 })
+    }
+
+    if (newPassword.length < 6) {
+      return NextResponse.json({ error: "הסיסמה החדשה חייבת להכיל לפחות 6 תווים" }, { status: 400 })
+    }
+
+    // Get current user data
+    const users = (await safeQuery("SELECT password FROM users WHERE national_id = ?", [nationalId])) as any[]
+
+    if (users.length === 0) {
+      return NextResponse.json({ error: "משתמש לא נמצא" }, { status: 404 })
+    }
+
+    const user = users[0]
+    const isValidCurrentPassword = await verifyPassword(currentPassword, user.password)
+
+    if (!isValidCurrentPassword) {
+      return NextResponse.json({ error: "הסיסמה הנוכחית שגויה" }, { status: 401 })
+    }
+
+    // Hash new password and update
+    const hashedNewPassword = await hashPassword(newPassword)
+
+    await safeQuery(
+      "UPDATE users SET password = ?, must_change_password = FALSE, password_changed_at = NOW() WHERE national_id = ?",
+      [hashedNewPassword, nationalId],
+    )
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    console.error("Change password error:", error)
+    return NextResponse.json({ error: "שגיאה בשינוי סיסמה" }, { status: 500 })
+  }
+}

app/api/auth/login/route.ts

@@ -0,0 +1,53 @@
+import { type NextRequest, NextResponse } from "next/server"
+import { safeQuery } from "@/lib/database"
+import { validateIsraeliID, verifyPassword } from "@/lib/auth"
+
+export async function POST(request: NextRequest) {
+  try {
+    const { nationalId, password } = await request.json()
+
+    // Input validation
+    if (!nationalId || !password) {
+      return NextResponse.json({ error: "נתונים חסרים" }, { status: 400 })
+    }
+
+    if (!validateIsraeliID(nationalId)) {
+      return NextResponse.json({ error: "מספר תעודת זהות לא תקין" }, { status: 400 })
+    }
+
+    // Use parameterized query to prevent SQL injection
+    const users = (await safeQuery(
+      "SELECT national_id, password, name, is_admin, role, field, department, team, in_shelter, last_updated, must_change_password FROM users WHERE national_id = ?",
+      [nationalId],
+    )) as any[]
+
+    if (users.length === 0) {
+      return NextResponse.json({ error: "משתמש לא נמצא" }, { status: 401 })
+    }
+
+    const user = users[0]
+    const isValidPassword = await verifyPassword(password, user.password)
+
+    if (!isValidPassword) {
+      return NextResponse.json({ error: "סיסמה שגויה" }, { status: 401 })
+    }
+
+    return NextResponse.json({
+      user: {
+        national_id: user.national_id,
+        name: user.name,
+        is_admin: user.is_admin,
+        role: user.role,
+        field: user.field,
+        department: user.department,
+        team: user.team,
+        in_shelter: user.in_shelter,
+        last_updated: user.last_updated,
+        must_change_password: user.must_change_password,
+      },
+    })
+  } catch (error) {
+    console.error("Login error:", error)
+    return NextResponse.json({ error: "שגיאה בשרת" }, { status: 500 })
+  }
+}