This commit is contained in:
@@ -5,18 +5,54 @@ import { checkDuplicateDomain } from "@/lib/db";
|
||||
import type { RegistrationInput } from "@/types";
|
||||
import { z } from "zod";
|
||||
|
||||
const registrationSchema = z.object({
|
||||
companyName: z.string().min(2).max(100),
|
||||
givenName: z.string().min(1).max(100),
|
||||
familyName: z.string().min(1).max(100),
|
||||
email: z.string().email(),
|
||||
preferredLanguage: z.enum(["en", "de", "fr", "it"]).optional(),
|
||||
});
|
||||
/**
|
||||
* Registration schema.
|
||||
*
|
||||
* Slice 4 changes
|
||||
* ---------------
|
||||
* - `companyName` is no longer always required. It's required when
|
||||
* `isPersonal` is false/absent, ignored when `isPersonal` is true.
|
||||
* - `isPersonal` flag distinguishes personal accounts. The server
|
||||
* derives the ZITADEL org name from `${givenName} ${familyName}
|
||||
* (Personal)` for personals — the suffix is the canonical marker
|
||||
* that downstream code (onboarding POST, admin views) uses to
|
||||
* distinguish personal orgs from companies. Customers cannot rename
|
||||
* their own org, so the suffix is stable.
|
||||
* - Personal accounts skip the duplicate-domain check entirely. Their
|
||||
* row is also excluded from future domain checks (see
|
||||
* `lib/domain-check.ts::findDuplicateInDb`).
|
||||
*/
|
||||
const registrationSchema = z
|
||||
.object({
|
||||
companyName: z.string().min(2).max(100).optional(),
|
||||
givenName: z.string().min(1).max(100),
|
||||
familyName: z.string().min(1).max(100),
|
||||
email: z.string().email(),
|
||||
preferredLanguage: z.enum(["en", "de", "fr", "it"]).optional(),
|
||||
isPersonal: z.boolean().optional().default(false),
|
||||
})
|
||||
.refine(
|
||||
(data) =>
|
||||
data.isPersonal || (data.companyName && data.companyName.trim().length >= 2),
|
||||
{
|
||||
message: "Company name is required for company registrations",
|
||||
path: ["companyName"],
|
||||
}
|
||||
);
|
||||
|
||||
/** 3 registrations per IP per hour */
|
||||
const RATE_LIMIT = 3;
|
||||
const RATE_WINDOW_MS = 3_600_000; // 1 hour
|
||||
|
||||
/**
|
||||
* Suffix appended to personal-account ZITADEL org names. Used here to
|
||||
* build the org name and elsewhere (session.orgName check) to detect
|
||||
* whether the current user is on a personal org.
|
||||
*
|
||||
* Keep this in sync with `isPersonalOrgName()` in `lib/personal-org.ts`.
|
||||
*/
|
||||
const PERSONAL_ORG_SUFFIX = " (Personal)";
|
||||
|
||||
export async function POST(request: NextRequest) {
|
||||
// --- Rate limiting ---
|
||||
const ip =
|
||||
@@ -53,31 +89,45 @@ export async function POST(request: NextRequest) {
|
||||
}
|
||||
|
||||
const input: RegistrationInput = parsed.data;
|
||||
const isPersonal = input.isPersonal === true;
|
||||
|
||||
// --- Duplicate-domain check ---
|
||||
// --- Duplicate-domain check (skipped for personal accounts) ---
|
||||
//
|
||||
// Block if another active tenant_request or ZITADEL org already exists
|
||||
// for this corporate email domain. Public domains (gmail, gmx, etc.)
|
||||
// are exempted by checkDuplicateDomain.
|
||||
//
|
||||
// We return a structured `code: "duplicate_domain"` with the matched
|
||||
// domain so the client can render the localized message via
|
||||
// register.duplicateDomain (with {domain} interpolation). The fallback
|
||||
// English string is included for non-i18n clients (curl, monitoring).
|
||||
const dup = await checkDuplicateDomain(input.email);
|
||||
if (dup.blocked && dup.domain) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `An account for the email domain ${dup.domain} is already registered. Please contact your company administrator or PieCed IT support.`,
|
||||
code: "duplicate_domain",
|
||||
domain: dup.domain,
|
||||
},
|
||||
{ status: 409 },
|
||||
);
|
||||
// Personal accounts are explicitly allowed to use any email domain
|
||||
// (including corporate). Their tenant_request rows are excluded
|
||||
// from this check by lib/domain-check.ts, so a personal account
|
||||
// doesn't block a later real-company registration on the same
|
||||
// domain.
|
||||
if (!isPersonal) {
|
||||
const dup = await checkDuplicateDomain(input.email);
|
||||
if (dup.blocked && dup.domain) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `An account for the email domain ${dup.domain} is already registered. Please contact your company administrator or PieCed IT support.`,
|
||||
code: "duplicate_domain",
|
||||
domain: dup.domain,
|
||||
},
|
||||
{ status: 409 },
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// --- Determine the ZITADEL org name ---
|
||||
//
|
||||
// For company: use the customer-supplied companyName (already
|
||||
// validated to be present + ≥2 chars by the schema refinement).
|
||||
// For personal: synthesise from full name + " (Personal)" suffix.
|
||||
// The suffix is the canonical marker for personal orgs.
|
||||
//
|
||||
// ZITADEL does NOT enforce org-name uniqueness, so two "Hans Müller
|
||||
// (Personal)" orgs can coexist; the org id is what matters for our
|
||||
// labelling and lookups, the name is human-readable only.
|
||||
const orgName = isPersonal
|
||||
? `${input.givenName.trim()} ${input.familyName.trim()}${PERSONAL_ORG_SUFFIX}`
|
||||
: input.companyName!.trim();
|
||||
|
||||
const result = await registerCustomer({
|
||||
companyName: input.companyName,
|
||||
companyName: orgName,
|
||||
email: input.email,
|
||||
givenName: input.givenName,
|
||||
familyName: input.familyName,
|
||||
@@ -88,6 +138,7 @@ export async function POST(request: NextRequest) {
|
||||
{
|
||||
orgId: result.orgId,
|
||||
userId: result.userId,
|
||||
isPersonal,
|
||||
message:
|
||||
"Registration successful. You will receive an invitation email to set your password.",
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user