'use client'; /** * Self-service security center. Renders three independent cards: * * 1. **Change password** — current + new with strength rule (≥8 chars, mixed * case + digit). Backend revokes all other sessions on success. * 2. **Two-factor authentication (TOTP)** — enable by scanning a QR or * typing the secret into an authenticator app, confirm with a 6-digit * code. Disable requires current password. * 3. **Active sessions** — list of every signed-in device with last-active * time + "this device" marker. Revoke any to sign out elsewhere. * * Component is portal-agnostic — same file is shipped to patient, admin, * and doctor portals. */ import { useCallback, useEffect, useState } from 'react'; import { AlertCircle, CheckCircle2, KeyRound, Loader2, Monitor, RefreshCw, ShieldCheck, ShieldOff, Smartphone, Trash2, } from 'lucide-react'; import { Button, GlassCard, Input } from '@sehat/ui'; interface SessionRow { id: string; deviceName: string | null; userAgent: string | null; ipAddress: string | null; createdAt: string; lastUsedAt: string | null; expiresAt: string; isCurrent: boolean; } export interface SecurityPanelProps { /** Current MFA state from the session — used to pick the initial card mode. */ mfaEnabled: boolean; /** Called after a successful change so the host can refresh the user state. */ onChanged?: () => void; } export function SecurityPanel({ mfaEnabled: initialMfaEnabled, onChanged }: SecurityPanelProps) { const [mfaEnabled, setMfaEnabled] = useState(initialMfaEnabled); // Sync if parent refreshes user useEffect(() => setMfaEnabled(initialMfaEnabled), [initialMfaEnabled]); return (

{ setMfaEnabled(next); onChanged?.(); }} />

); } // ===== Change password ===== function ChangePasswordCard({ onChanged }: { onChanged?: () => void }) { const [current, setCurrent] = useState(''); const [next, setNext] = useState(''); const [confirm, setConfirm] = useState(''); const [saving, setSaving] = useState(false); const [error, setError] = useState(null); const [success, setSuccess] = useState(false); async function submit(e: React.FormEvent) { e.preventDefault(); setError(null); setSuccess(false); if (next.length < 8) { setError('New password must be at least 8 characters.'); return; } if (!/(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/.test(next)) { setError('New password must include lowercase, uppercase, and a digit.'); return; } if (next !== confirm) { setError('Confirmation does not match.'); return; } setSaving(true); try { const r = await fetch('/api/auth/change-password', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ currentPassword: current, newPassword: next }), }); if (!r.ok) { const body = await r.json().catch(() => ({})); throw new Error(body.message ?? 'Failed to change password'); } setCurrent(''); setNext(''); setConfirm(''); setSuccess(true); onChanged?.(); } catch (e) { setError((e as Error).message); } finally { setSaving(false); } } return (

Change password

After a successful change, every other device is signed out automatically.

); } // ===== MFA ===== function MfaCard({ enabled, onChange }: { enabled: boolean; onChange: (next: boolean) => void }) { const [phase, setPhase] = useState<'idle' | 'setup' | 'verify' | 'disable'>('idle'); const [secret, setSecret] = useState(''); const [otpauthUrl, setOtpauthUrl] = useState(''); const [code, setCode] = useState(''); const [password, setPassword] = useState(''); const [busy, setBusy] = useState(false); const [error, setError] = useState(null); const [success, setSuccess] = useState(null); async function startSetup() { setBusy(true); setError(null); try { const r = await fetch('/api/auth/mfa/setup', { method: 'POST' }); if (!r.ok) { const body = await r.json().catch(() => ({})); throw new Error(body.message ?? 'Could not start MFA setup'); } const data = (await r.json()) as { secret: string; otpauthUrl: string }; setSecret(data.secret); setOtpauthUrl(data.otpauthUrl); setPhase('verify'); } catch (e) { setError((e as Error).message); } finally { setBusy(false); } } async function confirmSetup(e: React.FormEvent) { e.preventDefault(); setBusy(true); setError(null); try { const r = await fetch('/api/auth/mfa/verify', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ code }), }); if (!r.ok) { const body = await r.json().catch(() => ({})); throw new Error(body.message ?? 'Invalid code'); } setPhase('idle'); setCode(''); setSecret(''); setOtpauthUrl(''); setSuccess('Two-factor authentication is now on.'); onChange(true); } catch (e) { setError((e as Error).message); } finally { setBusy(false); } } async function disable(e: React.FormEvent) { e.preventDefault(); setBusy(true); setError(null); try { const r = await fetch('/api/auth/mfa/disable', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ password }), }); if (!r.ok) { const body = await r.json().catch(() => ({})); throw new Error(body.message ?? 'Could not disable MFA'); } setPassword(''); setPhase('idle'); setSuccess('Two-factor authentication is now off.'); onChange(false); } catch (e) { setError((e as Error).message); } finally { setBusy(false); } } // Google chart QR — simplest dependency-free QR for an otpauth:// URL. const qrUrl = otpauthUrl ? `https://api.qrserver.com/v1/create-qr-code/?size=192x192&data=${encodeURIComponent(otpauthUrl)}` : ''; return (

Two-factor authentication (TOTP)

Use Google Authenticator, 1Password, Authy, or any TOTP-compatible app. Once enabled, every sign-in will require a 6-digit code.

{enabled && phase === 'idle' ? (

) : null} {!enabled && phase === 'idle' ? (

{success ? : null} {error ? : null}

) : null} {phase === 'verify' ? (

1. Scan this QR with your authenticator app

{qrUrl ? ( MFA QR code

) : null}

Can't scan? Type this secret manually:


              {secret}

setCode(e.target.value.replace(/\D/g, '').slice(0, 6))} placeholder="123456" required inputMode="numeric" autoComplete="one-time-code" /> {error ? : null}

) : null} {phase === 'disable' ? (

); } // ===== Sessions ===== function SessionsCard() { const [sessions, setSessions] = useState(null); const [loading, setLoading] = useState(true); const [error, setError] = useState(null); const [revoking, setRevoking] = useState(null); const load = useCallback(async () => { setLoading(true); setError(null); try { const r = await fetch('/api/me/sessions'); if (!r.ok) throw new Error('Could not load sessions'); setSessions(((await r.json()) as SessionRow[]) ?? []); } catch (e) { setError((e as Error).message); } finally { setLoading(false); } }, []); useEffect(() => { void load(); }, [load]); async function revoke(id: string) { setRevoking(id); try { const r = await fetch(`/api/me/sessions/${id}`, { method: 'DELETE' }); if (!r.ok && r.status !== 204) throw new Error('Could not sign out that device'); await load(); } catch (e) { setError((e as Error).message); } finally { setRevoking(null); } } return (

Active devices

These devices are signed in to your account. Revoke any you don't recognise.

{error ? : null} {loading && !sessions ? (

Loading…

) : !sessions || sessions.length === 0 ? (

No active sessions found.

) : (

{s.deviceName ?? 'Unknown device'} {s.isCurrent ? ( This device ) : null}

{s.ipAddress ?? 'IP unknown'} {' · '} Last active {fmtRelative(s.lastUsedAt ?? s.createdAt)}
{s.userAgent ? (
{s.userAgent}
) : null}

)} ); } // ===== Helpers ===== function FormAlert({ kind, text }: { kind: 'error' | 'success'; text: string }) { const Icon = kind === 'error' ? AlertCircle : CheckCircle2; const cls = kind === 'error' ? 'border-error/30 bg-error/10 text-error' : 'border-success/30 bg-success/10 text-success'; return (

{text}

); } function fmtRelative(iso: string): string { const t = new Date(iso).getTime(); if (!Number.isFinite(t)) return iso; const diffMs = Date.now() - t; const min = Math.round(diffMs / 60_000); if (min < 1) return 'just now'; if (min < 60) return `${min} min ago`; const hr = Math.round(min / 60); if (hr < 24) return `${hr} hr ago`; const d = Math.round(hr / 24); if (d < 30) return `${d} day${d === 1 ? '' : 's'} ago`; return new Date(iso).toLocaleDateString(); }