feat: pagina inbox e valida tokens do companion

src/app/api/auth/device/refresh/route.ts

@@ -1,4 +1,4 @@
-import { and, eq, isNull } from "drizzle-orm";
+import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { apiTokens } from "@/db/schema";
 import {
@@ -38,6 +38,7 @@ export async function POST(request: Request) {
 				eq(apiTokens.id, payload.tokenId),
 				eq(apiTokens.userId, payload.sub),
 				isNull(apiTokens.revokedAt),
+				gt(apiTokens.expiresAt, new Date()),
 			),
 		});
 
@@ -65,8 +66,9 @@ export async function POST(request: Request) {
 				tokenHash: hashToken(result.accessToken),
 				lastUsedAt: new Date(),
 				lastUsedIp:
-					request.headers.get("x-forwarded-for") ||
-					request.headers.get("x-real-ip"),
+					request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
+					request.headers.get("x-real-ip") ||
+					null,
 				expiresAt: result.expiresAt,
 			})
 			.where(eq(apiTokens.id, payload.tokenId));

src/app/api/auth/device/tokens/[tokenId]/route.ts

@@ -39,7 +39,9 @@ export async function DELETE(_request: Request, { params }: RouteParams) {
 		await db
 			.update(apiTokens)
 			.set({ revokedAt: new Date() })
-			.where(eq(apiTokens.id, tokenId));
+			.where(
+				and(eq(apiTokens.id, tokenId), eq(apiTokens.userId, session.user.id)),
+			);
 
 		return NextResponse.json({
 			message: "Token revogado com sucesso",

src/app/api/auth/device/verify/route.ts

@@ -1,4 +1,4 @@
-import { and, eq, isNull } from "drizzle-orm";
+import { and, eq, gt, isNull } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { apiTokens } from "@/db/schema";
 import { extractBearerToken, hashToken } from "@/shared/lib/auth/api-token";
@@ -33,6 +33,7 @@ export async function POST(request: Request) {
 			where: and(
 				eq(apiTokens.tokenHash, tokenHash),
 				isNull(apiTokens.revokedAt),
+				gt(apiTokens.expiresAt, new Date()),
 			),
 		});