Enrollment + almost all auth

lib/auth/requireSession.ts

@@ -6,7 +6,7 @@ const COOKIE_NAME = "mis_session";
 export async function requireSession() {
   const jar = await cookies();
   const sessionId = jar.get(COOKIE_NAME)?.value;
-  if (!sessionId) throw new Error("UNAUTHORIZED");
+  if (!sessionId) return null;
 
   const session = await prisma.session.findFirst({
     where: {
@@ -14,9 +14,21 @@ export async function requireSession() {
       revokedAt: null,
       expiresAt: { gt: new Date() },
     },
+    include: {
+      user: {
+        select: { isActive: true, emailVerifiedAt: true },
+      },
+    },
   });
 
-  if (!session) throw new Error("UNAUTHORIZED");
+  if (!session) return null;
+
+  if (!session.user?.isActive || !session.user?.emailVerifiedAt) {
+    await prisma.session
+      .update({ where: { id: session.id }, data: { revokedAt: new Date() } })
+      .catch(() => {});
+    return null;
+  }
 
   // Optional: update lastSeenAt (useful later)
   await prisma.session

lib/auth/sessionCookie.ts

@@ -0,0 +1,20 @@
+export const COOKIE_NAME = "mis_session";
+export const SESSION_DAYS = 7;
+
+export function isSecureRequest(req: Request) {
+  const forwardedProto = req.headers.get("x-forwarded-proto");
+  if (forwardedProto) {
+    return forwardedProto.split(",")[0].trim() === "https";
+  }
+  return new URL(req.url).protocol === "https:";
+}
+
+export function buildSessionCookieOptions(req: Request) {
+  return {
+    httpOnly: true,
+    sameSite: "lax" as const,
+    secure: isSecureRequest(req),
+    path: "/",
+    maxAge: SESSION_DAYS * 24 * 60 * 60,
+  };
+}