feat: Implement competitor update API with history reset on URL change, add user data export and account deletion functionality, and introduce encryption for sensitive user settings.

Author: Bharath-code

src/app/api/competitors/[id]/route.ts

@@ -0,0 +1,148 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createServerClient } from "@/lib/supabase";
+import { getUserId } from "@/lib/auth";
+
+/**
+ * Competitor Update API
+ *
+ * PATCH /api/competitors/[id] - Update competitor name/URL
+ * 
+ * If URL changes, all historical data (snapshots, alerts) is reset
+ * to maintain data integrity and prevent misuse.
+ */
+
+interface RouteParams {
+    params: Promise<{ id: string }>;
+}
+
+export async function PATCH(request: NextRequest, { params }: RouteParams) {
+    try {
+        const userId = await getUserId();
+
+        if (!userId) {
+            return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+        }
+
+        const { id } = await params;
+
+        if (!id) {
+            return NextResponse.json(
+                { error: "Competitor ID is required" },
+                { status: 400 }
+            );
+        }
+
+        const body = await request.json();
+        const { name, url } = body;
+
+        // At least one field must be provided
+        if (!name && !url) {
+            return NextResponse.json(
+                { error: "Name or URL is required" },
+                { status: 400 }
+            );
+        }
+
+        // Validate URL format if provided
+        if (url) {
+            try {
+                new URL(url);
+            } catch {
+                return NextResponse.json(
+                    { error: "Invalid URL format" },
+                    { status: 400 }
+                );
+            }
+        }
+
+        const supabase = createServerClient();
+
+        // Fetch current competitor and verify ownership
+        const { data: competitor, error: fetchError } = await supabase
+            .from("competitors")
+            .select("*")
+            .eq("id", id)
+            .single();
+
+        if (fetchError || !competitor) {
+            return NextResponse.json({ error: "Competitor not found" }, { status: 404 });
+        }
+
+        if (competitor.user_id !== userId) {
+            return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+        }
+
+        // Check if URL is changing
+        const urlIsChanging = url && url !== competitor.url;
+        let historyReset = false;
+
+        if (urlIsChanging) {
+            // Delete all snapshots for this competitor
+            const { error: snapshotDeleteError } = await supabase
+                .from("snapshots")
+                .delete()
+                .eq("competitor_id", id);
+
+            if (snapshotDeleteError) {
+                console.error("Error deleting snapshots:", snapshotDeleteError);
+                // Non-fatal: continue with update
+            }
+
+            // Delete all alerts for this competitor
+            const { error: alertDeleteError } = await supabase
+                .from("alerts")
+                .delete()
+                .eq("competitor_id", id);
+
+            if (alertDeleteError) {
+                console.error("Error deleting alerts:", alertDeleteError);
+                // Non-fatal: continue with update
+            }
+
+            historyReset = true;
+            console.log(`[Competitors] URL changed for ${competitor.name}, history reset`);
+        }
+
+        // Prepare update payload
+        const updatePayload: Record<string, unknown> = {};
+
+        if (name) {
+            updatePayload.name = name;
+        }
+
+        if (url) {
+            updatePayload.url = url;
+        }
+
+        // If URL changed, reset tracking fields
+        if (urlIsChanging) {
+            updatePayload.last_checked_at = null;
+            updatePayload.failure_count = 0;
+            updatePayload.status = "active";
+        }
+
+        // Update competitor
+        const { data: updatedCompetitor, error: updateError } = await supabase
+            .from("competitors")
+            .update(updatePayload)
+            .eq("id", id)
+            .select()
+            .single();
+
+        if (updateError) {
+            console.error("Error updating competitor:", updateError);
+            return NextResponse.json({ error: "Failed to update competitor" }, { status: 500 });
+        }
+
+        return NextResponse.json({
+            competitor: updatedCompetitor,
+            historyReset,
+            message: historyReset
+                ? "Competitor updated. Historical data has been reset due to URL change."
+                : "Competitor updated successfully."
+        });
+    } catch (error) {
+        console.error("Unexpected error:", error);
+        return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+    }
+}

src/app/api/settings/route.ts

@@ -3,6 +3,7 @@ import { createServerClient } from "@/lib/supabase";
 import { getUserId } from "@/lib/auth";
 import type { UserSettings } from "@/lib/types";
 import { DEFAULT_USER_SETTINGS } from "@/lib/types";
+import { encryptWebhookUrl, decryptWebhookUrl } from "@/lib/encryption";
 
 /**
  * Settings API
@@ -40,6 +41,13 @@ export async function GET() {
             ...(user?.settings || {}),
         };
 
+        // Decrypt webhook URL for client display (masked)
+        if (settings.slack_webhook_url) {
+            const decrypted = decryptWebhookUrl(settings.slack_webhook_url);
+            // Return masked version for security
+            settings.slack_webhook_url = decrypted ? "••••••••" + decrypted.slice(-20) : null;
+        }
+
         return NextResponse.json({ settings });
     } catch (error) {
         console.error("Unexpected error:", error);
@@ -72,7 +80,15 @@ export async function PATCH(request: NextRequest) {
             if (body.slack_webhook_url === null || body.slack_webhook_url === "") {
                 updates.slack_webhook_url = null;
             } else if (typeof body.slack_webhook_url === "string" && body.slack_webhook_url.startsWith("https://hooks.slack.com/")) {
-                updates.slack_webhook_url = body.slack_webhook_url;
+                // Encrypt the webhook URL before storing
+                const encrypted = encryptWebhookUrl(body.slack_webhook_url);
+                if (!encrypted) {
+                    return NextResponse.json(
+                        { error: "Failed to secure webhook URL. Please try again." },
+                        { status: 500 }
+                    );
+                }
+                updates.slack_webhook_url = encrypted;
             } else {
                 return NextResponse.json(
                     { error: "Invalid Slack webhook URL. Must start with https://hooks.slack.com/" },

src/app/api/user/route.ts

@@ -0,0 +1,163 @@
+import { NextResponse } from "next/server";
+import { createServerClient } from "@/lib/supabase";
+import { getUserId, getCurrentUser } from "@/lib/auth";
+import { decryptWebhookUrl } from "@/lib/encryption";
+
+/**
+ * User Data API
+ * 
+ * GET /api/user/export - GDPR data export (all user data)
+ * DELETE /api/user - Account deletion (removes all user data)
+ */
+
+export async function GET() {
+    try {
+        const userId = await getUserId();
+
+        if (!userId) {
+            return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+        }
+
+        const supabase = createServerClient();
+
+        // Fetch all user data
+        const [
+            { data: user },
+            { data: competitors },
+            { data: alerts },
+            { data: snapshots }
+        ] = await Promise.all([
+            supabase.from("users").select("*").eq("id", userId).single(),
+            supabase.from("competitors").select("*").eq("user_id", userId),
+            supabase.from("alerts").select("*, competitors!inner(user_id)").eq("competitors.user_id", userId),
+            supabase.from("snapshots").select("*, competitors!inner(user_id)").eq("competitors.user_id", userId)
+        ]);
+
+        if (!user) {
+            return NextResponse.json({ error: "User not found" }, { status: 404 });
+        }
+
+        // Sanitize settings (decrypt and redact sensitive data)
+        const sanitizedSettings = user.settings ? {
+            ...user.settings,
+            slack_webhook_url: user.settings.slack_webhook_url
+                ? "[REDACTED - Encrypted Webhook URL]"
+                : null
+        } : null;
+
+        // Build export payload
+        const exportData = {
+            exportedAt: new Date().toISOString(),
+            user: {
+                id: user.id,
+                email: user.email,
+                plan: user.plan,
+                subscription_status: user.subscription_status,
+                created_at: user.created_at,
+                settings: sanitizedSettings
+            },
+            competitors: (competitors || []).map(c => ({
+                id: c.id,
+                name: c.name,
+                url: c.url,
+                status: c.status,
+                created_at: c.created_at,
+                last_checked_at: c.last_checked_at
+            })),
+            alerts: (alerts || []).map(a => ({
+                id: a.id,
+                type: a.type,
+                severity: a.severity,
+                title: a.title,
+                description: a.description,
+                created_at: a.created_at,
+                is_read: a.is_read
+            })),
+            snapshots_count: snapshots?.length || 0,
+            // Don't include full snapshot data (too large), just metadata
+            snapshots_summary: (snapshots || []).slice(0, 10).map(s => ({
+                id: s.id,
+                competitor_id: s.competitor_id,
+                created_at: s.created_at,
+                region: s.region
+            }))
+        };
+
+        // Return as downloadable JSON
+        return new NextResponse(JSON.stringify(exportData, null, 2), {
+            status: 200,
+            headers: {
+                "Content-Type": "application/json",
+                "Content-Disposition": `attachment; filename="rivaleye-export-${userId}.json"`
+            }
+        });
+    } catch (error) {
+        console.error("Data export error:", error);
+        return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+    }
+}
+
+export async function DELETE() {
+    try {
+        const userId = await getUserId();
+
+        if (!userId) {
+            return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+        }
+
+        const supabase = createServerClient();
+
+        // Cascade delete: snapshots → alerts → competitors → user
+        // Note: In production, you'd want RLS and proper cascade constraints
+
+        // 1. Get all competitor IDs for this user
+        const { data: competitors } = await supabase
+            .from("competitors")
+            .select("id")
+            .eq("user_id", userId);
+
+        const competitorIds = (competitors || []).map(c => c.id);
+
+        if (competitorIds.length > 0) {
+            // 2. Delete snapshots for these competitors
+            await supabase
+                .from("snapshots")
+                .delete()
+                .in("competitor_id", competitorIds);
+
+            // 3. Delete alerts for these competitors
+            await supabase
+                .from("alerts")
+                .delete()
+                .in("competitor_id", competitorIds);
+
+            // 4. Delete competitors
+            await supabase
+                .from("competitors")
+                .delete()
+                .eq("user_id", userId);
+        }
+
+        // 5. Delete user record
+        const { error: userDeleteError } = await supabase
+            .from("users")
+            .delete()
+            .eq("id", userId);
+
+        if (userDeleteError) {
+            console.error("User deletion error:", userDeleteError);
+            return NextResponse.json({ error: "Failed to delete account" }, { status: 500 });
+        }
+
+        // Log the deletion event
+        console.log(`[GDPR] User account deleted: ${userId}`);
+
+        return NextResponse.json({
+            success: true,
+            message: "Account and all associated data have been permanently deleted."
+        });
+    } catch (error) {
+        console.error("Account deletion error:", error);
+        return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+    }
+}

src/app/components/Header.tsx

@@ -98,6 +98,7 @@ export default function Header() {
                     pathname === "/settings" && "text-emerald-400 bg-white/5 border-white/5"
                   )}
                   title="Settings"
+                  aria-label="Open notification settings"
                 >
                   <SettingsIcon className="w-4.5 h-4.5" />
                 </Button>