97 lines
2.6 KiB
JavaScript
97 lines
2.6 KiB
JavaScript
import { db } from "./db.mjs";
|
|
import { json, readBody } from "./http.mjs";
|
|
import { clearSessionCookie, createSession, deleteSession, getSession, parseCookies, sessionCookie } from "./session.mjs";
|
|
import { verifyPassword } from "./security.mjs";
|
|
|
|
function publicUser(user) {
|
|
if (!user) return null;
|
|
|
|
return {
|
|
id: user.id,
|
|
email: user.email,
|
|
name: user.name,
|
|
avatarUrl: user.avatar_url,
|
|
role: user.role,
|
|
};
|
|
}
|
|
|
|
export function getRequestSession(request) {
|
|
const cookies = parseCookies(request.headers.cookie);
|
|
const sessionId = cookies.vpc_session;
|
|
const session = getSession(sessionId);
|
|
return { sessionId, session };
|
|
}
|
|
|
|
export function requireCmsUser(request, response) {
|
|
const { session } = getRequestSession(request);
|
|
|
|
if (!session?.user?.id) {
|
|
json(response, 401, { error: "Not signed in" });
|
|
return undefined;
|
|
}
|
|
|
|
return session.user;
|
|
}
|
|
|
|
async function handleMe(request, response) {
|
|
const { session } = getRequestSession(request);
|
|
json(response, 200, { user: session?.user ?? null });
|
|
}
|
|
|
|
async function handleLogin(request, response) {
|
|
const body = JSON.parse(await readBody(request) || "{}");
|
|
const email = String(body.email || "").trim().toLowerCase();
|
|
const password = String(body.password || "");
|
|
|
|
if (!email || !password) {
|
|
json(response, 400, { error: "Email and password are required" });
|
|
return;
|
|
}
|
|
|
|
const user = db.prepare("SELECT * FROM users WHERE email = ?").get(email);
|
|
|
|
if (!user?.password_hash || !verifyPassword(password, user.password_hash)) {
|
|
json(response, 401, { error: "Invalid email or password" });
|
|
return;
|
|
}
|
|
|
|
const sessionUser = publicUser(user);
|
|
const sessionId = createSession({
|
|
user: sessionUser,
|
|
});
|
|
|
|
json(response, 200, { user: sessionUser }, { "Set-Cookie": sessionCookie(sessionId) });
|
|
}
|
|
|
|
async function handleLogout(request, response) {
|
|
const { sessionId } = getRequestSession(request);
|
|
deleteSession(sessionId);
|
|
json(response, 200, { ok: true }, { "Set-Cookie": clearSessionCookie() });
|
|
}
|
|
|
|
export async function handleAuthApi(request, response, url) {
|
|
try {
|
|
if (url.pathname === "/api/auth/me" && request.method === "GET") {
|
|
await handleMe(request, response);
|
|
return true;
|
|
}
|
|
|
|
if (url.pathname === "/api/auth/login" && request.method === "POST") {
|
|
await handleLogin(request, response);
|
|
return true;
|
|
}
|
|
|
|
if (url.pathname === "/api/auth/logout" && request.method === "POST") {
|
|
await handleLogout(request, response);
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
} catch (error) {
|
|
json(response, 500, {
|
|
error: error instanceof Error ? error.message : "Unknown auth API error",
|
|
});
|
|
return true;
|
|
}
|
|
}
|