stage 1

2026-04-20 15:49:01 -05:00
parent 381a31d607
commit b98837a72c
46 changed files with 8883 additions and 37 deletions
@@ -0,0 +1,52 @@
+import { NextResponse, type NextRequest } from "next/server";
+import { z } from "zod";
+import { prisma } from "@/lib/prisma";
+import { verifyPassword } from "@/lib/password";
+import { createSession } from "@/lib/session";
+import { audit } from "@/lib/audit";
+import { clientIp, userAgent } from "@/lib/request";
+
+const Body = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+});
+
+export async function POST(req: NextRequest) {
+  const parsed = Body.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 400 });
+  }
+
+  const { email, password } = parsed.data;
+  const user = await prisma.user.findUnique({ where: { email } });
+
+  const ip = clientIp(req);
+  const ua = userAgent(req);
+
+  if (!user || user.role !== "admin" || !user.active || !user.passwordHash) {
+    await audit({ action: "login_failed", entity: "User", entityId: user?.id, ipAddress: ip });
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
+  }
+
+  const ok = await verifyPassword(password, user.passwordHash);
+  if (!ok) {
+    await audit({ action: "login_failed", entity: "User", entityId: user.id, ipAddress: ip });
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
+  }
+
+  await createSession({
+    userId: user.id,
+    role: "admin",
+    userAgent: ua,
+    ipAddress: ip,
+  });
+
+  await prisma.user.update({
+    where: { id: user.id },
+    data: { lastLoginAt: new Date(), failedAttempts: 0, lockedUntil: null },
+  });
+
+  await audit({ actorId: user.id, action: "login", entity: "User", entityId: user.id, ipAddress: ip });
+
+  return NextResponse.json({ ok: true, redirect: "/admin" });
+}
@@ -0,0 +1,12 @@
+import { NextResponse } from "next/server";
+import { destroyCurrentSession, getSessionUser } from "@/lib/session";
+import { audit } from "@/lib/audit";
+
+export async function POST() {
+  const user = await getSessionUser();
+  await destroyCurrentSession();
+  if (user) {
+    await audit({ actorId: user.id, action: "logout", entity: "User", entityId: user.id });
+  }
+  return NextResponse.json({ ok: true });
+}
@@ -0,0 +1,80 @@
+import { NextResponse, type NextRequest } from "next/server";
+import { z } from "zod";
+import { prisma } from "@/lib/prisma";
+import { verifyPin, isValidPin } from "@/lib/password";
+import { createSession } from "@/lib/session";
+import { env } from "@/lib/env";
+import { audit } from "@/lib/audit";
+import { clientIp, userAgent } from "@/lib/request";
+
+const Body = z.object({
+  operatorId: z.string().min(1),
+  pin: z.string().regex(/^\d{4}$/, "PIN must be 4 digits"),
+});
+
+export async function POST(req: NextRequest) {
+  const parsed = Body.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid PIN" }, { status: 400 });
+  }
+
+  const { operatorId, pin } = parsed.data;
+  if (!isValidPin(pin)) {
+    return NextResponse.json({ error: "Invalid PIN" }, { status: 400 });
+  }
+
+  const ip = clientIp(req);
+  const ua = userAgent(req);
+
+  const user = await prisma.user.findUnique({ where: { id: operatorId } });
+  if (!user || user.role !== "operator" || !user.active || !user.pinHash) {
+    await audit({ action: "login_failed", entity: "User", entityId: user?.id, ipAddress: ip });
+    return NextResponse.json({ error: "Invalid PIN" }, { status: 401 });
+  }
+
+  if (user.lockedUntil && user.lockedUntil.getTime() > Date.now()) {
+    const mins = Math.ceil((user.lockedUntil.getTime() - Date.now()) / 60000);
+    return NextResponse.json(
+      { error: `Account locked. Try again in ${mins} minute${mins === 1 ? "" : "s"}.` },
+      { status: 423 },
+    );
+  }
+
+  const ok = await verifyPin(pin, user.pinHash);
+  if (!ok) {
+    const attempts = user.failedAttempts + 1;
+    const shouldLock = attempts >= env.PIN_MAX_ATTEMPTS;
+    await prisma.user.update({
+      where: { id: user.id },
+      data: {
+        failedAttempts: shouldLock ? 0 : attempts,
+        lockedUntil: shouldLock ? new Date(Date.now() + env.PIN_LOCKOUT_MINUTES * 60_000) : null,
+      },
+    });
+    await audit({ action: "login_failed", entity: "User", entityId: user.id, ipAddress: ip });
+    return NextResponse.json(
+      {
+        error: shouldLock
+          ? `Too many attempts. Locked for ${env.PIN_LOCKOUT_MINUTES} minutes.`
+          : "Invalid PIN",
+      },
+      { status: shouldLock ? 423 : 401 },
+    );
+  }
+
+  await createSession({
+    userId: user.id,
+    role: "operator",
+    userAgent: ua,
+    ipAddress: ip,
+  });
+
+  await prisma.user.update({
+    where: { id: user.id },
+    data: { lastLoginAt: new Date(), failedAttempts: 0, lockedUntil: null },
+  });
+
+  await audit({ actorId: user.id, action: "login", entity: "User", entityId: user.id, ipAddress: ip });
+
+  return NextResponse.json({ ok: true, redirect: "/op" });
+}
@@ -0,0 +1,14 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+export async function GET() {
+  try {
+    await prisma.$queryRaw`SELECT 1`;
+    return NextResponse.json({ ok: true, ts: new Date().toISOString() });
+  } catch (err) {
+    return NextResponse.json(
+      { ok: false, error: err instanceof Error ? err.message : "unknown" },
+      { status: 503 },
+    );
+  }
+}
@@ -0,0 +1,13 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+
+// Public-by-design: returns the list of active operators so the login tile
+// grid can render. Contains no secrets (no email, no hashes).
+export async function GET() {
+  const operators = await prisma.user.findMany({
+    where: { role: "operator", active: true },
+    select: { id: true, name: true },
+    orderBy: { name: "asc" },
+  });
+  return NextResponse.json({ operators });
+}