stage 1
This commit is contained in:
jason
@@ -0,0 +1,52 @@
|
||||
import { NextResponse, type NextRequest } from "next/server";
|
||||
import { z } from "zod";
|
||||
import { prisma } from "@/lib/prisma";
|
||||
import { verifyPassword } from "@/lib/password";
|
||||
import { createSession } from "@/lib/session";
|
||||
import { audit } from "@/lib/audit";
|
||||
import { clientIp, userAgent } from "@/lib/request";
|
||||
|
||||
const Body = z.object({
|
||||
email: z.string().email(),
|
||||
password: z.string().min(1),
|
||||
});
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
const parsed = Body.safeParse(await req.json().catch(() => ({})));
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Invalid email or password" }, { status: 400 });
|
||||
}
|
||||
|
||||
const { email, password } = parsed.data;
|
||||
const user = await prisma.user.findUnique({ where: { email } });
|
||||
|
||||
const ip = clientIp(req);
|
||||
const ua = userAgent(req);
|
||||
|
||||
if (!user || user.role !== "admin" || !user.active || !user.passwordHash) {
|
||||
await audit({ action: "login_failed", entity: "User", entityId: user?.id, ipAddress: ip });
|
||||
return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
|
||||
}
|
||||
|
||||
const ok = await verifyPassword(password, user.passwordHash);
|
||||
if (!ok) {
|
||||
await audit({ action: "login_failed", entity: "User", entityId: user.id, ipAddress: ip });
|
||||
return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
|
||||
}
|
||||
|
||||
await createSession({
|
||||
userId: user.id,
|
||||
role: "admin",
|
||||
userAgent: ua,
|
||||
ipAddress: ip,
|
||||
});
|
||||
|
||||
await prisma.user.update({
|
||||
where: { id: user.id },
|
||||
data: { lastLoginAt: new Date(), failedAttempts: 0, lockedUntil: null },
|
||||
});
|
||||
|
||||
await audit({ actorId: user.id, action: "login", entity: "User", entityId: user.id, ipAddress: ip });
|
||||
|
||||
return NextResponse.json({ ok: true, redirect: "/admin" });
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { destroyCurrentSession, getSessionUser } from "@/lib/session";
|
||||
import { audit } from "@/lib/audit";
|
||||
|
||||
export async function POST() {
|
||||
const user = await getSessionUser();
|
||||
await destroyCurrentSession();
|
||||
if (user) {
|
||||
await audit({ actorId: user.id, action: "logout", entity: "User", entityId: user.id });
|
||||
}
|
||||
return NextResponse.json({ ok: true });
|
||||
}
|
||||
@@ -0,0 +1,80 @@
|
||||
import { NextResponse, type NextRequest } from "next/server";
|
||||
import { z } from "zod";
|
||||
import { prisma } from "@/lib/prisma";
|
||||
import { verifyPin, isValidPin } from "@/lib/password";
|
||||
import { createSession } from "@/lib/session";
|
||||
import { env } from "@/lib/env";
|
||||
import { audit } from "@/lib/audit";
|
||||
import { clientIp, userAgent } from "@/lib/request";
|
||||
|
||||
const Body = z.object({
|
||||
operatorId: z.string().min(1),
|
||||
pin: z.string().regex(/^\d{4}$/, "PIN must be 4 digits"),
|
||||
});
|
||||
|
||||
export async function POST(req: NextRequest) {
|
||||
const parsed = Body.safeParse(await req.json().catch(() => ({})));
|
||||
if (!parsed.success) {
|
||||
return NextResponse.json({ error: "Invalid PIN" }, { status: 400 });
|
||||
}
|
||||
|
||||
const { operatorId, pin } = parsed.data;
|
||||
if (!isValidPin(pin)) {
|
||||
return NextResponse.json({ error: "Invalid PIN" }, { status: 400 });
|
||||
}
|
||||
|
||||
const ip = clientIp(req);
|
||||
const ua = userAgent(req);
|
||||
|
||||
const user = await prisma.user.findUnique({ where: { id: operatorId } });
|
||||
if (!user || user.role !== "operator" || !user.active || !user.pinHash) {
|
||||
await audit({ action: "login_failed", entity: "User", entityId: user?.id, ipAddress: ip });
|
||||
return NextResponse.json({ error: "Invalid PIN" }, { status: 401 });
|
||||
}
|
||||
|
||||
if (user.lockedUntil && user.lockedUntil.getTime() > Date.now()) {
|
||||
const mins = Math.ceil((user.lockedUntil.getTime() - Date.now()) / 60000);
|
||||
return NextResponse.json(
|
||||
{ error: `Account locked. Try again in ${mins} minute${mins === 1 ? "" : "s"}.` },
|
||||
{ status: 423 },
|
||||
);
|
||||
}
|
||||
|
||||
const ok = await verifyPin(pin, user.pinHash);
|
||||
if (!ok) {
|
||||
const attempts = user.failedAttempts + 1;
|
||||
const shouldLock = attempts >= env.PIN_MAX_ATTEMPTS;
|
||||
await prisma.user.update({
|
||||
where: { id: user.id },
|
||||
data: {
|
||||
failedAttempts: shouldLock ? 0 : attempts,
|
||||
lockedUntil: shouldLock ? new Date(Date.now() + env.PIN_LOCKOUT_MINUTES * 60_000) : null,
|
||||
},
|
||||
});
|
||||
await audit({ action: "login_failed", entity: "User", entityId: user.id, ipAddress: ip });
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: shouldLock
|
||||
? `Too many attempts. Locked for ${env.PIN_LOCKOUT_MINUTES} minutes.`
|
||||
: "Invalid PIN",
|
||||
},
|
||||
{ status: shouldLock ? 423 : 401 },
|
||||
);
|
||||
}
|
||||
|
||||
await createSession({
|
||||
userId: user.id,
|
||||
role: "operator",
|
||||
userAgent: ua,
|
||||
ipAddress: ip,
|
||||
});
|
||||
|
||||
await prisma.user.update({
|
||||
where: { id: user.id },
|
||||
data: { lastLoginAt: new Date(), failedAttempts: 0, lockedUntil: null },
|
||||
});
|
||||
|
||||
await audit({ actorId: user.id, action: "login", entity: "User", entityId: user.id, ipAddress: ip });
|
||||
|
||||
return NextResponse.json({ ok: true, redirect: "/op" });
|
||||
}
|
||||
Reference in New Issue
Block a user