stage 1

2026-04-20 15:49:01 -05:00
parent 381a31d607
commit b98837a72c
46 changed files with 8883 additions and 37 deletions
@@ -0,0 +1,52 @@
+import { NextResponse, type NextRequest } from "next/server";
+import { z } from "zod";
+import { prisma } from "@/lib/prisma";
+import { verifyPassword } from "@/lib/password";
+import { createSession } from "@/lib/session";
+import { audit } from "@/lib/audit";
+import { clientIp, userAgent } from "@/lib/request";
+
+const Body = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+});
+
+export async function POST(req: NextRequest) {
+  const parsed = Body.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 400 });
+  }
+
+  const { email, password } = parsed.data;
+  const user = await prisma.user.findUnique({ where: { email } });
+
+  const ip = clientIp(req);
+  const ua = userAgent(req);
+
+  if (!user || user.role !== "admin" || !user.active || !user.passwordHash) {
+    await audit({ action: "login_failed", entity: "User", entityId: user?.id, ipAddress: ip });
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
+  }
+
+  const ok = await verifyPassword(password, user.passwordHash);
+  if (!ok) {
+    await audit({ action: "login_failed", entity: "User", entityId: user.id, ipAddress: ip });
+    return NextResponse.json({ error: "Invalid email or password" }, { status: 401 });
+  }
+
+  await createSession({
+    userId: user.id,
+    role: "admin",
+    userAgent: ua,
+    ipAddress: ip,
+  });
+
+  await prisma.user.update({
+    where: { id: user.id },
+    data: { lastLoginAt: new Date(), failedAttempts: 0, lockedUntil: null },
+  });
+
+  await audit({ actorId: user.id, action: "login", entity: "User", entityId: user.id, ipAddress: ip });
+
+  return NextResponse.json({ ok: true, redirect: "/admin" });
+}