initial commit

server/api/auth/login.post.js

@@ -0,0 +1,34 @@
+import { setCookie } from 'h3'
+import { getDb } from '../../utils/db.js'
+import { verifyPassword } from '../../utils/password.js'
+import { getSessionMaxAgeDays } from '../../utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  const identifier = body?.identifier?.trim()
+  const password = body?.password
+  if (!identifier || typeof password !== 'string') {
+    throw createError({ statusCode: 400, message: 'identifier and password required' })
+  }
+  const { get, run } = await getDb()
+  const user = await get('SELECT id, identifier, role, password_hash FROM users WHERE identifier = ?', [identifier])
+  if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
+    throw createError({ statusCode: 401, message: 'Invalid credentials' })
+  }
+  const sessionDays = getSessionMaxAgeDays()
+  const sid = crypto.randomUUID()
+  const now = new Date()
+  const expires = new Date(now.getTime() + sessionDays * 24 * 60 * 60 * 1000)
+  await run(
+    'INSERT INTO sessions (id, user_id, created_at, expires_at) VALUES (?, ?, ?, ?)',
+    [sid, user.id, now.toISOString(), expires.toISOString()],
+  )
+  setCookie(event, 'session_id', sid, {
+    httpOnly: true,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: sessionDays * 24 * 60 * 60,
+    secure: process.env.NODE_ENV === 'production',
+  })
+  return { user: { id: user.id, identifier: user.identifier, role: user.role } }
+})