brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aed9931e143a51b000cdb924a2ac2231b6b04972
nanodrop/src/routes/api/v1/auth.ts
Brendan Chen 86870db726 feat(auth): family-wide session constants + mint primitive + auth factory 
Adds src/constants.ts exporting the family-wide session policy
(SESSION_TTL_DAYS=30, SESSION_TTL_SECONDS=2_592_000,
SESSION_RENEW_THRESHOLD_SECONDS=3600, LOGOUT_PATHS) so every
bchen.dev app shares the same persistence window.

Introduces issueSessionCookie as the single mint site for
fastify-jwt sign + setCookie, replacing inlined jwt.sign +
setCookie calls in pages.ts and api/v1/auth.ts. The cookie now
carries Max-Age=SESSION_TTL_SECONDS so it persists across browser
restarts.

Converts requireAuth into a makeRequireAuth(config) factory; route
plugins build their own preHandler at registration time. Threads
through pages.ts, api/v1/auth.ts, and api/v1/files.ts.

SESSION_COOKIE_NAME stays 'token' in this commit so existing tests
remain green; the rename to 'nanodrop_session' lands in a follow-up.
JWT_EXPIRY env var is still read; its removal also lands in a
follow-up so each commit builds cleanly.
2026-05-09 10:10:47 -07:00

75 lines
2.1 KiB
TypeScript
Raw Blame History

import type { FastifyPluginAsync } from 'fastify';
import type Database from 'better-sqlite3';
import type { Config } from '../../../config.ts';
import type { Logger } from '../../../middleware/logging.ts';
import type { LockoutService } from '../../../services/lockout.ts';
import { attemptLogin } from '../../../services/login-handler.ts';
import { makeRequireAuth, issueSessionCookie } from '../../../middleware/auth.ts';
import { SESSION_COOKIE_NAME } from '../../../constants.ts';
interface Deps {
db: Database.Database;
config: Config;
logger: Logger;
lockout: LockoutService;
}
interface LoginBody {
username: string;
password: string;
}
export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
const { config } = deps;
const requireAuth = makeRequireAuth(config);
app.post<{ Body: LoginBody }>(
'/login',
{
config: {
rateLimit: {
max: config.loginRateLimitMax,
timeWindow: config.loginRateLimitWindowSeconds * 1000,
},
},
},
async (request, reply) => {
const { username, password } = request.body ?? {};
const result = await attemptLogin(deps, {
username: username ?? '',
password: password ?? '',
ip: request.ip,
userAgent: request.headers['user-agent'] ?? '',
});
if (result.kind === 'bad_request') {
return reply.status(400).send({ error: 'username and password are required' });
}
if (result.kind === 'locked') {
return reply
.status(401)
.header('Retry-After', String(result.retryAfterSeconds))
.send({ error: 'Invalid credentials' });
}
if (result.kind === 'bad_credentials') {
return reply.status(401).send({ error: 'Invalid credentials' });
}
issueSessionCookie(
reply,
app,
{ sub: result.user.id, username: result.user.username },
config.cookieSecure,
);
reply.send({ ok: true });
},
);
app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
reply.clearCookie(SESSION_COOKIE_NAME, { path: '/' }).send({ ok: true });
});
};
Reference in New Issue View Git Blame Copy Permalink