import { NextResponse } from 'next/server';
import {
SESSION_COOKIE,
SESSION_MAX_AGE,
createSession,
verifyPassword,
} from '@/lib/auth/session';
// Pin this route to the Node.js runtime rather than Edge. The session helpers
// imported above presumably rely on Node APIs (crypto, etc.) — confirm in
// '@/lib/auth/session'. Next.js reads route-segment config statically, so
// keep this a plain string literal.
export const runtime = 'nodejs';
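/**
 * Password-only login endpoint.
 *
 * Reads `{ password }` from the JSON request body, checks it with
 * `verifyPassword`, and on success mints a session token via `createSession`
 * and attaches it as an HttpOnly cookie.
 *
 * Responses: 400 when the body is not parseable JSON, 401 when the password
 * does not verify, 200 `{ ok: true }` (with the session cookie) otherwise.
 *
 * Brute-force protection is NOT implemented in this handler: there is no
 * delay, attempt counter or lockout here. Because this is a single shared
 * password with no username, online guessing is the primary threat, so
 * rate limiting must be enforced in front of this route (middleware, edge
 * or reverse proxy).
 *
 * @param req - Incoming request; only the JSON body's `password` field is read.
 * @returns A JSON response; on success it also carries the session cookie.
 */
export async function POST(req: Request) {
  let password = '';
  try {
    // Treat the parsed body as unknown and narrow explicitly rather than
    // relying on the implicit `any` from `req.json()`.
    const body: unknown = await req.json();
    const candidate =
      typeof body === 'object' && body !== null
        ? (body as { password?: unknown }).password
        : undefined;
    // A missing or non-string password is folded into the empty string so it
    // takes the same verification path and yields the same 401 as a wrong
    // password, rather than a distinguishable error.
    password = typeof candidate === 'string' ? candidate : '';
  } catch {
    // Unparseable JSON is the one malformed-input case reported separately.
    return NextResponse.json({ error: 'bad request' }, { status: 400 });
  }

  if (!(await verifyPassword(password))) {
    // No artificial delay is applied here. The original note claimed a
    // "delay-ish guard" but none existed; a fixed sleep would not stop a
    // parallel guesser anyway. The comparison inside verifyPassword is
    // expected to be constant-time — confirm in '@/lib/auth/session'.
    return NextResponse.json({ error: 'invalid' }, { status: 401 });
  }

  const token = await createSession();
  // `no-store` keeps any intermediary or browser cache from retaining a
  // response that carries a freshly minted session cookie.
  const res = NextResponse.json(
    { ok: true },
    { headers: { 'Cache-Control': 'no-store' } },
  );
  res.cookies.set(SESSION_COOKIE, token, {
    // Not readable via document.cookie, so a script-injection bug cannot
    // exfiltrate the token directly.
    httpOnly: true,
    // Withheld from cross-site POSTs; still sent on top-level GET navigations.
    sameSite: 'lax',
    // Plain HTTP is tolerated only outside production builds (local dev).
    secure: process.env.NODE_ENV === 'production',
    path: '/',
    maxAge: SESSION_MAX_AGE,
  });
  return res;
}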