add login with sessian and cleanup

server/src/api/v1/auth/index.ts

@@ -0,0 +1,117 @@
+import express, { type Router, type Request, type Response } from 'express'
+import jwt from 'jsonwebtoken'
+
+import { UserModel } from '../../../models/user.model.ts'
+
+import ldapAuth from './ldap.ts'
+
+const router = express.Router()
+
+const ACCESS_TOKEN_SECRET = process.env.ACCESS_TOKEN_SECRET!
+const REFRESH_TOKEN_SECRET = process.env.REFRESH_TOKEN_SECRET!
+
+function createAccessToken(user: any) {
+	return jwt.sign(
+		{ sub: user._id, role: user.role },
+		ACCESS_TOKEN_SECRET,
+		{ expiresIn: '15m' },
+	)
+}
+
+function createRefreshToken(user: any) {
+	return jwt.sign(
+		{ sub: user._id },
+		REFRESH_TOKEN_SECRET,
+		{ expiresIn: '7d' },
+	)
+}
+
+router.post('/login', async (req: Request, res: Response) => {
+	const { email, username, password } = req.body
+	if (!username || !password) return res.status(400).json({ error: 'Missing credentials' })
+
+	try {
+		const ldapUser = await ldapAuth({ username, password })
+
+		if (!ldapUser.auth) return res.status(401).json({ error: 'Invalid credentials' })
+
+		let user = await UserModel.findOne({ username: ldapUser.user.cn })
+		if (!user) {
+			user = await UserModel.create({
+				username: ldapUser.user.cn,
+				email: ldapUser.user.dn,
+				refresh_token: '',
+			})
+		}
+
+		const accessToken = createAccessToken(user)
+		const refreshToken = createRefreshToken(user)
+
+		user.refreshToken = refreshToken
+		await user.save()
+
+		res.cookie('access_token', accessToken, {
+			httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: 15 * 60 * 1000,
+		})
+		res.cookie('refresh_token', refreshToken, {
+			httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: 7 * 24 * 3600 * 1000,
+		})
+
+		res.json({
+			ok: true,
+			user: {
+				username: ldapUser.user.cn,
+				email: ldapUser.user.dn
+			},
+		})
+
+	} catch (err) {
+		console.error(err)
+		res.status(401).json({ error: 'Invalid credentials' })
+	}
+})
+
+router.post('/refresh', async (req: Request, res: Response) => {
+	const token = req.cookies.refresh_token
+	if (!token) return res.status(401).json({ error: 'No refresh token' })
+	try {
+		const payload = jwt.verify(token, REFRESH_TOKEN_SECRET)
+		const user = await UserModel.findById(payload.sub)
+		if (!user || !user.refreshToken === token) return res.status(403).json({ error: 'Invalid refresh token' })
+
+		const newAccessToken = createAccessToken(user)
+		const newRefreshToken = createRefreshToken(user)
+
+		user.refreshToken = newRefreshToken
+		await user.save()
+
+		res.cookie('access_token', newAccessToken, {
+			httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: 15 * 60 * 1000,
+		})
+		res.cookie('refresh_token', newRefreshToken, {
+			httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: 7 * 24 * 3600 * 1000,
+		})
+		res.json({ ok: true })
+	} catch (error) {
+		res.status(401).json({ error: 'Invalid refresh token' })
+	}
+})
+
+router.post('/logout', async (req: Request, res: Response) => {
+	const token = req.cookies.refresh_token
+	if (token) {
+		try {
+			const payload = jwt.verify(token, REFRESH_TOKEN_SECRET)
+			const user = await UserModel.findById(payload.sub)
+			if (user) {
+				user.refreshToken = ''
+				await user.save()
+			}
+		} catch { }
+	}
+	res.clearCookie('access_token')
+	res.clearCookie('refresh_token')
+	res.json({ loggedOut: true })
+})
+
+export default router as Router