| import express from "express"; |
| import bcrypt from "bcrypt"; |
| import jwt from "jsonwebtoken"; |
| import crypto from "crypto"; |
| import { User } from "../models/User.js"; |
| import { loginLimiter } from "../middleware/rateLimit.js"; |
| import { JWT_CONFIG, PASSWORD_POLICY } from "../config/security.js"; |
|
|
| const r = express.Router(); |
|
|
| r.post("/register", async (req, res) => { |
| if (!req.body.password || req.body.password.length < PASSWORD_POLICY.minLength) |
| return res.status(400).json({ error: "Weak password" }); |
|
|
| const hash = await bcrypt.hash(req.body.password, 10); |
| await User.create({ email: req.body.email, passwordHash: hash }); |
| res.json({ ok: true }); |
| }); |
|
|
| r.post("/login", loginLimiter, async (req, res) => { |
| const user = await User.findOne({ email: req.body.email }); |
| if (!user) return res.sendStatus(401); |
|
|
| const ok = await bcrypt.compare(req.body.password, user.passwordHash); |
| await new Promise((r) => setTimeout(r, 500)); |
| if (!ok) return res.sendStatus(401); |
|
|
| const accessToken = jwt.sign( |
| { id: user.id, role: user.role }, |
| process.env.JWT_SECRET, |
| { expiresIn: "15m", ...JWT_CONFIG } |
| ); |
|
|
| const refresh = crypto.randomBytes(64).toString("hex"); |
| user.refreshTokens.push({ |
| hash: await bcrypt.hash(refresh, 10), |
| ip: req.ip, |
| userAgent: req.headers["user-agent"], |
| }); |
| await user.save(); |
|
|
| res.json({ accessToken, refreshToken: refresh }); |
| }); |
|
|
| export default r; |
|
|
