99 lines
3 KiB
TypeScript
99 lines
3 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import { cookies, headers } from "next/headers";
|
|
import { createRateLimiter, getClientIp } from "@/lib/rateLimit";
|
|
import { checkCsrf } from "@/lib/apiUtils";
|
|
|
|
const MEDUSA_URL = process.env.MEDUSA_URL ?? process.env.NEXT_PUBLIC_MEDUSA_URL ?? "http://localhost:9000";
|
|
const API_KEY = process.env.MEDUSA_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_MEDUSA_PUBLISHABLE_KEY ?? "";
|
|
|
|
// 5 login attempts per IP per 15 minutes
|
|
const limiter = createRateLimiter({ windowMs: 15 * 60 * 1000, maxRequests: 5 });
|
|
|
|
export async function POST(request: Request) {
|
|
// CSRF check
|
|
const csrfError = await checkCsrf();
|
|
if (csrfError) return csrfError;
|
|
|
|
// Rate limit by IP
|
|
const hdrs = await headers();
|
|
const ip = getClientIp(hdrs);
|
|
const limit = limiter.check(`login:${ip}`);
|
|
if (!limit.allowed) {
|
|
return NextResponse.json(
|
|
{ error: "Too many login attempts. Please try again later." },
|
|
{ status: 429, headers: { "Retry-After": String(Math.ceil(limit.retryAfterMs / 1000)) } },
|
|
);
|
|
}
|
|
|
|
let body: Record<string, unknown>;
|
|
try {
|
|
body = await request.json();
|
|
} catch {
|
|
return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
|
|
}
|
|
|
|
const { email, password } = body;
|
|
|
|
// Server-side validation
|
|
if (typeof email !== "string" || typeof password !== "string") {
|
|
return NextResponse.json({ error: "Email and password are required" }, { status: 400 });
|
|
}
|
|
|
|
const trimmedEmail = email.trim().toLowerCase();
|
|
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmedEmail)) {
|
|
return NextResponse.json({ error: "Invalid email address" }, { status: 400 });
|
|
}
|
|
if (password.length < 8) {
|
|
return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
|
|
}
|
|
if (password.length > 128) {
|
|
return NextResponse.json({ error: "Password too long" }, { status: 400 });
|
|
}
|
|
|
|
// Authenticate with Medusa
|
|
const authRes = await fetch(`${MEDUSA_URL}/auth/customer/emailpass`, {
|
|
method: "POST",
|
|
headers: {
|
|
"Content-Type": "application/json",
|
|
"x-publishable-api-key": API_KEY,
|
|
},
|
|
body: JSON.stringify({ email: trimmedEmail, password }),
|
|
});
|
|
|
|
if (!authRes.ok) {
|
|
return NextResponse.json(
|
|
{ error: "Invalid email or password" },
|
|
{ status: 401 },
|
|
);
|
|
}
|
|
|
|
const { token } = await authRes.json();
|
|
|
|
// Set httpOnly cookie
|
|
const cookieStore = await cookies();
|
|
cookieStore.set("medusa_auth_token", token, {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === "production",
|
|
sameSite: "lax",
|
|
path: "/",
|
|
maxAge: 604800, // 7 days
|
|
});
|
|
|
|
// Fetch customer profile
|
|
const meRes = await fetch(`${MEDUSA_URL}/store/customers/me`, {
|
|
headers: {
|
|
"x-publishable-api-key": API_KEY,
|
|
Authorization: `Bearer ${token}`,
|
|
},
|
|
});
|
|
|
|
if (!meRes.ok) {
|
|
return NextResponse.json(
|
|
{ error: "Failed to fetch profile" },
|
|
{ status: 500 },
|
|
);
|
|
}
|
|
|
|
const { customer } = await meRes.json();
|
|
return NextResponse.json({ customer });
|
|
}
|