81 lines
2.9 KiB
TypeScript
81 lines
2.9 KiB
TypeScript
import session from "express-session";
|
|
import connectPg from "connect-pg-simple";
|
|
import type { Express, RequestHandler, Request, Response, NextFunction } from "express";
|
|
import bcrypt from "bcryptjs";
|
|
import { storage } from "./storage";
|
|
|
|
declare module "express-session" {
|
|
interface SessionData {
|
|
userId?: string;
|
|
isAdmin?: boolean;
|
|
isSuperAdmin?: boolean;
|
|
}
|
|
}
|
|
|
|
export function getSession() {
|
|
const sessionTtl = 7 * 24 * 60 * 60 * 1000;
|
|
const PgStore = connectPg(session);
|
|
const sessionStore = new PgStore({
|
|
conString: process.env.DATABASE_URL,
|
|
createTableIfMissing: false,
|
|
ttl: sessionTtl,
|
|
tableName: "sessions",
|
|
});
|
|
return session({
|
|
secret: process.env.SESSION_SECRET!,
|
|
store: sessionStore,
|
|
resave: false,
|
|
saveUninitialized: false,
|
|
cookie: {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === "production",
|
|
maxAge: sessionTtl,
|
|
},
|
|
});
|
|
}
|
|
|
|
export async function setupAuth(app: Express) {
|
|
app.set("trust proxy", 1);
|
|
app.use(getSession());
|
|
|
|
// POST /api/auth/login — email + password
|
|
app.post("/api/auth/login", async (req: Request, res: Response) => {
|
|
const { email, password } = req.body || {};
|
|
if (!email || !password) return res.status(400).json({ error: "Email and password required" });
|
|
try {
|
|
const user = await storage.getUserByEmail(email);
|
|
if (!user || !user.passwordHash) return res.status(401).json({ error: "Invalid credentials" });
|
|
const ok = await bcrypt.compare(password, user.passwordHash);
|
|
if (!ok || !user.isActive) return res.status(401).json({ error: "Invalid credentials" });
|
|
req.session.userId = user.id;
|
|
req.session.isAdmin = !!user.isAdmin || !!user.isSuperAdmin;
|
|
req.session.isSuperAdmin = !!user.isSuperAdmin;
|
|
return res.json({ user: { id: user.id, email: user.email, username: user.username, isAdmin: req.session.isAdmin } });
|
|
} catch (e: any) {
|
|
console.error("Login err:", e);
|
|
return res.status(500).json({ error: "Login failed" });
|
|
}
|
|
});
|
|
|
|
app.post("/api/auth/logout", (req: Request, res: Response) => {
|
|
req.session.destroy(() => res.json({ ok: true }));
|
|
});
|
|
|
|
app.get("/api/login", (_req, res) => res.redirect("/login"));
|
|
app.get("/api/callback", (_req, res) => res.redirect("/login"));
|
|
app.get("/api/logout", (req, res) => { req.session.destroy(() => res.redirect("/")); });
|
|
}
|
|
|
|
export const isAuthenticated: RequestHandler = (req: any, res, next) => {
|
|
if (!req.session?.userId) return res.status(401).json({ message: "Unauthorized" });
|
|
req.user = { claims: { sub: req.session.userId } }; // compat with old code expecting req.user.claims.sub
|
|
next();
|
|
};
|
|
|
|
export const isAdmin: RequestHandler = (req: any, res, next) => {
|
|
if (!req.session?.userId) return res.status(401).json({ message: "Unauthorized" });
|
|
if (!req.session.isAdmin) return res.status(403).json({ message: "Forbidden" });
|
|
req.user = { claims: { sub: req.session.userId } };
|
|
next();
|
|
};
|