import NextAuth from "next-auth"; import Credentials from "next-auth/providers/credentials"; import bcrypt from "bcryptjs"; import { z } from "zod"; const loginSchema = z.object({ username: z.string().min(1, "Username is required"), password: z.string().min(6, "Password must be at least 6 characters"), }); export const { handlers, auth, signIn, signOut } = NextAuth({ providers: [ Credentials({ name: "credentials", credentials: { username: { label: "Username", type: "text" }, password: { label: "Password", type: "password" }, }, async authorize(credentials) { try { // Import database here to avoid edge runtime issues const { default: db } = await import("./db.js"); // Validate input const validatedFields = loginSchema.parse(credentials); // Check if user exists and is active const user = db .prepare( ` SELECT id, username, name, password_hash, role, is_active, failed_login_attempts, locked_until FROM users WHERE username = ? AND is_active = 1 ` ) .get(validatedFields.username); if (!user) { throw new Error("Invalid credentials"); } // Check if account is locked if (user.locked_until && new Date(user.locked_until) > new Date()) { throw new Error("Account temporarily locked"); } // Verify password const isValidPassword = await bcrypt.compare( validatedFields.password, user.password_hash ); if (!isValidPassword) { // Increment failed attempts db.prepare( ` UPDATE users SET failed_login_attempts = failed_login_attempts + 1, locked_until = CASE WHEN failed_login_attempts >= 4 THEN datetime('now', '+15 minutes') ELSE locked_until END WHERE id = ? ` ).run(user.id); // Log failed login attempt (only in Node.js runtime) try { const { logAuditEventSafe, AUDIT_ACTIONS, RESOURCE_TYPES } = await import("./auditLogSafe.js"); await logAuditEventSafe({ action: AUDIT_ACTIONS.LOGIN_FAILED, userId: user.id, resourceType: RESOURCE_TYPES.SESSION, details: { username: validatedFields.username, reason: "invalid_password", failed_attempts: user.failed_login_attempts + 1, }, }); } catch (auditError) { console.error("Failed to log audit event:", auditError); } throw new Error("Invalid credentials"); } // Reset failed attempts and update last login db.prepare( ` UPDATE users SET failed_login_attempts = 0, locked_until = NULL, last_login = CURRENT_TIMESTAMP WHERE id = ? ` ).run(user.id); // Log successful login (only in Node.js runtime) try { const { logAuditEventSafe, AUDIT_ACTIONS, RESOURCE_TYPES } = await import("./auditLogSafe.js"); await logAuditEventSafe({ action: AUDIT_ACTIONS.LOGIN, userId: user.id, resourceType: RESOURCE_TYPES.SESSION, details: { username: user.username, role: user.role, }, }); } catch (auditError) { console.error("Failed to log audit event:", auditError); } return { id: user.id, username: user.username, name: user.name, role: user.role, }; } catch (error) { console.error("Login error:", error); return null; } }, }), ], callbacks: { async jwt({ token, user }) { if (user) { token.role = user.role; token.username = user.username; } return token; }, async session({ session, token }) { if (token) { session.user.id = token.sub; session.user.role = token.role; session.user.username = token.username; } return session; }, }, pages: { signIn: "/auth/signin", }, session: { strategy: "jwt", maxAge: 24 * 60 * 60, // 24 hours }, secret: process.env.NEXTAUTH_SECRET, });