157 lines
4.1 KiB
JavaScript
157 lines
4.1 KiB
JavaScript
import NextAuth from "next-auth";
|
|
import Credentials from "next-auth/providers/credentials";
|
|
import bcrypt from "bcryptjs";
|
|
import { z } from "zod";
|
|
|
|
const loginSchema = z.object({
|
|
username: z.string().min(1, "Username is required"),
|
|
password: z.string().min(6, "Password must be at least 6 characters"),
|
|
});
|
|
|
|
export const { handlers, auth, signIn, signOut } = NextAuth({
|
|
providers: [
|
|
Credentials({
|
|
name: "credentials",
|
|
credentials: {
|
|
username: { label: "Username", type: "text" },
|
|
password: { label: "Password", type: "password" },
|
|
},
|
|
async authorize(credentials) {
|
|
try {
|
|
// Import database here to avoid edge runtime issues
|
|
const { default: db } = await import("./db.js");
|
|
|
|
// Validate input
|
|
const validatedFields = loginSchema.parse(credentials);
|
|
|
|
// Check if user exists and is active
|
|
const user = db
|
|
.prepare(
|
|
`
|
|
SELECT id, username, name, password_hash, role, is_active,
|
|
failed_login_attempts, locked_until
|
|
FROM users
|
|
WHERE username = ? AND is_active = 1
|
|
`
|
|
)
|
|
.get(validatedFields.username);
|
|
|
|
if (!user) {
|
|
throw new Error("Invalid credentials");
|
|
}
|
|
|
|
// Check if account is locked
|
|
if (user.locked_until && new Date(user.locked_until) > new Date()) {
|
|
throw new Error("Account temporarily locked");
|
|
}
|
|
|
|
// Verify password
|
|
const isValidPassword = await bcrypt.compare(
|
|
validatedFields.password,
|
|
user.password_hash
|
|
);
|
|
|
|
if (!isValidPassword) {
|
|
// Increment failed attempts
|
|
db.prepare(
|
|
`
|
|
UPDATE users
|
|
SET failed_login_attempts = failed_login_attempts + 1,
|
|
locked_until = CASE
|
|
WHEN failed_login_attempts >= 4
|
|
THEN datetime('now', '+15 minutes')
|
|
ELSE locked_until
|
|
END
|
|
WHERE id = ?
|
|
`
|
|
).run(user.id);
|
|
|
|
// Log failed login attempt (only in Node.js runtime)
|
|
try {
|
|
const { logAuditEventSafe, AUDIT_ACTIONS, RESOURCE_TYPES } =
|
|
await import("./auditLogSafe.js");
|
|
await logAuditEventSafe({
|
|
action: AUDIT_ACTIONS.LOGIN_FAILED,
|
|
userId: user.id,
|
|
resourceType: RESOURCE_TYPES.SESSION,
|
|
details: {
|
|
username: validatedFields.username,
|
|
reason: "invalid_password",
|
|
failed_attempts: user.failed_login_attempts + 1,
|
|
},
|
|
});
|
|
} catch (auditError) {
|
|
console.error("Failed to log audit event:", auditError);
|
|
}
|
|
|
|
throw new Error("Invalid credentials");
|
|
}
|
|
|
|
// Reset failed attempts and update last login
|
|
db.prepare(
|
|
`
|
|
UPDATE users
|
|
SET failed_login_attempts = 0,
|
|
locked_until = NULL,
|
|
last_login = CURRENT_TIMESTAMP
|
|
WHERE id = ?
|
|
`
|
|
).run(user.id);
|
|
|
|
// Log successful login (only in Node.js runtime)
|
|
try {
|
|
const { logAuditEventSafe, AUDIT_ACTIONS, RESOURCE_TYPES } =
|
|
await import("./auditLogSafe.js");
|
|
await logAuditEventSafe({
|
|
action: AUDIT_ACTIONS.LOGIN,
|
|
userId: user.id,
|
|
resourceType: RESOURCE_TYPES.SESSION,
|
|
details: {
|
|
username: user.username,
|
|
role: user.role,
|
|
},
|
|
});
|
|
} catch (auditError) {
|
|
console.error("Failed to log audit event:", auditError);
|
|
}
|
|
|
|
return {
|
|
id: user.id,
|
|
username: user.username,
|
|
name: user.name,
|
|
role: user.role,
|
|
};
|
|
} catch (error) {
|
|
console.error("Login error:", error);
|
|
return null;
|
|
}
|
|
},
|
|
}),
|
|
],
|
|
callbacks: {
|
|
async jwt({ token, user }) {
|
|
if (user) {
|
|
token.role = user.role;
|
|
token.username = user.username;
|
|
}
|
|
return token;
|
|
},
|
|
async session({ session, token }) {
|
|
if (token) {
|
|
session.user.id = token.sub;
|
|
session.user.role = token.role;
|
|
session.user.username = token.username;
|
|
}
|
|
return session;
|
|
},
|
|
},
|
|
pages: {
|
|
signIn: "/auth/signin",
|
|
},
|
|
session: {
|
|
strategy: "jwt",
|
|
maxAge: 24 * 60 * 60, // 24 hours
|
|
},
|
|
secret: process.env.NEXTAUTH_SECRET,
|
|
});
|