aknuth/mailadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
85b608e3d42b4ddb27848b595d0809b40d3af25a
mailadmin/backend/src/routes/auth.ts
Andreas Knuth 85b608e3d4 Domain Admin
2026-04-27 16:57:08 -05:00

69 lines
2.4 KiB
TypeScript
Raw Blame History

import { Router } from 'express';
import bcrypt from 'bcryptjs';
import { z } from 'zod';
import { pool } from '../db.js';
import { config } from '../config.js';
import { requireAuth, signUser } from '../middleware/auth.js';
import { audit } from '../services/audit.js';
export const authRouter = Router();
const loginSchema = z.object({ email: z.string().email(), password: z.string().min(1) });
authRouter.post('/login', async (req, res) => {
const body = loginSchema.parse(req.body);
const result = await pool.query(
`SELECT id, email, password_hash, role, allowed_domains FROM admin_users WHERE email=$1 AND active=true`,
[body.email.toLowerCase()],
);
const user = result.rows[0];
if (!user || !(await bcrypt.compare(body.password, user.password_hash))) {
res.status(401).json({ error: 'Invalid email or password' });
return;
}
const token = signUser({ id: user.id, email: user.email, role: user.role, allowed_domains: user.allowed_domains ?? [] });
res.cookie('mailadmin_token', token, {
httpOnly: true,
sameSite: 'lax',
secure: config.cookieSecure,
maxAge: 12 * 60 * 60 * 1000,
});
res.json({ email: user.email, role: user.role, allowed_domains: user.allowed_domains ?? [] });
});
authRouter.post('/logout', (_req, res) => {
res.clearCookie('mailadmin_token');
res.json({ ok: true });
});
authRouter.get('/me', requireAuth, (req, res) => {
res.json(req.user);
});
// Self-service password change. Requires the current password to prevent
// session hijacking from changing the password silently.
const changePwSchema = z.object({
current_password: z.string().min(1),
new_password: z.string().min(8),
});
authRouter.post('/change-password', requireAuth, async (req, res) => {
const body = changePwSchema.parse(req.body);
const result = await pool.query(
`SELECT id, password_hash FROM admin_users WHERE email=$1 AND active=true`,
[req.user!.email.toLowerCase()],
);
const row = result.rows[0];
if (!row || !(await bcrypt.compare(body.current_password, row.password_hash))) {
res.status(401).json({ error: 'Current password is incorrect' });
return;
}
const newHash = await bcrypt.hash(body.new_password, 12);
await pool.query(
`UPDATE admin_users SET password_hash=$1, updated_at=now() WHERE id=$2`,
[newHash, row.id],
);
await audit(req.user!.email, 'admin.self_password_change', 'admin', req.user!.email, {}, req.ip);
res.json({ ok: true });
});
Reference in New Issue View Git Blame Copy Permalink