72 lines
2 KiB
JavaScript
72 lines
2 KiB
JavaScript
// server/api/auth/verify.post.js
|
|
import { getRequestIP } from 'h3'
|
|
import jwt from 'jsonwebtoken'
|
|
import Member from '../../models/member.js'
|
|
import { validateBody } from '../../utils/validateBody.js'
|
|
import { verifyMagicLinkSchema } from '../../utils/schemas.js'
|
|
import { setAuthCookie } from '../../utils/auth.js'
|
|
import { rateLimit } from '../../utils/rateLimit.js'
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const ip = getRequestIP(event, { xForwardedFor: true }) || 'unknown'
|
|
if (!rateLimit(`auth:verify:ip:${ip}`, { max: 5, windowMs: 3600_000 })) {
|
|
throw createError({ statusCode: 429, statusMessage: 'Too many verification attempts' })
|
|
}
|
|
|
|
const { token } = await validateBody(event, verifyMagicLinkSchema)
|
|
|
|
const config = useRuntimeConfig(event)
|
|
|
|
let decoded
|
|
try {
|
|
decoded = jwt.verify(token, config.jwtSecret)
|
|
} catch {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token',
|
|
})
|
|
}
|
|
|
|
const member = await Member.findById(decoded.memberId)
|
|
|
|
if (!member) {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token',
|
|
})
|
|
}
|
|
|
|
if (member.status === 'suspended') {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: 'Account is suspended',
|
|
})
|
|
}
|
|
|
|
if (member.status === 'cancelled') {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: 'Account is cancelled',
|
|
})
|
|
}
|
|
|
|
// Single-use enforcement: jti must match and must not have been used
|
|
if (!decoded.jti || decoded.jti !== member.magicLinkJti || member.magicLinkJtiUsed) {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token',
|
|
})
|
|
}
|
|
|
|
// Atomically burn the token before issuing session
|
|
await Member.findByIdAndUpdate(
|
|
member._id,
|
|
{ $set: { magicLinkJtiUsed: true, lastLogin: new Date() } },
|
|
{ runValidators: false }
|
|
)
|
|
|
|
setAuthCookie(event, member)
|
|
|
|
const redirectUrl = member.role === 'admin' ? '/admin' : '/member/dashboard'
|
|
return { success: true, redirectUrl }
|
|
})
|