ghostguild-org/server/api/auth/verify.get.js

// server/api/auth/verify.get.js
import jwt from 'jsonwebtoken'
import Member from '../../models/member.js'
import { connectDB } from '../../utils/mongoose.js'

export default defineEventHandler(async (event) => {
  // Connect to database
  await connectDB()
  
  const query = getQuery(event)
  const { token } = query
  
  if (!token) {
    throw createError({ 
      statusCode: 400, 
      statusMessage: 'Token is required' 
    })
  }
  
  try {
    // Verify the JWT token (use runtime config for consistency with login/requireAuth)
    const config = useRuntimeConfig(event)
    const decoded = jwt.verify(token, config.jwtSecret)
    const member = await Member.findById(decoded.memberId)
    
    if (!member) {
      throw createError({ 
        statusCode: 404, 
        statusMessage: 'Member not found' 
      })
    }

    if (member.status === 'suspended' || member.status === 'cancelled') {
      throw createError({
        statusCode: 403,
        statusMessage: 'Account is ' + member.status
      })
    }
    
    // Create a new session token for the authenticated user
    const sessionToken = jwt.sign(
      { memberId: member._id, email: member.email },
      config.jwtSecret,
      { expiresIn: '7d' }
    )

    // Set the session cookie
    setCookie(event, 'auth-token', sessionToken, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 60 * 60 * 24 * 7 // 7 days
    })
    
    // Redirect to wiki for invite links, /members for regular logins
    const redirectUrl = decoded.redirect === 'wiki'
      ? 'https://wiki.ghostguild.org'
      : '/members'
    await sendRedirect(event, redirectUrl, 302)
    
  } catch (err) {
    if (err.statusCode && err.statusCode !== 401) {
      throw err
    }
    throw createError({ 
      statusCode: 401, 
      statusMessage: 'Invalid or expired token' 
    })
  }
})