karim
540dd9df5b
Auf Wunsch: Betreiber-Bereich getrennt von Kundenkonten. - auth.js: signAdminToken (role:operator), requireAdmin prüft Token-Rolle; requireAuth weist Operator-Token ab (saubere Trennung beide Richtungen) - routes/admin.js: POST /admin/login (ADMIN_PASSWORD → Operator-Token) - env.js: adminPassword statt adminEmail - 0003_admin.sql: droppt die nicht mehr genutzte accounts.is_admin-Spalte - register/login/account/me: is_admin restlos entfernt E2E: Kunde→403, falsches PW→401, richtiges PW→Token, stats→200, Admin-Token→Kundenroute→401. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
42 lines
1.8 KiB
JavaScript
42 lines
1.8 KiB
JavaScript
// HOST-Kundenkonten: Registrierung + Login. Gibt ein JWT zurück.
|
|
import { Router } from "express";
|
|
import { one } from "../db.js";
|
|
import { hashPassword, verifyPassword, signToken } from "../auth.js";
|
|
|
|
export const authRouter = Router();
|
|
|
|
const isEmail = (s) => /.+@.+\..+/.test(s || "");
|
|
|
|
authRouter.post("/register", async (req, res) => {
|
|
const email = (req.body?.email || "").trim().toLowerCase();
|
|
const password = req.body?.password || "";
|
|
if (!isEmail(email)) return res.status(400).json({ error: "Ungültige Email." });
|
|
if (password.length < 8) return res.status(400).json({ error: "Passwort min. 8 Zeichen." });
|
|
|
|
const existing = await one("select id from accounts where email = $1", [email]);
|
|
if (existing) return res.status(409).json({ error: "Konto existiert bereits." });
|
|
|
|
let account;
|
|
try {
|
|
account = await one(
|
|
"insert into accounts (email, password_hash) values ($1, $2) returning id, email",
|
|
[email, await hashPassword(password)]
|
|
);
|
|
} catch (e) {
|
|
// 23505 = unique_violation (Race zwischen SELECT und INSERT).
|
|
if (e.code === "23505") return res.status(409).json({ error: "Konto existiert bereits." });
|
|
throw e;
|
|
}
|
|
res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
|
|
});
|
|
|
|
authRouter.post("/login", async (req, res) => {
|
|
const email = (req.body?.email || "").trim().toLowerCase();
|
|
const password = req.body?.password || "";
|
|
const account = await one("select id, email, password_hash from accounts where email = $1", [email]);
|
|
if (!account || !(await verifyPassword(password, account.password_hash))) {
|
|
return res.status(401).json({ error: "Email oder Passwort falsch." });
|
|
}
|
|
res.json({ token: signToken(account), account: { id: account.id, email: account.email } });
|
|
});
|