Create src/routes/auth.js

src/routes/auth.js

@@ -0,0 +1,45 @@
+import express from "express";
+import bcrypt from "bcrypt";
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+import { User } from "../models/User.js";
+import { loginLimiter } from "../middleware/rateLimit.js";
+import { JWT_CONFIG, PASSWORD_POLICY } from "../config/security.js";
+
+const r = express.Router();
+
+r.post("/register", async (req, res) => {
+  if (!req.body.password || req.body.password.length < PASSWORD_POLICY.minLength)
+    return res.status(400).json({ error: "Weak password" });
+
+  const hash = await bcrypt.hash(req.body.password, 10);
+  await User.create({ email: req.body.email, passwordHash: hash });
+  res.json({ ok: true });
+});
+
+r.post("/login", loginLimiter, async (req, res) => {
+  const user = await User.findOne({ email: req.body.email });
+  if (!user) return res.sendStatus(401);
+
+  const ok = await bcrypt.compare(req.body.password, user.passwordHash);
+  await new Promise((r) => setTimeout(r, 500));
+  if (!ok) return res.sendStatus(401);
+
+  const accessToken = jwt.sign(
+    { id: user.id, role: user.role },
+    process.env.JWT_SECRET,
+    { expiresIn: "15m", ...JWT_CONFIG }
+  );
+
+  const refresh = crypto.randomBytes(64).toString("hex");
+  user.refreshTokens.push({
+    hash: await bcrypt.hash(refresh, 10),
+    ip: req.ip,
+    userAgent: req.headers["user-agent"],
+  });
+  await user.save();
+
+  res.json({ accessToken, refreshToken: refresh });
+});
+
+export default r;