Working version before modification.

src/routes/authRoutes.js

@@ -0,0 +1,127 @@
+/*
+ * Authentication routes for the PoC application.
+ * 
+ * Provides endpoints for:
+ * - POST /auth/admin/login - Admin login
+ * - POST /auth/user/login - User login
+ * - POST /auth/logout - Logout (both admin and user)
+ * - GET /auth/check - Check current session validity
+ */
+
+import { Router } from 'express';
+import { asyncHandler } from '../utils/asyncHandler.js';
+import {
+  verifyAdminCredentials,
+  verifyUserCredentials,
+  generateSessionToken,
+  createSession,
+  removeSession,
+  validateSession
+} from '../services/authService.js';
+
+const router = Router();
+
+/**
+ * Admin login endpoint.
+ * Expects: { username: string, password: string }
+ * Returns: { success: true, token: string } or { success: false, message: string }
+ */
+router.post(
+  '/admin/login',
+  asyncHandler(async (req, res) => {
+    const { username, password } = req.body;
+
+    if (!username || !password) {
+      return res.status(400).json({ success: false, message: 'Username and password required.' });
+    }
+
+    const result = await verifyAdminCredentials(username, password);
+
+    if (!result.valid) {
+      return res.status(401).json({ success: false, message: 'Invalid credentials.' });
+    }
+
+    const token = generateSessionToken();
+    createSession(token, { type: 'admin', ...result.admin });
+
+    /* Set cookie for browser-based auth */
+    res.cookie('auth_token', token, {
+      httpOnly: true,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      sameSite: 'lax'
+    });
+
+    return res.json({ success: true, token, admin: result.admin });
+  })
+);
+
+/**
+ * User login endpoint.
+ * Expects: { email: string, password: string }
+ * Returns: { success: true, token: string, user: object } or { success: false, message: string }
+ */
+router.post(
+  '/user/login',
+  asyncHandler(async (req, res) => {
+    const { email, password } = req.body;
+
+    if (!email || !password) {
+      return res.status(400).json({ success: false, message: 'Email and password required.' });
+    }
+
+    const result = await verifyUserCredentials(email, password);
+
+    if (!result.valid) {
+      return res.status(401).json({ success: false, message: 'Invalid credentials.' });
+    }
+
+    const token = generateSessionToken();
+    createSession(token, { type: 'user', ...result.user });
+
+    /* Set cookie for browser-based auth */
+    res.cookie('auth_token', token, {
+      httpOnly: true,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      sameSite: 'lax'
+    });
+
+    return res.json({ success: true, token, user: result.user });
+  })
+);
+
+/**
+ * Logout endpoint - clears session.
+ */
+router.post('/logout', (req, res) => {
+  const token = req.cookies?.auth_token || req.headers.authorization?.replace('Bearer ', '');
+
+  if (token) {
+    removeSession(token);
+  }
+
+  res.clearCookie('auth_token');
+  return res.json({ success: true, message: 'Logged out.' });
+});
+
+/**
+ * Check current session validity.
+ * Returns session data if valid, 401 if not.
+ */
+router.get('/check', (req, res) => {
+  const token = req.cookies?.auth_token || req.headers.authorization?.replace('Bearer ', '');
+
+  if (!token) {
+    return res.status(401).json({ authenticated: false, message: 'No session token.' });
+  }
+
+  const session = validateSession(token);
+
+  if (!session) {
+    res.clearCookie('auth_token');
+    return res.status(401).json({ authenticated: false, message: 'Session expired or invalid.' });
+  }
+
+  return res.json({ authenticated: true, session });
+});
+
+export default router;