feat: implement auth system, passkeys, and user management

Add PostgreSQL and Redis integration for users and sessions Implement password and WebAuthn passkey login flows Add Docker stack, super-admin seeding, and protected routes
2026-04-12 20:16:43 +08:00
parent a649c509c2
commit 377a9617be
45 changed files with 3620 additions and 104 deletions
--- a/server/api/auth/login.post.ts
+++ b/server/api/auth/login.post.ts
@@ -0,0 +1,46 @@
+import { verifyPassword } from '../../utils/password'
+import { normalizeUsername, signInUser } from '../../utils/auth'
+import { getUserByUsername } from '../../utils/user-repository'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody<{
+    username?: string
+    password?: string
+    remember?: boolean
+  }>(event)
+
+  const username = normalizeUsername(body.username || '')
+  const password = body.password?.trim() || ''
+  const remember = body.remember !== false
+
+  if (!username || !password) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Username and password are required'
+    })
+  }
+
+  const user = await getUserByUsername(username)
+
+  if (!user || !user.isActive) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Invalid username or password'
+    })
+  }
+
+  const passwordMatches = await verifyPassword(password, user.passwordHash)
+
+  if (!passwordMatches) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Invalid username or password'
+    })
+  }
+
+  const authenticatedUser = await signInUser(event, user, remember)
+
+  return {
+    user: authenticatedUser
+  }
+})