updated auth routes to use sessions and "httpOnly" cookies

2026-02-08 10:33:01 +00:00 · 2026-01-09 05:33:36 +00:00
parent 89b38a4aa3
commit f90ddc2e4c
6 changed files with 104 additions and 30 deletions
--- a/packages/backend/src/routes/auth/login.ts
+++ b/packages/backend/src/routes/auth/login.ts
@@ -1,6 +1,6 @@
 import type { BunRequest } from "bun";
-import { generateToken, verifyPassword } from "../../auth/utils";
-import { getUserByUsername } from "../../db/queries";
+import { buildAuthCookie, generateToken, verifyPassword } from "../../auth/utils";
+import { createSession, getUserByUsername } from "../../db/queries";

 const isNonEmptyString = (value: unknown): value is string =>
    typeof value === "string" && value.trim().length > 0;
@@ -37,10 +37,24 @@ export default async function login(req: BunRequest) {
        return new Response("invalid credentials", { status: 401 });
    }

-    const token = generateToken(user.id);
+    const session = await createSession(user.id);
+    if (!session) {
+        return new Response("failed to create session", { status: 500 });
+    }

-    return Response.json({
-        user: { id: user.id, name: user.name, username: user.username },
-        token,
-    });
+    const token = generateToken(session.id, user.id);
+
+    return new Response(
+        JSON.stringify({
+            user: { id: user.id, name: user.name, username: user.username, avatarURL: user.avatarURL },
+            csrfToken: session.csrfToken,
+        }),
+        {
+            status: 200,
+            headers: {
+                "Content-Type": "application/json",
+                "Set-Cookie": buildAuthCookie(token),
+            },
+        },
+    );
 }