98 lines
3.1 KiB
TypeScript
98 lines
3.1 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import type { NextRequest } from "next/server";
|
|
import { handlers } from "@/src/lib/auth";
|
|
import { isRateLimited, registerFailedAttempt, resetAttempts } from "@/src/lib/rate-limit";
|
|
|
|
export const dynamic = 'force-dynamic';
|
|
|
|
export const { GET } = handlers;
|
|
|
|
function getClientIp(request: NextRequest): string {
|
|
// Get client IP from headers
|
|
// In production, ensure your reverse proxy (Caddy) sets these headers correctly
|
|
const forwarded = request.headers.get("x-forwarded-for");
|
|
if (forwarded) {
|
|
const parts = forwarded.split(",");
|
|
return parts[parts.length - 1]?.trim() || "unknown";
|
|
}
|
|
const real = request.headers.get("x-real-ip");
|
|
if (real) {
|
|
return real.trim();
|
|
}
|
|
return "unknown";
|
|
}
|
|
|
|
function buildRateLimitKey(ip: string, username: string) {
|
|
const normalizedUsername = username.trim().toLowerCase() || "unknown";
|
|
return `login:${ip}:${normalizedUsername}`;
|
|
}
|
|
|
|
function buildBlockedResponse(retryAfterMs?: number) {
|
|
const retryAfterSeconds = retryAfterMs ? Math.ceil(retryAfterMs / 1000) : 60;
|
|
const retryAfterMinutes = Math.max(1, Math.ceil(retryAfterSeconds / 60));
|
|
return NextResponse.json(
|
|
{
|
|
error: `Too many login attempts. Try again in about ${retryAfterMinutes} minute${retryAfterMinutes === 1 ? "" : "s"}.`
|
|
},
|
|
{
|
|
status: 429,
|
|
headers: {
|
|
"Retry-After": retryAfterSeconds.toString()
|
|
}
|
|
}
|
|
);
|
|
}
|
|
|
|
export async function POST(request: NextRequest) {
|
|
const formData = await request.clone().formData();
|
|
const username = String(formData.get("username") ?? "");
|
|
const ip = getClientIp(request);
|
|
const rateLimitKey = buildRateLimitKey(ip, username);
|
|
|
|
const limitation = isRateLimited(rateLimitKey);
|
|
if (limitation.blocked) {
|
|
return buildBlockedResponse(limitation.retryAfterMs);
|
|
}
|
|
|
|
const response = await handlers.POST(request);
|
|
|
|
// Determine success/failure by inspecting redirect destination, not status code.
|
|
// Auth.js returns 302 (direct form) or 200+JSON (X-Auth-Return-Redirect) on both
|
|
// success and failure — the error is signaled by the destination URL containing "error=".
|
|
const isFailure = await isAuthFailureResponse(response);
|
|
|
|
if (isFailure) {
|
|
const result = registerFailedAttempt(rateLimitKey);
|
|
if (result.blocked) {
|
|
return buildBlockedResponse(result.retryAfterMs);
|
|
}
|
|
} else {
|
|
resetAttempts(rateLimitKey);
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
async function isAuthFailureResponse(response: Response): Promise<boolean> {
|
|
// Redirect case: Auth.js sets Location header
|
|
const location = response.headers.get("location");
|
|
if (location) {
|
|
return location.includes("error=");
|
|
}
|
|
// JSON case (X-Auth-Return-Redirect: 1): body is {"url": "..."}
|
|
const contentType = response.headers.get("content-type") ?? "";
|
|
if (response.status === 200 && contentType.includes("application/json")) {
|
|
try {
|
|
const cloned = response.clone();
|
|
const body = await cloned.json() as { url?: string };
|
|
if (typeof body.url === "string") {
|
|
return body.url.includes("error=");
|
|
}
|
|
} catch {
|
|
// ignore parse errors
|
|
}
|
|
}
|
|
// Any 4xx/5xx is a failure
|
|
return response.status >= 400;
|
|
}
|