feat: login page, session management, auth API routes en proxy guard

- lib/session.ts: token generatie, SHA-256 hashing, createSession/getCurrentUser/invalidateSession - app/api/auth/login: bcrypt verificatie, session aanmaken, ops_session cookie (httpOnly, sameSite=strict, 24h TTL), rate-limit 5/min per IP - app/api/auth/logout: session invalideren en cookie verwijderen - app/login/page.tsx: login form (client component) - proxy.ts: route-protectie – redirect naar /login zonder sessie (middleware.ts is deprecated in Next.js 16) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 17:10:07 +02:00 · 2026-05-13 17:10:07 +02:00 · be05724de0
commit be05724de0
parent cce0f25419
5 changed files with 250 additions and 0 deletions
--- a/app/api/auth/login/route.ts
+++ b/app/api/auth/login/route.ts
@ -0,0 +1,62 @@
+import { NextRequest, NextResponse } from 'next/server'
+import bcrypt from 'bcryptjs'
+import { prisma } from '@/lib/prisma'
+import { generateSessionToken, createSession } from '@/lib/session'
+
+const loginAttempts = new Map<string, number[]>()
+const MAX_ATTEMPTS = 5
+const WINDOW_MS = 60_000
+
+function isRateLimited(ip: string): boolean {
+  const now = Date.now()
+  const attempts = (loginAttempts.get(ip) ?? []).filter((t) => now - t < WINDOW_MS)
+  attempts.push(now)
+  loginAttempts.set(ip, attempts)
+  return attempts.length > MAX_ATTEMPTS
+}
+
+export async function POST(request: NextRequest) {
+  const ip =
+    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown'
+
+  if (isRateLimited(ip)) {
+    return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
+  }
+
+  let email: string, password: string
+  try {
+    const body = await request.json()
+    email = (body.email ?? '').trim()
+    password = body.password ?? ''
+  } catch {
+    return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+  }
+
+  if (!email || !password) {
+    return NextResponse.json(
+      { error: 'Email and password are required' },
+      { status: 400 }
+    )
+  }
+
+  const user = await prisma.user.findUnique({ where: { email } })
+  const validPassword =
+    user != null && (await bcrypt.compare(password, user.pwd_hash))
+
+  if (!user || !validPassword) {
+    return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 })
+  }
+
+  const token = generateSessionToken()
+  await createSession(user.id, token)
+
+  const response = NextResponse.json({ success: true })
+  response.cookies.set('ops_session', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: 60 * 60 * 24,
+    path: '/',
+  })
+  return response
+}
--- a/app/api/auth/logout/route.ts
+++ b/app/api/auth/logout/route.ts
@ -0,0 +1,16 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { cookies } from 'next/headers'
+import { invalidateSession } from '@/lib/session'
+
+export async function POST(_request: NextRequest) {
+  const cookieStore = await cookies()
+  const token = cookieStore.get('ops_session')?.value
+
+  if (token) {
+    await invalidateSession(token)
+  }
+
+  const response = NextResponse.json({ success: true })
+  response.cookies.delete('ops_session')
+  return response
+}
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@ -0,0 +1,97 @@
+'use client'
+
+import { useState } from 'react'
+import { useRouter } from 'next/navigation'
+import { Button } from '@/components/ui/button'
+
+export default function LoginPage() {
+  const router = useRouter()
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    setError('')
+    setLoading(true)
+
+    try {
+      const res = await fetch('/api/auth/login', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email, password }),
+      })
+
+      if (res.ok) {
+        router.push('/')
+        router.refresh()
+      } else {
+        const data = await res.json()
+        setError(data.error ?? 'Login failed')
+      }
+    } catch {
+      setError('Network error, please try again')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className="flex min-h-full items-center justify-center bg-zinc-50 dark:bg-zinc-950">
+      <div className="w-full max-w-sm rounded-xl border border-zinc-200 bg-white p-8 shadow-sm dark:border-zinc-800 dark:bg-zinc-900">
+        <h1 className="mb-6 text-xl font-semibold text-zinc-900 dark:text-zinc-50">
+          Ops Dashboard
+        </h1>
+
+        <form onSubmit={handleSubmit} className="flex flex-col gap-4">
+          <div className="flex flex-col gap-1.5">
+            <label
+              htmlFor="email"
+              className="text-sm font-medium text-zinc-700 dark:text-zinc-300"
+            >
+              Email
+            </label>
+            <input
+              id="email"
+              type="email"
+              autoComplete="email"
+              required
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              className="rounded-lg border border-zinc-300 bg-white px-3 py-2 text-sm text-zinc-900 outline-none placeholder:text-zinc-400 focus:border-zinc-500 focus:ring-2 focus:ring-zinc-500/20 dark:border-zinc-700 dark:bg-zinc-800 dark:text-zinc-50 dark:placeholder:text-zinc-500 dark:focus:border-zinc-400"
+              placeholder="admin@example.com"
+            />
+          </div>
+
+          <div className="flex flex-col gap-1.5">
+            <label
+              htmlFor="password"
+              className="text-sm font-medium text-zinc-700 dark:text-zinc-300"
+            >
+              Password
+            </label>
+            <input
+              id="password"
+              type="password"
+              autoComplete="current-password"
+              required
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              className="rounded-lg border border-zinc-300 bg-white px-3 py-2 text-sm text-zinc-900 outline-none placeholder:text-zinc-400 focus:border-zinc-500 focus:ring-2 focus:ring-zinc-500/20 dark:border-zinc-700 dark:bg-zinc-800 dark:text-zinc-50 dark:placeholder:text-zinc-500 dark:focus:border-zinc-400"
+              placeholder="••••••••"
+            />
+          </div>
+
+          {error && (
+            <p className="text-sm text-red-600 dark:text-red-400">{error}</p>
+          )}
+
+          <Button type="submit" disabled={loading} className="mt-2 w-full">
+            {loading ? 'Signing in…' : 'Sign in'}
+          </Button>
+        </form>
+      </div>
+    </div>
+  )
+}