harheimertc/server/api/auth/login.post.js
2025-10-21 11:35:02 +02:00


import { readUsers, writeUsers, verifyPassword, generateToken, createSession } from '../../utils/auth.js'
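/**
 * POST /api/auth/login — authenticates a user by e-mail and password.
 *
 * Request body: `{ email: string, password: string }`.
 * On success: creates a server-side session, sets the `auth_token` cookie
 * and returns `{ success: true, user: { id, email, name, role } }` — the
 * stored password hash is never included in the response.
 *
 * @throws 400 when email or password is missing or not a string
 * @throws 401 when the e-mail is unknown or the password does not match
 *             (identical message for both, so the response body does not
 *             reveal which accounts exist)
 * @throws 403 when the credentials are correct but the account has not
 *             been activated yet
 */
export default defineEventHandler(async (event) => {
  try {
    // readBody may resolve to null/undefined for an empty body; fall back to
    // an empty object so destructuring yields a 400 instead of a 500.
    const { email, password } = (await readBody(event)) ?? {}

    // Reject non-string values (numbers, objects, arrays) up front: they would
    // otherwise surface as a TypeError from toLowerCase() / verifyPassword()
    // and be reported as a 500.
    if (typeof email !== 'string' || typeof password !== 'string' || !email || !password) {
      throw createError({
        statusCode: 400,
        message: 'E-Mail und Passwort sind erforderlich'
      })
    }

    // Case-insensitive lookup; normalise the input once rather than per user.
    // A stored record without a string e-mail is skipped instead of crashing
    // the lookup for everyone.
    const normalizedEmail = email.toLowerCase()
    const users = await readUsers()
    const user = users.find(
      (u) => typeof u.email === 'string' && u.email.toLowerCase() === normalizedEmail
    )

    if (!user) {
      // NOTE(review): this path returns without calling verifyPassword(), so it
      // is faster than a wrong-password attempt; the response body is identical
      // but a timing difference between the two cases remains.
      throw createError({
        statusCode: 401,
        message: 'Ungültige Anmeldedaten'
      })
    }

    // Verify the password BEFORE disclosing account state: the 403 below is
    // only reachable with correct credentials, so an unauthenticated caller
    // cannot learn whether a given e-mail belongs to a pending account.
    const isValid = await verifyPassword(password, user.password)
    if (!isValid) {
      throw createError({
        statusCode: 401,
        message: 'Ungültige Anmeldedaten'
      })
    }

    if (user.active === false) {
      throw createError({
        statusCode: 403,
        message: 'Ihr Konto wurde noch nicht freigeschaltet. Bitte warten Sie auf die Bestätigung des Vorstands.'
      })
    }

    const token = generateToken(user)
    await createSession(user.id, token)

    // Record the login time. `user` is the very element inside `users`, so
    // the mutated array can be persisted as-is (no need to rebuild it).
    user.lastLogin = new Date().toISOString()
    await writeUsers(users)

    setCookie(event, 'auth_token', token, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 60 * 60 * 24 * 7 // 7 days
    })

    // Only a whitelisted projection of the record goes back to the client;
    // the password hash and any other stored fields stay server-side.
    const { id, name, role } = user
    return {
      success: true,
      user: { id, email: user.email, name, role }
    }
  } catch (error) {
    console.error('Login-Fehler:', error)
    throw error
  }
})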