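// app/api/auth/login/route.ts
import { NextRequest, NextResponse } from "next/server";
import { loginDirectus } from "@/lib/directus";

export const runtime = "nodejs";

/** Only mark the cookie Secure in production so local http:// development still works. */
const secure = process.env.NODE_ENV === "production";

/** Name of the HttpOnly cookie that carries the access token. */
const COOKIE_NAME = "ma_at";

/** Fallback cookie lifetime in seconds when the provider reports no usable `expires`. */
const DEFAULT_MAX_AGE_SEC = 60 * 60 * 8;

/**
 * Narrows an arbitrary value to a plain object record, or null.
 * Arrays and primitives are rejected so property lookups stay meaningful.
 */
function asRecord(value: unknown): Record<string, unknown> | null {
  return value !== null && typeof value === "object" && !Array.isArray(value)
    ? (value as Record<string, unknown>)
    : null;
}

/**
 * Returns the first of `keys` in `source` that holds a string or finite number,
 * as a trimmed string. Objects/arrays/booleans are skipped rather than coerced,
 * so a malformed body can no longer yield "[object Object]" as a credential.
 */
function readField(source: Record<string, unknown>, ...keys: string[]): string {
  for (const key of keys) {
    const value = source[key];
    if (typeof value === "string") return value.trim();
    if (typeof value === "number" && Number.isFinite(value)) return String(value);
  }
  return "";
}

/**
 * Extracts a human-readable message from a thrown value.
 * Preference order matches the previous behaviour: upstream `response.data.error`,
 * then the error's own `message`, then a generic fallback.
 */
function errorMessage(err: unknown): string {
  const rec = asRecord(err);
  const upstream = asRecord(asRecord(rec?.response)?.data)?.error;
  if (typeof upstream === "string" && upstream) return upstream;
  if (err instanceof Error && err.message) return err.message;
  const own = rec?.message;
  if (typeof own === "string" && own) return own;
  return "Login failed";
}

/**
 * Accepts any of:
 * - { identifier: string, password: string } // email OR username in `identifier`
 * - { email: string, password: string }
 * - { username: string, password: string }
 *
 * On success: sets HttpOnly "ma_at" cookie and returns { ok: true }.
 *
 * @param req - incoming request; body is parsed as JSON and treated as untrusted.
 * @returns 400 on missing credentials, 502 when the provider returns no token,
 *   401/400 on a thrown error (401 when the message looks like an auth failure).
 */
export async function POST(req: NextRequest) {
  try {
    // A non-JSON or non-object body is treated as empty rather than throwing.
    const raw: unknown = await req.json().catch(() => null);
    const body = asRecord(raw) ?? {};

    // NOTE(review): the password is trimmed, so credentials with leading/trailing
    // whitespace cannot be used — confirm this is intended before relying on it.
    const password = readField(body, "password");
    const identifier = readField(body, "identifier", "email", "username");

    if (!identifier || !password) {
      return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
    }

    // Directus accepts username in the "email" field for /auth/login
    const data: unknown = await loginDirectus(identifier, password);

    // The token may be at the top level or nested under `data`; accept either.
    const outer = asRecord(data) ?? {};
    const inner = asRecord(outer.data) ?? {};
    const accessRaw = outer.access_token ?? inner.access_token;
    const access = typeof accessRaw === "string" && accessRaw.length > 0 ? accessRaw : null;
    const expiresRaw = outer.expires ?? inner.expires;

    if (!access) {
      return NextResponse.json(
        { error: "Invalid response from auth provider" },
        { status: 502 }
      );
    }

    const res = NextResponse.json({ ok: true });

    // Max-Age from the provider if it is a finite number; else fall back to 8h.
    // Non-finite values (NaN/Infinity) would otherwise produce an invalid Max-Age.
    // NOTE(review): `expires` is treated as seconds here; if the provider reports
    // milliseconds, the cookie lifetime would be ~1000x too long — confirm against loginDirectus.
    const maxAge =
      typeof expiresRaw === "number" && Number.isFinite(expiresRaw)
        ? Math.max(0, Math.floor(expiresRaw))
        : DEFAULT_MAX_AGE_SEC;

    res.cookies.set({
      name: COOKIE_NAME,
      value: access,
      httpOnly: true,
      sameSite: "lax",
      secure,
      path: "/",
      maxAge,
    });

    return res;
  } catch (err: unknown) {
    // NOTE(review): the provider's error text is echoed to the client as-is;
    // if it can carry internal detail, log it server-side and return a generic message.
    const message = errorMessage(err);
    const status = /unauth|invalid|credentials/i.test(message) ? 401 : 400;
    return NextResponse.json({ error: message }, { status });
  }
}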