makearmy-app/app/api/auth/login/route.ts

// app/api/auth/login/route.ts
import { NextRequest, NextResponse } from "next/server";
import { emailForUsername, loginDirectus } from "@/lib/directus";

export const runtime = "nodejs";

const secure = process.env.NODE_ENV === "production";

/**
 * Accepts any of:
 *  - { identifier: string, password: string }   // email OR username in `identifier`
 *  - { email: string, password: string }
 *  - { username: string, password: string }
 *
 * On success: sets HttpOnly "ma_at" cookie and returns { ok: true }.
 */
export async function POST(req: NextRequest) {
    try {
        const body = await req.json().catch(() => ({} as any));
        const password = String(body?.password ?? "").trim();
        let identifier = String(
            body?.identifier ?? body?.email ?? body?.username ?? ""
        ).trim();

        if (!identifier || !password) {
            return NextResponse.json({ error: "Missing credentials" }, { status: 400 });
        }

        // Resolve to an email for Directus login:
        // - If identifier looks like an email, use it directly.
        // - Otherwise treat it as a username and look up the email.
        let email = identifier.includes("@") ? identifier : null;
        if (!email) {
            email = await emailForUsername(identifier);
            if (!email) {
                return NextResponse.json({ error: "User not found" }, { status: 404 });
            }
        }

        // Login against Directus; helper returns { access_token, expires } (root or .data)
        const data = await loginDirectus(email, password);

        const access =
        data?.access_token ?? data?.data?.access_token ?? null;
        const expiresSec =
        data?.expires ?? data?.data?.expires ?? null;

        if (!access) {
            return NextResponse.json(
                { error: "Invalid response from auth provider" },
                { status: 502 }
            );
        }

        const res = NextResponse.json({ ok: true });

        // Use provider TTL if present, else fallback to 8h
        const maxAge =
        typeof expiresSec === "number" ? Math.max(0, Math.floor(expiresSec)) : 60 * 60 * 8;

        res.cookies.set({
            name: "ma_at",
            value: access,
            httpOnly: true,
            sameSite: "lax",
            secure,
            path: "/",
            maxAge,
        });

        return res;
    } catch (err: any) {
        const message =
        err?.response?.data?.errors?.[0]?.message ||
        err?.response?.data?.error ||
        err?.message ||
        "Login failed";
            const status = /unauth|invalid|credential/i.test(message) ? 401 : 400;
            return NextResponse.json({ error: message }, { status });
    }
}