import { randomBytes } from 'node:crypto';
import jwt from 'jsonwebtoken';
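// HS256 signing key, resolved once at module load.
//
// A hard-coded fallback is deliberately NOT used: a default secret that ships
// in the source is public, and anyone who has read it can mint tokens that
// verifyToken accepts. Instead:
//   - production: JWT_SECRET is mandatory; fail at startup rather than run
//     with forgeable sessions.
//   - otherwise:  fall back to a random per-process key, so tokens still
//     cannot be forged but do not survive a restart or work across instances
//     (set JWT_SECRET to get stable sessions in dev too).
// Generate the value with something like `openssl rand -hex 32`; an HS256 key
// should be at least 32 random bytes.
const SECRET = (() => {
  const fromEnv = process.env.JWT_SECRET;
  if (typeof fromEnv === 'string' && fromEnv.length > 0) return fromEnv;
  if (process.env.NODE_ENV === 'production') {
    throw new Error('JWT_SECRET must be set in production');
  }
  return randomBytes(32).toString('hex');
})();

// Token lifetime handed to jwt.sign as `expiresIn` (duration-string format).
const EXPIRY = '8h';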
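/**
 * Issue a signed, expiring session token for `user`.
 *
 * The payload carries `id`, `username` and `role` as plain (signed, not
 * encrypted) claims: anyone holding the token can read them, so nothing
 * sensitive belongs in it. `role` is a snapshot taken at sign time — a later
 * change to the user's role does not affect an already-issued token until it
 * expires (EXPIRY), so revoke/rotate if that matters for a given route.
 *
 * @param {{id: *, username: string, role: string}} user - authenticated user record
 * @returns {string} compact JWS, HS256 over SECRET, expiring after EXPIRY
 */
export function signToken(user) {
  const { id, username, role } = user;
  return jwt.sign({ id, username, role }, SECRET, {
    // Pinned explicitly so the algorithm is part of this module's contract
    // rather than the library default; verification must accept only HS256.
    algorithm: 'HS256',
    expiresIn: EXPIRY,
  });
}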
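/**
 * Verify a token minted by signToken and return its claims, or `null`.
 *
 * Only HS256 is accepted. Pinning `algorithms` is what prevents
 * algorithm-confusion attacks, where a client-chosen `alg` header makes the
 * verifier use SECRET in a way it was never meant for; never let the token
 * decide how it is verified. jwt.verify checks the signature and the `exp` /
 * `nbf` claims; signToken sets no issuer or audience, so none are checked.
 *
 * @param {unknown} token - compact JWS taken from a header or cookie
 * @returns {object|null} decoded payload (id, username, role, iat, exp) or
 *   `null` when the token is missing, malformed, tampered with or expired
 */
export function verifyToken(token) {
  // jwt.verify would reject non-strings anyway; checking up front keeps the
  // contract obvious and avoids relying on the library's error path.
  if (typeof token !== 'string' || token === '') return null;
  try {
    return jwt.verify(token, SECRET, { algorithms: ['HS256'] });
  } catch {
    // Expired, tampered and malformed tokens all collapse to "not
    // authenticated"; the caller answers 401 and the reason is not leaked.
    return null;
  }
}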
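/**
 * Express middleware: require a valid session token.
 *
 * The token is taken from `Authorization: Bearer <token>` (scheme matched
 * case-insensitively, as RFC 6750 allows) or, when no usable header is
 * present, from the `nn_token` cookie. On success `req.user` is set to the
 * verified claims and the chain continues; otherwise the request ends with
 * `401 {"error":"unauthorized"}` and nothing else runs.
 *
 * NOTE(review): because the cookie path lets the browser attach the token
 * automatically, state-changing routes behind this middleware are exposed to
 * CSRF unless the cookie is set with `SameSite` and/or a CSRF token is
 * checked; neither is done here — confirm it is handled where `nn_token` is
 * issued.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
export function requireAuth(req, res, next) {
  const header = req.get('authorization') ?? '';
  // Accept `Bearer`/`bearer`/… with any run of whitespace before the token;
  // an empty credential ("Bearer ") does not match and falls back to the cookie.
  const bearerMatch = /^Bearer\s+(\S+)\s*$/i.exec(header);
  const fromHeader = bearerMatch ? bearerMatch[1] : null;

  const fromCookie = req.cookies?.nn_token;
  const token =
    fromHeader ?? (typeof fromCookie === 'string' && fromCookie !== '' ? fromCookie : null);

  const payload = token === null ? null : verifyToken(token);
  if (!payload) {
    return res.status(401).json({ error: 'unauthorized' });
  }

  req.user = payload;
  return next();
}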