feat(api): POST /api/auth/login
Verifies bcrypt password hash, mints a session token, stores its sha256 in the sessions table, and returns the token in both the response body (for Flutter) and an httpOnly/SameSite=Strict cookie (for the web SPA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
package api
|
||||
|
||||
import "github.com/jackc/pgx/v5/pgtype"
|
||||
|
||||
// LoginRequest is the POST /api/auth/login body. Kept boring on purpose —
|
||||
// web and Flutter both send the same payload.
|
||||
type LoginRequest struct {
|
||||
Username string `json:"username"`
|
||||
Password string `json:"password"`
|
||||
}
|
||||
|
||||
// LoginResponse carries the opaque session token AND the authenticated user
|
||||
// so the SPA can hydrate its auth store in one round-trip. The token is also
|
||||
// set as a cookie; SPAs ignore the body token, Flutter uses it as bearer.
|
||||
type LoginResponse struct {
|
||||
Token string `json:"token"`
|
||||
User UserView `json:"user"`
|
||||
}
|
||||
|
||||
// UserView is the /api/* view of a user. Narrower than dbq.User — no hash,
|
||||
// no api_token, no subsonic_password.
|
||||
type UserView struct {
|
||||
ID pgtype.UUID `json:"id"`
|
||||
Username string `json:"username"`
|
||||
IsAdmin bool `json:"is_admin"`
|
||||
}
|
||||
Reference in New Issue
Block a user