2f2dfa86df
Verifies bcrypt password hash, mints a session token, stores its sha256 in the sessions table, and returns the token in both the response body (for Flutter) and an httpOnly/SameSite=Strict cookie (for the web SPA). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
27 lines
856 B
Go
27 lines
856 B
Go
package api
|
|
|
|
import "github.com/jackc/pgx/v5/pgtype"
|
|
|
|
// LoginRequest is the POST /api/auth/login body. Kept boring on purpose —
|
|
// web and Flutter both send the same payload.
|
|
type LoginRequest struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// LoginResponse carries the opaque session token AND the authenticated user
|
|
// so the SPA can hydrate its auth store in one round-trip. The token is also
|
|
// set as a cookie; SPAs ignore the body token, Flutter uses it as bearer.
|
|
type LoginResponse struct {
|
|
Token string `json:"token"`
|
|
User UserView `json:"user"`
|
|
}
|
|
|
|
// UserView is the /api/* view of a user. Narrower than dbq.User — no hash,
|
|
// no api_token, no subsonic_password.
|
|
type UserView struct {
|
|
ID pgtype.UUID `json:"id"`
|
|
Username string `json:"username"`
|
|
IsAdmin bool `json:"is_admin"`
|
|
}
|