Merge pull request #41 from Dayz-tech-co/feature/auth-middleware-31

Feature/auth middleware 31

Author: SudiptaPaul-31

app/api/auth/logout/route.ts

@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server'
+import {
+  clearSessionCookies,
+  readRefreshToken,
+  revokeSession,
+} from '@/lib/auth/session'
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  try {
+    const refreshToken = readRefreshToken(request)
+    if (refreshToken) {
+      await revokeSession(refreshToken)
+    }
+
+    const response = NextResponse.json({ ok: true }, { status: 200 })
+    clearSessionCookies(response)
+    return response
+  } catch {
+    return NextResponse.json(
+      {
+        error: 'Failed to log out',
+        code: 'LOGOUT_FAILED',
+      },
+      { status: 500 }
+    )
+  }
+}

app/api/auth/me/route.ts

@@ -0,0 +1,12 @@
+import { NextResponse } from 'next/server'
+import { withAuth } from '@/lib/auth/middleware'
+
+export const GET = withAuth(async (_request, auth) => {
+  return NextResponse.json(
+    {
+      walletAddress: auth.walletAddress,
+      authenticated: true,
+    },
+    { status: 200 }
+  )
+})

app/api/auth/nonce/route.ts

@@ -0,0 +1,57 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { NONCE_TTL_SECONDS } from '@/lib/auth/constants'
+import { randomNonce, sha256Hex } from '@/lib/auth/crypto'
+import { saveNonce } from '@/lib/auth/store'
+import {
+  buildAuthMessage,
+  isValidStellarAddress,
+  normalizeWalletAddress,
+} from '@/lib/auth/stellar'
+
+interface NonceRequestBody {
+  walletAddress?: string
+}
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  try {
+    const body: NonceRequestBody = await request.json()
+    const walletAddress = body.walletAddress?.trim()
+
+    if (!walletAddress || !isValidStellarAddress(walletAddress)) {
+      return NextResponse.json(
+        {
+          error: 'Invalid wallet address',
+          code: 'INVALID_WALLET_ADDRESS',
+        },
+        { status: 400 }
+      )
+    }
+
+    const normalizedWallet = normalizeWalletAddress(walletAddress)
+    const nonce = randomNonce()
+    const expiresAt = new Date(Date.now() + NONCE_TTL_SECONDS * 1000)
+    await saveNonce({
+      walletAddress: normalizedWallet,
+      nonceHash: sha256Hex(nonce),
+      expiresAt,
+    })
+
+    return NextResponse.json(
+      {
+        walletAddress: normalizedWallet,
+        nonce,
+        message: buildAuthMessage(normalizedWallet, nonce),
+        expiresAt: expiresAt.toISOString(),
+      },
+      { status: 200 }
+    )
+  } catch {
+    return NextResponse.json(
+      {
+        error: 'Failed to create auth nonce',
+        code: 'NONCE_ISSUE_FAILED',
+      },
+      { status: 500 }
+    )
+  }
+}

app/api/auth/refresh/route.ts

@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from 'next/server'
+import {
+  readRefreshToken,
+  rotateSession,
+  setSessionCookies,
+} from '@/lib/auth/session'
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  try {
+    const refreshToken = readRefreshToken(request)
+    if (!refreshToken) {
+      return NextResponse.json(
+        {
+          error: 'Refresh token is required',
+          code: 'REFRESH_TOKEN_REQUIRED',
+        },
+        { status: 401 }
+      )
+    }
+
+    const session = await rotateSession(request, refreshToken)
+    if (!session) {
+      return NextResponse.json(
+        {
+          error: 'Invalid or expired refresh token',
+          code: 'INVALID_REFRESH_TOKEN',
+        },
+        { status: 401 }
+      )
+    }
+
+    const response = NextResponse.json(
+      {
+        walletAddress: session.walletAddress,
+        accessTokenExpiresAt: session.accessTokenExpiresAt.toISOString(),
+        refreshTokenExpiresAt: session.refreshTokenExpiresAt.toISOString(),
+      },
+      { status: 200 }
+    )
+    setSessionCookies(response, session)
+
+    return response
+  } catch {
+    return NextResponse.json(
+      {
+        error: 'Failed to refresh session',
+        code: 'SESSION_REFRESH_FAILED',
+      },
+      { status: 500 }
+    )
+  }
+}

app/api/auth/verify/route.ts

@@ -0,0 +1,125 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createSession, setSessionCookies } from '@/lib/auth/session'
+import { consumeNonce, hasActiveNonce } from '@/lib/auth/store'
+import { sha256Hex } from '@/lib/auth/crypto'
+import {
+  buildAuthMessage,
+  isValidStellarAddress,
+  normalizeWalletAddress,
+  verifyStellarSignature,
+} from '@/lib/auth/stellar'
+
+interface VerifyRequestBody {
+  walletAddress?: string
+  nonce?: string
+  signature?: string
+  message?: string
+}
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  try {
+    const body: VerifyRequestBody = await request.json()
+
+    const walletAddress = body.walletAddress?.trim()
+    const nonce = body.nonce?.trim()
+    const signature = body.signature?.trim()
+
+    if (!walletAddress || !nonce || !signature) {
+      return NextResponse.json(
+        {
+          error: 'Missing walletAddress, nonce, or signature',
+          code: 'INVALID_AUTH_PAYLOAD',
+        },
+        { status: 400 }
+      )
+    }
+
+    if (!isValidStellarAddress(walletAddress)) {
+      return NextResponse.json(
+        {
+          error: 'Invalid wallet address',
+          code: 'INVALID_WALLET_ADDRESS',
+        },
+        { status: 400 }
+      )
+    }
+
+    const normalizedWallet = normalizeWalletAddress(walletAddress)
+    const nonceHash = sha256Hex(nonce)
+    const expectedMessage = buildAuthMessage(normalizedWallet, nonce)
+
+    if (body.message && body.message !== expectedMessage) {
+      return NextResponse.json(
+        {
+          error: 'Signed message does not match expected format',
+          code: 'MESSAGE_MISMATCH',
+        },
+        { status: 400 }
+      )
+    }
+
+    const nonceIsValid = await hasActiveNonce({
+      walletAddress: normalizedWallet,
+      nonceHash,
+    })
+    if (!nonceIsValid) {
+      return NextResponse.json(
+        {
+          error: 'Nonce is invalid, expired, or already used',
+          code: 'INVALID_NONCE',
+        },
+        { status: 401 }
+      )
+    }
+
+    const signatureIsValid = verifyStellarSignature({
+      walletAddress: normalizedWallet,
+      message: expectedMessage,
+      signature,
+    })
+    if (!signatureIsValid) {
+      return NextResponse.json(
+        {
+          error: 'Invalid wallet signature',
+          code: 'INVALID_SIGNATURE',
+        },
+        { status: 401 }
+      )
+    }
+
+    const consumed = await consumeNonce({
+      walletAddress: normalizedWallet,
+      nonceHash,
+    })
+    if (!consumed) {
+      return NextResponse.json(
+        {
+          error: 'Nonce is invalid, expired, or already used',
+          code: 'INVALID_NONCE',
+        },
+        { status: 401 }
+      )
+    }
+
+    const session = await createSession(request, normalizedWallet)
+    const response = NextResponse.json(
+      {
+        walletAddress: normalizedWallet,
+        accessTokenExpiresAt: session.accessTokenExpiresAt.toISOString(),
+        refreshTokenExpiresAt: session.refreshTokenExpiresAt.toISOString(),
+      },
+      { status: 200 }
+    )
+    setSessionCookies(response, session)
+
+    return response
+  } catch {
+    return NextResponse.json(
+      {
+        error: 'Authentication failed',
+        code: 'AUTH_VERIFICATION_FAILED',
+      },
+      { status: 500 }
+    )
+  }
+}

app/layout.tsx

@@ -1,12 +1,8 @@
 import React from "react"
 import type { Metadata } from 'next'
-import { Geist, Geist_Mono } from 'next/font/google'
 import { Analytics } from '@vercel/analytics/next'
 import './globals.css'
 
-const _geist = Geist({ subsets: ["latin"] });
-const _geistMono = Geist_Mono({ subsets: ["latin"] });
-
 export const metadata: Metadata = {
   title: 'TaskChain',
   description: 'Web3-powered freelance marketplace with escrow-based payments on Stellar blockchain. Protect your work and payments with smart contract security.',

docs/pr-evidence/build.txt

@@ -1 +1,2 @@
-DATABASE_URL=your db url
+DATABASE_URL=your db url
+JWT_SECRET=replace_with_a_long_random_secret_min_32_chars

docs/pr-evidence/lint.txt

@@ -0,0 +1,6 @@
+export const ACCESS_TOKEN_COOKIE = 'tc_access_token'
+export const REFRESH_TOKEN_COOKIE = 'tc_refresh_token'
+
+export const ACCESS_TOKEN_TTL_SECONDS = 15 * 60
+export const REFRESH_TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60
+export const NONCE_TTL_SECONDS = 5 * 60