fifteen/apps/web/app/api/admin/login/route.ts

import { NextRequest, NextResponse } from "next/server";
import { createSession, makeSessionCookie } from "@/lib/admin-auth";
import { checkRateLimit, verifyPassword } from "@/lib/rate-limit";

export const runtime = "nodejs";

export async function POST(req: NextRequest) {
  const ip =
    req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";

  const { allowed, remaining } = await checkRateLimit(ip);
  if (!allowed) {
    return NextResponse.json(
      { error: "Too many login attempts. Try again later." },
      {
        status: 429,
        headers: { "Retry-After": "900", "X-RateLimit-Remaining": "0" },
      },
    );
  }

  let password: string;
  try {
    const body = await req.json();
    password = body.password ?? "";
  } catch {
    return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
  }

  const valid = await verifyPassword(password);
  if (!valid) {
    return NextResponse.json(
      { error: "Invalid password", remainingAttempts: remaining },
      { status: 401 },
    );
  }

  const token = await createSession(ip);
  const secure = req.nextUrl.protocol === "https:";
  const cookie = makeSessionCookie(token, secure);

  const res = NextResponse.json({ ok: true });
  res.headers.set("Set-Cookie", cookie);
  return res;
}