[PK-26] BE-2 Auth: register/login/logout/me + guest→user session migracia #9
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "agent/be-dev/27430433"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
BE-2 Auth: register/login/logout/me + guest→user session migrácia.
Issue: PK-26
Merge order: BE-2 → FE-4 → FE-5
- POST /api/auth/register — validacia, bcrypt cost 12, unique email (409 dup), vytvori usera s rolou customer, migrate guest session → user (anti session-fixation token rotation), 201 + cookie. - POST /api/auth/login — validacia, sliding-window rate-limit 5/IP/60s (per-IP), bcrypt verify, 401 s jednou hlaskou (nezbieranie user enumeration), pri uspechu migrate session. - POST /api/auth/logout — idempotent, vymaze Session row + zhasne cookie. - GET /api/auth/me — vrati user payload alebo { guest: true }; bootstrap aj pre guest-a (vytvori session ak chyba). - lib/auth.ts — hand-rolled validatory (rovnaky styl ako checkoutValidation), bcrypt utility, migrateSessionToUser/clearSessionUser, createUser. - lib/rateLimit.ts — Map-based sliding window per-IP (login singleton). - lib/adminGuard.ts — requireAdmin helper (401/403, pre BE-7/BE-8). - lib/session.ts — pridane setSessionCookie + clearSessionCookie pre cookie rotation a logout. - .env.example — pridany SESSION_SECRET (separatny od CHECKOUT_SECRET). - tests/auth.test.ts — 22 testov: register OK/dup/validacia, login OK/401/ rate-limit/case-insensitive, /me s/bez session, guest→user cart preservation, admin guard 401/403/ok, logout flow. Cart sa zachovava: register/login drzi rovnaky Session.id, len rotuje token a naviaze userId. Cart.sessionId zostava platny ⇒ kosik prezije login bez merge. Co-authored-by: multica-agent <github@multica.ai>