feat: implement secure admin authentication system with JWT sessions, middleware protection, and Prisma schema initialization

2026-03-28 20:38:47 +07:00
parent 53da46def1
commit 0549f12a97
13 changed files with 1100 additions and 6 deletions
--- a/src/app/[locale]/admin/dashboard/page.tsx
+++ b/src/app/[locale]/admin/dashboard/page.tsx
@@ -0,0 +1,67 @@
+import { verifySession, clearSession } from "@/core/security/session";
+import { redirect } from "@/i18n/routing";
+import { getLocale } from "next-intl/server";
+import { LogOut } from "lucide-react";
+
+export default async function DashboardPage() {
+  const session = await verifySession();
+  const locale = await getLocale();
+
+  if (!session) {
+    redirect({ href: "/admin/login", locale });
+  }
+
+  return (
+    <div className="min-h-screen bg-muted/30">
+      {/* Navbar Minimal Dashboard */}
+      <header className="glass border-b border-border/50 sticky top-0 z-40">
+        <div className="max-w-7xl mx-auto px-6 py-4 flex items-center justify-between">
+          <div className="flex flex-col">
+            <h1 className="text-xl font-bold tracking-tight">Admin Dashboard</h1>
+            <span className="text-xs text-muted-foreground">{session.email}</span>
+          </div>
+          
+          <form action={async () => {
+            "use server";
+            await clearSession();
+            redirect({ href: "/admin/login", locale });
+          }}>
+            <button
+              type="submit"
+              className="flex items-center gap-2 px-4 py-2 text-sm font-medium text-error hover:bg-error/10 hover:border-error/30 border border-transparent rounded-lg transition-colors"
+            >
+              <LogOut size={16} />
+              Sign Out
+            </button>
+          </form>
+        </div>
+      </header>
+
+      {/* Main Content */}
+      <main className="max-w-7xl mx-auto px-6 py-12">
+        <div className="grid gap-6 md:grid-cols-3">
+          {/* Card: Projects */}
+          <div className="p-6 rounded-2xl bg-card border border-border/50 shadow-sm hover:shadow-md transition-shadow">
+            <h2 className="text-lg font-bold mb-2">Projects</h2>
+            <p className="text-sm text-muted-foreground mb-4">Manage portfolio projects and case studies.</p>
+            <div className="text-3xl font-mono font-bold text-accent">--</div>
+          </div>
+
+          {/* Card: Skills */}
+          <div className="p-6 rounded-2xl bg-card border border-border/50 shadow-sm hover:shadow-md transition-shadow">
+            <h2 className="text-lg font-bold mb-2">Tech Stack</h2>
+            <p className="text-sm text-muted-foreground mb-4">Update your skills and technical arsenal.</p>
+            <div className="text-3xl font-mono font-bold text-emerald-500">--</div>
+          </div>
+
+          {/* Card: Messages */}
+          <div className="p-6 rounded-2xl bg-card border border-border/50 shadow-sm hover:shadow-md transition-shadow relative overflow-hidden">
+            <h2 className="text-lg font-bold mb-2">Inbox</h2>
+            <p className="text-sm text-muted-foreground mb-4">Read messages from visitors.</p>
+            <div className="text-3xl font-mono font-bold text-blue-500">--</div>
+          </div>
+        </div>
+      </main>
+    </div>
+  );
+}
--- a/src/app/[locale]/admin/login/page.tsx
+++ b/src/app/[locale]/admin/login/page.tsx
@@ -0,0 +1,24 @@
+import { LoginForm } from "@/features/auth/login-form";
+import { verifySession } from "@/core/security/session";
+import { redirect } from "@/i18n/routing";
+import { getLocale } from "next-intl/server";
+
+export default async function LoginPage() {
+  const session = await verifySession();
+  const locale = await getLocale();
+
+  // If already logged in, redirect to dashboard
+  if (session) {
+    redirect({ href: "/admin/dashboard", locale });
+  }
+
+  return (
+    <div className="min-h-screen flex items-center justify-center relative p-6 bg-muted/30">
+      <div className="absolute inset-0 grid-pattern opacity-20" />
+      
+      <div className="relative z-10 w-full">
+        <LoginForm />
+      </div>
+    </div>
+  );
+}
--- a/src/core/db/prisma.ts
+++ b/src/core/db/prisma.ts
@@ -0,0 +1,13 @@
+import { PrismaClient } from "@prisma/client";
+
+const prismaClientSingleton = () => {
+  return new PrismaClient();
+};
+
+declare global {
+  var prismaGlobal: undefined | ReturnType<typeof prismaClientSingleton>;
+}
+
+export const prisma = globalThis.prismaGlobal ?? prismaClientSingleton();
+
+if (process.env.NODE_ENV !== "production") globalThis.prismaGlobal = prisma;
--- a/src/core/security/session.ts
+++ b/src/core/security/session.ts
@@ -0,0 +1,54 @@
+import { jwtVerify, SignJWT } from "jose";
+import { cookies } from "next/headers";
+
+const secretKey = process.env.JWT_SECRET || "fallback-secret-for-development";
+const key = new TextEncoder().encode(secretKey);
+
+export const SESSION_COOKIE = "ando_admin_session";
+
+export async function encrypt(payload: any) {
+  return await new SignJWT(payload)
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt()
+    .setExpirationTime("24h") // 1 day session
+    .sign(key);
+}
+
+export async function decrypt(input: string): Promise<any> {
+  try {
+    const { payload } = await jwtVerify(input, key, {
+      algorithms: ["HS256"],
+    });
+    return payload;
+  } catch (error) {
+    return null;
+  }
+}
+
+export async function createSession(userId: string, email: string) {
+  const expires = new Date(Date.now() + 24 * 60 * 60 * 1000);
+  const session = await encrypt({ userId, email, expires });
+
+  const cookieStore = await cookies();
+  cookieStore.set(SESSION_COOKIE, session, {
+    expires,
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+  });
+}
+
+export async function clearSession() {
+  const cookieStore = await cookies();
+  cookieStore.delete(SESSION_COOKIE);
+}
+
+export async function verifySession() {
+  const cookieStore = await cookies();
+  const session = cookieStore.get(SESSION_COOKIE)?.value;
+
+  if (!session) return null;
+
+  return await decrypt(session);
+}
--- a/src/features/auth/actions.ts
+++ b/src/features/auth/actions.ts
@@ -0,0 +1,48 @@
+"use server";
+
+import { prisma } from "@/core/db/prisma";
+import { createSession } from "@/core/security/session";
+import { loginSchema, LoginFormValues } from "./login-schema";
+import { compare } from "bcryptjs";
+import { getLocale } from "next-intl/server";
+
+export type ActionResponse = {
+  success: boolean;
+  message?: string;
+};
+
+export async function loginAction(data: LoginFormValues): Promise<ActionResponse> {
+  try {
+    // 1. Validate Input
+    const validatedData = loginSchema.safeParse(data);
+    if (!validatedData.success) {
+      return { success: false, message: "Invalid credentials format" };
+    }
+
+    const { email, password } = validatedData.data;
+
+    // 2. Find User
+    const user = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    if (!user) {
+      return { success: false, message: "Invalid email or password" };
+    }
+
+    // 3. Verify Password
+    const passwordMatch = await compare(password, user.passwordHash);
+
+    if (!passwordMatch) {
+      return { success: false, message: "Invalid email or password" };
+    }
+
+    // 4. Create Session Cookie
+    await createSession(user.id, user.email);
+
+    return { success: true };
+  } catch (error) {
+    console.error("Login failed:", error);
+    return { success: false, message: "An unexpected error occurred" };
+  }
+}
--- a/src/features/auth/login-form.tsx
+++ b/src/features/auth/login-form.tsx
@@ -0,0 +1,92 @@
+"use client";
+
+import { useState } from "react";
+import { loginAction } from "./actions";
+import { useRouter } from "@/i18n/routing";
+import { Lock, Mail, Loader2 } from "lucide-react";
+
+export function LoginForm() {
+  const router = useRouter();
+  const [error, setError] = useState<string | null>(null);
+  const [loading, setLoading] = useState(false);
+
+  async function handleSubmit(e: React.FormEvent<HTMLFormElement>) {
+    e.preventDefault();
+    setError(null);
+    setLoading(true);
+
+    const formData = new FormData(e.currentTarget);
+    const email = formData.get("email") as string;
+    const password = formData.get("password") as string;
+
+    const res = await loginAction({ email, password });
+
+    if (!res.success) {
+      setError(res.message || "Failed to login");
+      setLoading(false);
+    } else {
+      // Successfully authenticated, redirect to dashboard
+      router.push("/admin/dashboard");
+    }
+  }
+
+  return (
+    <div className="w-full max-w-sm mx-auto p-8 rounded-2xl bg-card border border-border/50 shadow-2xl glass relative overflow-hidden">
+      <div className="absolute top-0 inset-x-0 h-1 bg-gradient-to-r from-accent via-purple-500 to-accent" />
+      
+      <div className="text-center mb-8">
+        <div className="w-12 h-12 rounded-xl bg-accent/10 flex items-center justify-center mx-auto mb-4 border border-accent/20">
+          <Lock size={20} className="text-accent" />
+        </div>
+        <h1 className="text-2xl font-bold tracking-tight">Admin Portal</h1>
+        <p className="text-sm text-muted-foreground mt-2">
+          Sign in to manage your portfolio
+        </p>
+      </div>
+
+      <form onSubmit={handleSubmit} className="space-y-5">
+        {error && (
+          <div className="p-3 rounded-lg bg-error/10 border border-error/20 text-error text-sm text-center font-medium">
+            {error}
+          </div>
+        )}
+
+        <div className="space-y-4">
+          <div className="relative">
+            <Mail size={16} className="absolute left-3.5 top-1/2 -translate-y-1/2 text-muted-foreground" />
+            <input
+              name="email"
+              type="email"
+              placeholder="admin@ando.dev"
+              required
+              className="w-full pl-10 pr-4 py-3 rounded-xl bg-muted/50 border border-border/50 text-sm focus:outline-none focus:ring-2 focus:ring-accent/50 transition-all font-mono"
+            />
+          </div>
+          
+          <div className="relative">
+            <Lock size={16} className="absolute left-3.5 top-1/2 -translate-y-1/2 text-muted-foreground" />
+            <input
+              name="password"
+              type="password"
+              placeholder="••••••••"
+              required
+              className="w-full pl-10 pr-4 py-3 rounded-xl bg-muted/50 border border-border/50 text-sm focus:outline-none focus:ring-2 focus:ring-accent/50 transition-all font-mono"
+            />
+          </div>
+        </div>
+
+        <button
+          type="submit"
+          disabled={loading}
+          className="w-full flex items-center justify-center gap-2 py-3 rounded-xl bg-foreground text-background font-semibold text-sm hover:opacity-90 transition-opacity disabled:opacity-50 disabled:cursor-not-allowed"
+        >
+          {loading ? (
+            <Loader2 size={16} className="animate-spin" />
+          ) : (
+            "Sign In to Dashboard"
+          )}
+        </button>
+      </form>
+    </div>
+  );
+}
--- a/src/features/auth/login-schema.ts
+++ b/src/features/auth/login-schema.ts
@@ -0,0 +1,8 @@
+import { z } from "zod";
+
+export const loginSchema = z.object({
+  email: z.string().email({ message: "Invalid email address" }),
+  password: z.string().min(6, { message: "Password must be at least 6 characters" }),
+});
+
+export type LoginFormValues = z.infer<typeof loginSchema>;
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -1,9 +1,53 @@
 import createMiddleware from 'next-intl/middleware';
-import {routing} from './i18n/routing';
+import { routing } from './i18n/routing';
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { jwtVerify } from 'jose';

-export default createMiddleware(routing);
+const intlMiddleware = createMiddleware(routing);
+
+export async function middleware(request: NextRequest) {
+  // Execute internationalization middleware first
+  const response = intlMiddleware(request);
+
+  // Pathname before rewrite (e.g., /id/admin/dashboard, /admin/dashboard)
+  const pathname = request.nextUrl.pathname;
+  
+  // Protect all /admin routes except the login page
+  const isAdminRoute = pathname.includes('/admin') && !pathname.includes('/admin/login');
+
+  if (isAdminRoute) {
+    const session = request.cookies.get('ando_admin_session')?.value;
+    
+    // Determine current locale from path or cookie for redirect
+    const segments = pathname.split('/');
+    const localeIndex = routing.locales.includes(segments[1] as any) ? 1 : -1;
+    const locale = localeIndex !== -1 ? segments[localeIndex] : routing.defaultLocale;
+
+    if (!session) {
+      return NextResponse.redirect(new URL(`/${locale}/admin/login`, request.url));
+    }
+
+    try {
+      const secretKey = process.env.JWT_SECRET || "fallback-secret-for-development";
+      const key = new TextEncoder().encode(secretKey);
+      await jwtVerify(session, key, { algorithms: ["HS256"] });
+    } catch (err) {
+      // Token is expired or invalid
+      const res = NextResponse.redirect(new URL(`/${locale}/admin/login`, request.url));
+      res.cookies.delete('ando_admin_session');
+      return res;
+    }
+  }
+
+  return response;
+}

 export const config = {
-  // Match only internationalized pathnames
-  matcher: ['/', '/(id|en)/:path*']
+  // Apply middleware to all standard routes and admin routes
+  matcher: [
+    '/',
+    '/(id|en)/:path*',
+    '/admin/:path*'
+  ]
 };