54 lines
1.7 KiB
TypeScript
54 lines
1.7 KiB
TypeScript
import { type NextRequest, NextResponse } from "next/server"
|
|
import { safeQuery } from "@/lib/database"
|
|
import { validateIsraeliID, verifyPassword } from "@/lib/auth"
|
|
|
|
export async function POST(request: NextRequest) {
|
|
try {
|
|
const { nationalId, password } = await request.json()
|
|
|
|
// Input validation
|
|
if (!nationalId || !password) {
|
|
return NextResponse.json({ error: "נתונים חסרים" }, { status: 400 })
|
|
}
|
|
|
|
if (!validateIsraeliID(nationalId)) {
|
|
return NextResponse.json({ error: "מספר תעודת זהות לא תקין" }, { status: 400 })
|
|
}
|
|
|
|
// Use parameterized query to prevent SQL injection
|
|
const users = (await safeQuery(
|
|
"SELECT national_id, password, name, is_admin, role, field, department, team, in_shelter, last_updated, must_change_password FROM users WHERE national_id = ?",
|
|
[nationalId],
|
|
)) as any[]
|
|
|
|
if (users.length === 0) {
|
|
return NextResponse.json({ error: "משתמש לא נמצא" }, { status: 401 })
|
|
}
|
|
|
|
const user = users[0]
|
|
const isValidPassword = await verifyPassword(password, user.password)
|
|
|
|
if (!isValidPassword) {
|
|
return NextResponse.json({ error: "סיסמה שגויה" }, { status: 401 })
|
|
}
|
|
|
|
return NextResponse.json({
|
|
user: {
|
|
national_id: user.national_id,
|
|
name: user.name,
|
|
is_admin: user.is_admin,
|
|
role: user.role,
|
|
field: user.field,
|
|
department: user.department,
|
|
team: user.team,
|
|
in_shelter: user.in_shelter,
|
|
last_updated: user.last_updated,
|
|
must_change_password: user.must_change_password,
|
|
},
|
|
})
|
|
} catch (error) {
|
|
console.error("Login error:", error)
|
|
return NextResponse.json({ error: "שגיאה בשרת" }, { status: 500 })
|
|
}
|
|
}
|