// POST /_auth/login {password}
//
// Verifies the submitted password against the configured UI password with a
// constant-time comparison, then records `authenticated: true` in the h3
// session. The route is public (allowlisted in the gate); otherwise an
// unauthenticated user could never reach it to log in.
//
// Responses:
//   503 "auth not configured" — uiPassword() is empty; raised before the body
//       is read, so an unconfigured deployment never evaluates a credential.
//   401 "invalid password"    — comparison failed. A missing field is compared
//       as "" and fails through the same branch as a wrong password.
//   200 { ok: true }          — session updated with { authenticated: true }.
import { defineEventHandler, readBody, createError, useSession } from "h3";
import {
  sessionConfig,
  timingSafeEqual,
  uiPassword,
  type SessionData,
} from "../../util/auth";

export default defineEventHandler(async (event) => {
  const configured = uiPassword();
  if (!configured) {
    throw createError({
      statusCode: 503,
      statusMessage: "auth not configured",
    });
  }

  // Coerce whatever arrived to a string: null/undefined becomes "" and still
  // goes through timingSafeEqual instead of short-circuiting earlier.
  const payload = await readBody<{ password?: string }>(event);
  const supplied = payload?.password ?? "";
  const candidate = String(supplied);

  // timingSafeEqual (project helper, ../../util/auth) rather than === so the
  // comparison time does not depend on how much of the password matched.
  const matches = timingSafeEqual(candidate, configured);
  if (!matches) {
    throw createError({ statusCode: 401, statusMessage: "invalid password" });
  }

  // NOTE(review): sessionConfig() is assumed to supply the cookie sealing
  // options — confirm in ../../util/auth. No throttling happens in this
  // handler, so any brute-force limiting has to live upstream of it.
  const session = await useSession(event, sessionConfig());
  await session.update({ authenticated: true });
  return { ok: true };
});