auth: full session-based auth with remember-me support

- Seed user: shawn / Brett85!@ (SHA-256)
- Sessions table with expires_at column
- login endpoint supports remember_me flag (30d vs 1d expiry)
- logout endpoint invalidates server-side token
- auth middleware + /api/auth/me check session expiry
- Frontend sends remember_me in login request body
- Frontend calls /api/auth/logout on client logout
- Migration function for existing databases
This commit is contained in:
2026-05-21 20:17:21 -04:00
parent 921a40a560
commit 58f8b67b28
2 changed files with 61 additions and 8 deletions
+6 -3
View File
@@ -1381,16 +1381,16 @@
}
try {
const remember = document.getElementById('loginRemember').checked;
const result = await api('/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username, password }),
body: JSON.stringify({ username, password, remember_me: remember }),
});
AppState.authToken = result.token;
AppState.currentUser = { id: result.id, username: result.username, role: result.role };
const remember = document.getElementById('loginRemember').checked;
if (remember) {
localStorage.setItem('canteen_session', JSON.stringify({
token: result.token,
@@ -1416,7 +1416,10 @@
}
}
function doLogout() {
async function doLogout() {
try {
await api('/api/auth/logout', { method: 'POST' });
} catch (e) { /* ignore — still clean up locally */ }
localStorage.removeItem('canteen_session');
AppState.authToken = null;
AppState.currentUser = null;