nav-carte/server/api/codev/auth.post.ts


import { createHash, timingSafeEqual } from 'node:crypto'
import { z } from 'zod'
// Length bounds for the submitted password. The upper bound caps how much
// attacker-controlled text the handler will normalise and compare.
const PASSWORD_MIN_LENGTH = 1
const PASSWORD_MAX_LENGTH = 100

/** Shape of the login request body: a single non-empty, bounded `password` string. */
const passwordField = z.string().min(PASSWORD_MIN_LENGTH).max(PASSWORD_MAX_LENGTH)
const AuthSchema = z.object({ password: passwordField })
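/**
 * POST handler for the shared-password login.
 *
 * Validates the request body against `AuthSchema`, compares the submitted
 * password with `runtimeConfig.codevPassword`, and on success sets the
 * `codev_session` cookie for 24 hours.
 *
 * @returns `{ status: 200, ok: true }` on success.
 * @throws 422 when the body does not match `AuthSchema`.
 * @throws 500 when no password is configured on the server.
 * @throws 401 when the submitted password does not match.
 */
export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const parsed = AuthSchema.safeParse(body)
  if (!parsed.success) {
    throw createError({ statusCode: 422, statusMessage: 'Mot de passe invalide' })
  }

  const config = useRuntimeConfig()
  // Fail closed: with no configured password there is nothing to authenticate
  // against. A fallback literal in the source would be a credential known to
  // anyone who can read the repository.
  const configured = typeof config.codevPassword === 'string' ? config.codevPassword : ''
  const expected = configured.trim().toLowerCase()
  if (expected.length === 0) {
    throw createError({ statusCode: 500, statusMessage: 'Mot de passe non configuré' })
  }

  // The comparison stays trimmed and case-insensitive, as before. Note that this
  // shrinks the effective password space; keep the configured value long.
  const supplied = parsed.data.password.trim().toLowerCase()

  // Hash both sides to fixed-length digests so timingSafeEqual can be used
  // (it requires equal-length buffers) and the comparison time does not depend
  // on how many leading characters match.
  const digest = (value: string) => createHash('sha256').update(value, 'utf8').digest()
  if (!timingSafeEqual(digest(supplied), digest(expected))) {
    throw createError({ statusCode: 401, statusMessage: 'Mauvais mot de passe' })
  }

  // NOTE(review): the cookie value is the constant 'ok'. httpOnly only hides it
  // from page scripts; it does not make the value unguessable. If the code that
  // checks codev_session (not visible here) only tests for this value, the
  // session should instead be a signed or server-stored random token.
  // NOTE(review): this handler applies no attempt limit; confirm rate limiting
  // exists in middleware or at the proxy.
  setCookie(event, 'codev_session', 'ok', {
    httpOnly: true,
    sameSite: 'lax',
    secure: process.env.NODE_ENV === 'production',
    maxAge: 60 * 60 * 24, // 24h
    path: '/',
  })

  return { status: 200, ok: true }
})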