import { defineEventHandler, readBody, createError } from 'h3' import { getSubdomainFromRequest, isCentralSubdomain } from '~/server/utils/tenant' import { setSessionCookie, setTenantIdCookie } from '~/server/utils/session' export default defineEventHandler(async (event) => { const config = useRuntimeConfig() const body = await readBody(event) // Extract subdomain from the request const subdomain = getSubdomainFromRequest(event) if (!subdomain) { throw createError({ statusCode: 400, statusMessage: 'Unable to determine tenant from subdomain', }) } // Determine the backend URL based on whether this is central admin or tenant const isCentral = isCentralSubdomain(subdomain) const backendUrl = config.backendUrl || 'http://localhost:3000' const loginEndpoint = isCentral ? '/api/auth/central/login' : '/api/auth/login' try { // Forward login request to NestJS backend with subdomain header const response = await fetch(`${backendUrl}${loginEndpoint}`, { method: 'POST', headers: { 'Content-Type': 'application/json', 'x-tenant-subdomain': subdomain, }, body: JSON.stringify(body), }) const data = await response.json() if (!response.ok) { throw createError({ statusCode: response.status, statusMessage: data.message || 'Login failed', data: data, }) } // Extract token and tenant info from response const { access_token, user, tenantId } = data if (!access_token) { throw createError({ statusCode: 500, statusMessage: 'No access token received from backend', }) } // Set HTTP-only cookie with the JWT token setSessionCookie(event, access_token) // Set tenant ID cookie (readable by client for context) if (tenantId) { setTenantIdCookie(event, tenantId) } // Return user info (but NOT the token - it's in HTTP-only cookie) return { success: true, user, tenantId, } } catch (error: any) { // Re-throw H3 errors if (error.statusCode) { throw error } console.error('Login proxy error:', error) throw createError({ statusCode: 500, statusMessage: 'Failed to connect to authentication service', }) } })