Add Expo authentication and notes authorization workflow

app/(auth)/_layout.tsx

@@ -0,0 +1,18 @@
+import { Stack } from 'expo-router';
+import { colors } from '../../constants/theme';
+
+export default function AuthLayout() {
+  return (
+    <Stack
+      screenOptions={{
+        headerTintColor: colors.text,
+        headerStyle: { backgroundColor: colors.background },
+        headerShadowVisible: false,
+        contentStyle: { backgroundColor: colors.background },
+      }}
+    >
+      <Stack.Screen name="login" options={{ title: 'Login' }} />
+      <Stack.Screen name="register" options={{ title: 'Register' }} />
+    </Stack>
+  );
+}

app/(auth)/api/login+api.ts

@@ -0,0 +1,85 @@
+import crypto from 'node:crypto';
+import bcrypt from 'bcryptjs';
+import { createSessionInsecure } from '../../../database/sessions';
+import { getUserWithPasswordHashInsecure } from '../../../database/users';
+import { ExpoApiResponse } from '../../../ExpoApiResponse';
+import {
+  type User,
+  userSchemaLogin,
+} from '../../../migrations/00002-createTableUsers';
+import { createSerializedSessionTokenCookie } from '../../../util/cookies';
+import { getCombinedErrorMessage } from '../../../util/validation';
+
+export type LoginResponseBodyPost =
+  | {
+      user: User;
+    }
+  | {
+      error: string;
+    };
+
+export async function POST(
+  request: Request,
+): Promise<ExpoApiResponse<LoginResponseBodyPost>> {
+  const requestBody = await request.json();
+  const result = userSchemaLogin.safeParse(requestBody);
+
+  if (!result.success) {
+    return ExpoApiResponse.json(
+      { error: getCombinedErrorMessage(result.error.issues) },
+      { status: 400 },
+    );
+  }
+
+  const userWithPasswordHash = await getUserWithPasswordHashInsecure(
+    result.data.user.username,
+  );
+
+  if (!userWithPasswordHash) {
+    return ExpoApiResponse.json(
+      { error: 'Username or password invalid' },
+      { status: 401 },
+    );
+  }
+
+  const isPasswordValid = await bcrypt.compare(
+    result.data.user.password,
+    userWithPasswordHash.passwordHash,
+  );
+
+  userWithPasswordHash.passwordHash = '';
+
+  if (!isPasswordValid) {
+    return ExpoApiResponse.json(
+      { error: 'Username or password invalid' },
+      { status: 401 },
+    );
+  }
+
+  const sessionToken = crypto.randomBytes(100).toString('base64');
+  const session = await createSessionInsecure(
+    sessionToken,
+    userWithPasswordHash.id,
+  );
+
+  if (!session) {
+    return ExpoApiResponse.json(
+      { error: 'Session creation failed' },
+      { status: 500 },
+    );
+  }
+
+  return ExpoApiResponse.json(
+    {
+      user: {
+        id: userWithPasswordHash.id,
+        username: userWithPasswordHash.username,
+      },
+    },
+    {
+      headers: {
+        'Set-Cookie': createSerializedSessionTokenCookie(session.token),
+      },
+    },
+  );
+}

app/(auth)/api/logout+api.ts

@@ -0,0 +1,37 @@
+import { parse } from 'cookie';
+import { deleteSession } from '../../../database/sessions';
+import { ExpoApiResponse } from '../../../ExpoApiResponse';
+import { deleteSerializedSessionTokenCookie } from '../../../util/cookies';
+
+export type LogoutResponseBodyPost =
+  | {
+      success: true;
+    }
+  | {
+      error: string;
+    };
+
+export async function POST(
+  request: Request,
+): Promise<ExpoApiResponse<LogoutResponseBodyPost>> {
+  const cookies = parse(request.headers.get('cookie') || '');
+  const sessionToken = cookies.sessionToken;
+
+  if (!sessionToken) {
+    return ExpoApiResponse.json(
+      { error: 'Authentication required' },
+      { status: 401 },
+    );
+  }
+
+  await deleteSession(sessionToken);
+
+  return ExpoApiResponse.json(
+    { success: true },
+    {
+      headers: {
+        'Set-Cookie': deleteSerializedSessionTokenCookie(),
+      },
+    },
+  );
+}

app/(auth)/api/register+api.ts

@@ -0,0 +1,72 @@
+import crypto from 'node:crypto';
+import bcrypt from 'bcryptjs';
+import { createSessionInsecure } from '../../../database/sessions';
+import {
+  createUserInsecure,
+  getUserInsecure,
+} from '../../../database/users';
+import { ExpoApiResponse } from '../../../ExpoApiResponse';
+import {
+  type User,
+  userSchemaRegister,
+} from '../../../migrations/00002-createTableUsers';
+import { createSerializedSessionTokenCookie } from '../../../util/cookies';
+import { getCombinedErrorMessage } from '../../../util/validation';
+
+export type RegisterResponseBodyPost =
+  | {
+      user: User;
+    }
+  | {
+      error: string;
+    };
+
+export async function POST(
+  request: Request,
+): Promise<ExpoApiResponse<RegisterResponseBodyPost>> {
+  const requestBody = await request.json();
+  const result = userSchemaRegister.safeParse(requestBody);
+
+  if (!result.success) {
+    return ExpoApiResponse.json(
+      { error: getCombinedErrorMessage(result.error.issues) },
+      { status: 400 },
+    );
+  }
+
+  if (await getUserInsecure(result.data.user.username)) {
+    return ExpoApiResponse.json(
+      { error: 'Username already exists' },
+      { status: 400 },
+    );
+  }
+
+  const passwordHash = await bcrypt.hash(result.data.user.password, 12);
+  const user = await createUserInsecure(result.data.user.username, passwordHash);
+
+  if (!user) {
+    return ExpoApiResponse.json(
+      { error: 'Creating user failed' },
+      { status: 500 },
+    );
+  }
+
+  const sessionToken = crypto.randomBytes(100).toString('base64');
+  const session = await createSessionInsecure(sessionToken, user.id);
+
+  if (!session) {
+    return ExpoApiResponse.json(
+      { error: 'Session creation failed' },
+      { status: 500 },
+    );
+  }
+
+  return ExpoApiResponse.json(
+    { user },
+    {
+      headers: {
+        'Set-Cookie': createSerializedSessionTokenCookie(session.token),
+      },
+    },
+  );
+}