/** * Mobile auth helper — validates Bearer token and returns userId * Token format: base64(userId:timestamp:hmac) */ import { createHmac } from 'crypto' const SECRET = process.env.NEXTAUTH_SECRET || 'fallback-secret' export function createMobileToken(userId: string): string { const ts = Date.now() const payload = `${userId}:${ts}` const sig = createHmac('sha256', SECRET).update(payload).digest('hex').slice(0, 16) return Buffer.from(`${payload}:${sig}`).toString('base64url') } export function verifyMobileToken(token: string): string | null { try { const decoded = Buffer.from(token, 'base64url').toString('utf-8') const parts = decoded.split(':') if (parts.length !== 3) return null const [userId, ts, sig] = parts const payload = `${userId}:${ts}` const expected = createHmac('sha256', SECRET).update(payload).digest('hex').slice(0, 16) if (sig !== expected) return null // Token valid for 90 days if (Date.now() - Number(ts) > 90 * 24 * 60 * 60 * 1000) return null return userId } catch { return null } } export function getMobileUserId(request: Request): string | null { const auth = request.headers.get('Authorization') if (!auth?.startsWith('Bearer ')) return null return verifyMobileToken(auth.slice(7)) }