/** * Mobile auth helper — validates Bearer token and returns userId * Token format: base64url(userId:timestamp:hmac) */ import { createHmac, timingSafeEqual } from 'crypto' function getSecret(): string { const secret = process.env.NEXTAUTH_SECRET if (!secret) { throw new Error('NEXTAUTH_SECRET is required for mobile auth') } return secret } export function createMobileToken(userId: string): string { const ts = Date.now() const payload = `${userId}:${ts}` const sig = createHmac('sha256', getSecret()).update(payload).digest('hex') return Buffer.from(`${payload}:${sig}`).toString('base64url') } export async function verifyMobileToken(token: string): Promise { try { // Check Redis blacklist first (non-blocking — if Redis is down, allow) try { const { redis } = await import('@/lib/redis') const revoked = await redis.get(`mobile:revoked:${token}`) if (revoked) return null } catch {} const decoded = Buffer.from(token, 'base64url').toString('utf-8') const lastColon = decoded.lastIndexOf(':') if (lastColon === -1) return null const sig = decoded.slice(lastColon + 1) const payload = decoded.slice(0, lastColon) const secondColon = payload.lastIndexOf(':') if (secondColon === -1) return null const userId = payload.slice(0, secondColon) const ts = payload.slice(secondColon + 1) const expected = createHmac('sha256', getSecret()).update(payload).digest('hex') const sigBuf = Buffer.from(sig) const expectedBuf = Buffer.from(expected) if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) return null if (Date.now() - Number(ts) > 90 * 24 * 60 * 60 * 1000) return null return userId } catch { return null } } export async function getMobileUserId(request: Request): Promise { const auth = request.headers.get('Authorization') if (!auth?.startsWith('Bearer ')) return null return verifyMobileToken(auth.slice(7)) }