smart-home-tablet/app/api/auth/route.ts

import { NextResponse } from 'next/server'
import { cookies } from 'next/headers'
import * as crypto from 'crypto'

const SECRET = process.env.APP_SECRET || 'smart-home-default-secret-change-me'

function makeToken(pin: string): string {
  return crypto.createHmac('sha256', SECRET).update(pin).digest('hex')
}

export async function POST(req: Request) {
  const { pin } = await req.json()
  const correctPin = process.env.APP_PIN || '1234'

  if (pin !== correctPin) {
    return NextResponse.json({ error: 'wrong_pin' }, { status: 401 })
  }

  const token = makeToken(correctPin)
  const res = NextResponse.json({ success: true })

  res.cookies.set('auth_token', token, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    path: '/',
    maxAge: 60 * 60 * 24 * 365, // 1 year — tablet stays logged in
  })

  return res
}

export async function DELETE() {
  const res = NextResponse.json({ success: true })
  res.cookies.delete('auth_token')
  return res
}