remotelink-docker/app/api/agent/session-code/route.ts

import { db } from '@/lib/db'
import { machines, sessionCodes } from '@/lib/db/schema'
import { eq, and } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
import { randomInt } from 'crypto'

function generateSessionCode(): string {
  const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
  let code = ''
  for (let i = 0; i < 6; i++) {
    code += chars.charAt(randomInt(chars.length))
  }
  return code
}

// Simple in-process rate limiter: max 10 requests per minute per access key
const rateLimitMap = new Map<string, { count: number; resetAt: number }>()
const RATE_LIMIT = 10
const RATE_WINDOW_MS = 60_000

function isRateLimited(key: string): boolean {
  const now = Date.now()
  const entry = rateLimitMap.get(key)
  if (!entry || now >= entry.resetAt) {
    rateLimitMap.set(key, { count: 1, resetAt: now + RATE_WINDOW_MS })
    return false
  }
  if (entry.count >= RATE_LIMIT) return true
  entry.count++
  return false
}

export async function POST(request: NextRequest) {
  try {
    const { accessKey } = await request.json()

    if (!accessKey) {
      return NextResponse.json({ error: 'Access key required' }, { status: 400 })
    }

    if (isRateLimited(accessKey)) {
      return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
    }

    const machineResult = await db
      .select()
      .from(machines)
      .where(eq(machines.accessKey, accessKey))
      .limit(1)

    const machine = machineResult[0]
    if (!machine) {
      return NextResponse.json({ error: 'Invalid access key' }, { status: 401 })
    }

    // Generate a unique code
    let code = ''
    for (let attempts = 0; attempts < 10; attempts++) {
      const candidate = generateSessionCode()
      const existing = await db
        .select({ id: sessionCodes.id })
        .from(sessionCodes)
        .where(and(eq(sessionCodes.code, candidate), eq(sessionCodes.isActive, true)))
        .limit(1)

      if (!existing[0]) {
        code = candidate
        break
      }
    }

    if (!code) {
      return NextResponse.json({ error: 'Failed to generate unique code' }, { status: 500 })
    }

    const expiresAt = new Date(Date.now() + 10 * 60 * 1000)

    await db.insert(sessionCodes).values({
      code,
      machineId: machine.id,
      createdBy: machine.userId,
      expiresAt,
      isActive: true,
    })

    return NextResponse.json({ success: true, code, expiresAt: expiresAt.toISOString(), expiresIn: 600 })
  } catch (error) {
    console.error('[Session Code] Error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}