import { Router } from 'express'; import { entraCallback, entraLogin, login, me, password, profile, theme } from '../controllers/authController.js'; import { requireAuth } from '../middleware/auth.js'; import { rateLimit } from '../middleware/rateLimit.js'; export const authRoutes = Router(); // Throttle credential-guessing against the public login endpoint. const loginLimiter = rateLimit({ windowMs: 60_000, max: 10, keyPrefix: 'login' }); // Session/profile endpoints. Local login is public; profile mutations require a valid JWT. authRoutes.post('/login', loginLimiter, login); authRoutes.get('/entra/login', entraLogin); authRoutes.get('/entra/callback', entraCallback); authRoutes.get('/me', requireAuth, me); authRoutes.put('/profile', requireAuth, profile); authRoutes.put('/theme', requireAuth, theme); authRoutes.post('/change-password', requireAuth, password);