feature: signup and login work

public/api/auth/index.ts

@@ -9,15 +9,15 @@ import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
 import { verifyTotp } from 'jsr:@stdext/crypto/totp';
 import { encodeBase64 } from 'jsr:@std/encoding/base64';
 import parse_body from '../../../utils/bodyparser.ts';
+import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
 
-const DEFAULT_SESSION_TIME: number = 60 * 60; // 1 Hour
+const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour
 
 // POST /api/auth - Authenticate
 export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
 	try {
 		const body = await parse_body(req);
 
-		const email: string = body.email?.toLowerCase().trim() ?? '';
 		const username: string = body.username?.toLowerCase() ?? '';
 		const password: string | undefined = body.password;
 		const password_hash: string | undefined = body.password_hash ?? (typeof password === 'string'
@@ -27,11 +27,11 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			: undefined);
 		const totp: string | undefined = body.totp;
 
-		if ((!email.length && !username.length) || (email.length && username.length)) {
+		if (!username.length) {
 			return Response.json({
 				error: {
-					message: 'You must specify either an email or username to log in.',
-					cause: 'email_or_username_required'
+					message: 'You must specify a username to log in.',
+					cause: 'username_required'
 				}
 			}, {
 				status: 400
@@ -51,20 +51,14 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 		}
 
 		let user: USER | undefined = undefined;
-		if (email.length) {
-			user = (await USERS.find({
-				email
-			})).shift();
-		} else if (username.length) {
-			user = (await USERS.find({
-				username
-			})).shift();
-		}
+		user = (await USERS.find({
+			username
+		})).shift();
 
 		if (!user) {
 			return Response.json({
 				error: {
-					message: 'Could not locate an account with this email or username.',
+					message: `Could not locate an account with username: ${username}`,
 					cause: 'missing_account'
 				}
 			}, {
@@ -105,7 +99,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 				}, {
 					status: 202,
 					headers: {
-						'Set-Cookie': `checklist_observer_totp_user_id=${user.id}; Path=/; Max-Age=300`
+						'Set-Cookie': `totp_user_id=${user.id}; Path=/; Max-Age=300`
 					}
 				});
 			}
@@ -123,7 +117,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			}
 		}
 
-		const session_result: SESSION_RESULT = await get_session({
+		const session_result: SESSION_RESULT = await create_new_session({
 			user,
 			expires: body.session?.expires
 		});
@@ -164,7 +158,7 @@ export type SESSION_INFO = {
 	expires: string | undefined;
 };
 
-export async function get_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
+export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();
 	const expires: string = session_settings.expires ??
 		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
@@ -183,7 +177,13 @@ export async function get_session(session_settings: SESSION_INFO): Promise<SESSI
 	await SESSIONS.create(session);
 
 	const headers = new Headers();
-	headers.append('Set-Cookie', `checklist_observer_session_id=${session.id}; Path=/; Expires=${expires}`);
+
+	headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Expires=${expires}`);
+	headers.append(`x-${SESSION_ID_TOKEN}`, session.id);
+
+	// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
+	// generate the TOTP for the call to /api/users/me
+	headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Expires=${expires}`);
 
 	return {
 		session,