fix: login sessions

2025-07-04 14:51:49 -07:00 · 2025-07-04 14:51:49 -07:00 · cf46450f5f
commit cf46450f5f
parent dc91d0ab8c
11 changed files with 179 additions and 27 deletions
--- a/public/api/auth/index.ts
+++ b/public/api/auth/index.ts
@ -1,15 +1,14 @@
 import { PASSWORD_ENTRIES } from '../../../models/password_entry.ts';
 import { USER, USERS } from '../../../models/user.ts';
-import { generateSecret } from 'jsr:@stdext/crypto/utils';
 import { encodeBase32 } from 'jsr:@std/encoding';
-import { verify } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
 import { SESSION, SESSIONS } from '../../../models/session.ts';
 import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
-import { verifyTotp } from 'jsr:@stdext/crypto/totp';
 import { encodeBase64 } from 'jsr:@std/encoding/base64';
 import parse_body from '../../../utils/bodyparser.ts';
 import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
+import * as bcrypt from 'jsr:@da/bcrypt';
+import { verifyTotp } from '../../../utils/totp.ts';

 const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour

@ -78,7 +77,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			});
 		}

-		const verified = verify('bcrypt', `${password_hash}${password_entry.salt}`, password_entry.hash);
+		const verified = await bcrypt.compare(`${password_hash}${password_entry.salt}`, password_entry.hash);
+
 		if (!verified) {
 			return Response.json({
 				error: {
@ -158,15 +158,18 @@ export type SESSION_INFO = {
 	expires: string | undefined;
 };

+const session_secret_buffer = new Uint8Array(20);
 export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();
 	const expires: string = session_settings.expires ??
 		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();

+	crypto.getRandomValues(session_secret_buffer);
+
 	const session: SESSION = {
 		id: lurid(),
 		user_id: session_settings.user.id,
-		secret: encodeBase32(generateSecret()),
+		secret: encodeBase32(session_secret_buffer),
 		timestamps: {
 			created: now,
 			expires,
--- a/public/api/users/index.ts
+++ b/public/api/users/index.ts
@ -1,13 +1,12 @@
 import { PASSWORD_ENTRIES, PASSWORD_ENTRY } from '../../../models/password_entry.ts';
 import { USER, USERS } from '../../../models/user.ts';
-import { generateSecret } from 'jsr:@stdext/crypto/utils';
-import { hash } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
 import { encodeBase64 } from 'jsr:@std/encoding';
 import parse_body from '../../../utils/bodyparser.ts';
 import { create_new_session, SESSION_RESULT } from '../auth/index.ts';
 import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../utils/prechecks.ts';
 import * as CANNED_RESPONSES from '../../../utils/canned_responses.ts';
+import * as bcrypt from 'jsr:@da/bcrypt';

 // TODO: figure out a better solution for doling out permissions
 const DEFAULT_USER_PERMISSIONS: string[] = [
@ -107,8 +106,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res

 		await USERS.create(user);

-		const salt = generateSecret();
-		const hashed_password_value = hash('bcrypt', `${password_hash}${salt}`);
+		const salt = await bcrypt.genSalt();
+		const hashed_password_value = await bcrypt.hash(password_hash, salt);

 		const password_entry: PASSWORD_ENTRY = {
 			user_id: user.id,
--- a/public/index.html
+++ b/public/index.html
@ -27,6 +27,7 @@
 			/* check if we are logged in */
 			(async () => {
 				try {
+					console.log( 'hi');
 					const session_response = await api.fetch("/users/me");

 					if (!session_response.ok) {
--- a/public/js/smartforms.js
+++ b/public/js/smartforms.js
@ -1,6 +1,6 @@
 document.addEventListener("DOMContentLoaded", () => {
 	/* make all forms semi-smart */
-	const forms = document.querySelectorAll("form");
+	const forms = document.querySelectorAll("form[data-smart]");
 	for (const form of forms) {
 		const script = form.querySelector("script");

@ -21,17 +21,27 @@ document.addEventListener("DOMContentLoaded", () => {
 			}

 			const url = form.action;
+			const method = form.dataset.method ?? "POST";

+			console.dir({
+				method,
+				form,
+			});
 			try {
 				// TODO: send session header
-				const response = await fetch(url, {
-					method: "POST",
+				const options = {
+					method,
 					headers: {
 						Accept: "application/json",
-						"Content-Type": "application/json",
 					},
-					body: JSON.stringify(body),
-				});
+				};
+
+				if (["POST", "PUT", "PATCH"].includes(method)) {
+					options.headers["Content-Type"] = "application/json";
+					options.body = JSON.stringify(body);
+				}
+
+				const response = await fetch(url, options);

 				if (!response.ok) {
 					const error_body = await response.json();
--- a/public/signup_login_wall.html
+++ b/public/signup_login_wall.html
@ -102,6 +102,8 @@
 				</label>
 				<div class="tab-content">
 					<form
+						data-smart="true"
+						data-method="POST"
 						id="login-form"
 						action="/api/auth"
 						onreply="(user)=>{ document.body.dataset.user = JSON.stringify( user ); }"
@ -142,7 +144,7 @@
 					<div class="label">Sign Up</div>
 				</label>
 				<div class="tab-content">
-					<form id="signup-form" action="/api/users">
+					<form data-smart="true" data-method="POST" id="signup-form" action="/api/users">
 						<script>
 							{
 								const form = document.currentScript.closest("form");
--- a/public/tabs/talk.html
+++ b/public/tabs/talk.html
@ -288,7 +288,7 @@
 							`/rooms/${room_id}/events?type=chat&limit=100&sort=newest`,
 						);
 						if (!events_response.ok) {
-							const error = await room_response.json();
+							const error = await events_response.json();
 							alert(error.message ?? JSON.stringify(error));
 							return;
 						}
@ -327,6 +327,11 @@
 					window.addEventListener("locationchange", update_chat_rooms);

 					function check_for_room_in_url() {
+						const user_json = document.body.dataset.user;
+						if (!user_json) {
+							return;
+						}
+
 						const hash = window.location.hash;
 						const talk_in_url = hash.indexOf("#/talk") === 0;
 						if (!talk_in_url) {
@ -503,16 +508,6 @@
 									`<li id="room-selector-${new_room.id}" class="room"><a href="#/room/${new_room.id}">${new_room.name}</a></li>`,
 								);

-								const room_selectors = document.querySelectorAll("li.room");
-								for (const room_selector of room_selectors) {
-									room_selector.classList.remove("active");
-								}
-
-								const new_room_selector = document.getElementById(
-									`room-selector-${new_room.id}`,
-								);
-								new_room_selector.classList.add("active");
-
 								window.location.hash = `/talk/room/${new_room.id}`;
 							});
 						});
--- a/public/tabs/user.html
+++ b/public/tabs/user.html
@ -53,5 +53,24 @@
 		<div class="username-container">
 			<span class="username" data-bind-user_username></span>
 		</div>
+
+		<form data-smart="true" action="/api/auth" method="DELETE">
+			<script>
+				{
+					const form = document.currentScript.closest("form");
+					form.on_response = (response) => {
+						if (!response.ok) {
+							alert("error logging out!");
+							return;
+						}
+
+						delete document.body.dataset.user;
+						delete document.body.dataset.perms;
+						window.location = "/";
+					};
+				}
+			</script>
+			<button class="primary">Log Out</button>
+		</form>
 	</div>
 </div>