fix: login sessions

public/api/auth/index.ts

@@ -1,15 +1,14 @@
 import { PASSWORD_ENTRIES } from '../../../models/password_entry.ts';
 import { USER, USERS } from '../../../models/user.ts';
-import { generateSecret } from 'jsr:@stdext/crypto/utils';
 import { encodeBase32 } from 'jsr:@std/encoding';
-import { verify } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
 import { SESSION, SESSIONS } from '../../../models/session.ts';
 import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
-import { verifyTotp } from 'jsr:@stdext/crypto/totp';
 import { encodeBase64 } from 'jsr:@std/encoding/base64';
 import parse_body from '../../../utils/bodyparser.ts';
 import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
+import * as bcrypt from 'jsr:@da/bcrypt';
+import { verifyTotp } from '../../../utils/totp.ts';
 
 const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour
 
@@ -78,7 +77,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			});
 		}
 
-		const verified = verify('bcrypt', `${password_hash}${password_entry.salt}`, password_entry.hash);
+		const verified = await bcrypt.compare(`${password_hash}${password_entry.salt}`, password_entry.hash);
+
 		if (!verified) {
 			return Response.json({
 				error: {
@@ -158,15 +158,18 @@ export type SESSION_INFO = {
 	expires: string | undefined;
 };
 
+const session_secret_buffer = new Uint8Array(20);
 export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();
 	const expires: string = session_settings.expires ??
 		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
 
+	crypto.getRandomValues(session_secret_buffer);
+
 	const session: SESSION = {
 		id: lurid(),
 		user_id: session_settings.user.id,
-		secret: encodeBase32(generateSecret()),
+		secret: encodeBase32(session_secret_buffer),
 		timestamps: {
 			created: now,
 			expires,