refactor: require password verification

chore: styling work

deno.json

@@ -46,10 +46,10 @@
 		"@andyburke/lurid": "jsr:@andyburke/lurid@^0.2.0",
 		"@andyburke/serverus": "jsr:@andyburke/serverus@^0.16.0",
 		"@da/bcrypt": "jsr:@da/bcrypt@^1.0.1",
-		"@std/assert": "jsr:@std/assert@^1.0.17",
+		"@std/assert": "jsr:@std/assert@^1.0.19",
 		"@std/encoding": "jsr:@std/encoding@^1.0.10",
-		"@std/fs": "jsr:@std/fs@^1.0.22",
+		"@std/fs": "jsr:@std/fs@^1.0.23",
-		"@std/http": "jsr:@std/http@^1.0.23",
+		"@std/http": "jsr:@std/http@^1.0.25",
 		"@std/media-types": "jsr:@std/media-types@^1.1.0",
 		"@std/path": "jsr:@std/path@^1.1.4"
 	}

deno.lock

@@ -6,28 +6,27 @@
     "jsr:@andyburke/serverus@0.16": "0.16.0",
     "jsr:@da/bcrypt@*": "1.0.1",
     "jsr:@da/bcrypt@^1.0.1": "1.0.1",
-    "jsr:@std/assert@^1.0.17": "1.0.17",
+    "jsr:@std/assert@^1.0.19": "1.0.19",
-    "jsr:@std/cli@^1.0.19": "1.0.25",
+    "jsr:@std/cli@^1.0.19": "1.0.28",
-    "jsr:@std/cli@^1.0.20": "1.0.25",
+    "jsr:@std/cli@^1.0.20": "1.0.28",
-    "jsr:@std/cli@^1.0.21": "1.0.25",
+    "jsr:@std/cli@^1.0.21": "1.0.28",
-    "jsr:@std/cli@^1.0.25": "1.0.25",
+    "jsr:@std/cli@^1.0.28": "1.0.28",
     "jsr:@std/encoding@^1.0.10": "1.0.10",
-    "jsr:@std/fmt@^1.0.6": "1.0.8",
+    "jsr:@std/fmt@^1.0.6": "1.0.9",
-    "jsr:@std/fmt@^1.0.8": "1.0.8",
+    "jsr:@std/fmt@^1.0.9": "1.0.9",
-    "jsr:@std/fs@^1.0.18": "1.0.22",
+    "jsr:@std/fs@^1.0.18": "1.0.23",
-    "jsr:@std/fs@^1.0.19": "1.0.22",
+    "jsr:@std/fs@^1.0.19": "1.0.23",
-    "jsr:@std/fs@^1.0.21": "1.0.22",
+    "jsr:@std/fs@^1.0.23": "1.0.23",
-    "jsr:@std/fs@^1.0.22": "1.0.22",
     "jsr:@std/html@^1.0.5": "1.0.5",
-    "jsr:@std/http@^1.0.20": "1.0.23",
+    "jsr:@std/http@^1.0.20": "1.0.25",
-    "jsr:@std/http@^1.0.23": "1.0.23",
+    "jsr:@std/http@^1.0.25": "1.0.25",
     "jsr:@std/internal@^1.0.12": "1.0.12",
     "jsr:@std/media-types@^1.1.0": "1.1.0",
     "jsr:@std/net@^1.0.6": "1.0.6",
     "jsr:@std/path@^1.1.0": "1.1.4",
     "jsr:@std/path@^1.1.1": "1.1.4",
     "jsr:@std/path@^1.1.4": "1.1.4",
-    "jsr:@std/streams@^1.0.16": "1.0.16",
+    "jsr:@std/streams@^1.0.17": "1.0.17",
     "npm:@types/node@*": "22.15.15"
   },
   "jsr": {
@@ -59,23 +58,23 @@
     "@da/bcrypt@1.0.1": {
       "integrity": "d2172d3acbcff52e0465557a1a48b1ff1c92df08c90712dae5372255a8c45eb3"
     },
-    "@std/assert@1.0.17": {
+    "@std/assert@1.0.19": {
-      "integrity": "df5ebfffe77c03b3fa1401e11c762cc8f603d51021c56c4d15a8c7ab45e90dbe",
+      "integrity": "eaada96ee120cb980bc47e040f82814d786fe8162ecc53c91d8df60b8755991e",
       "dependencies": [
         "jsr:@std/internal"
       ]
     },
-    "@std/cli@1.0.25": {
+    "@std/cli@1.0.28": {
-      "integrity": "1f85051b370c97a7a9dfc6ba626e7ed57a91bea8c081597276d1e78d929d8c91"
+      "integrity": "74ef9b976db59ca6b23a5283469c9072be6276853807a83ec6c7ce412135c70a"
     },
     "@std/encoding@1.0.10": {
       "integrity": "8783c6384a2d13abd5e9e87a7ae0520a30e9f56aeeaa3bdf910a3eaaf5c811a1"
     },
-    "@std/fmt@1.0.8": {
+    "@std/fmt@1.0.9": {
-      "integrity": "71e1fc498787e4434d213647a6e43e794af4fd393ef8f52062246e06f7e372b7"
+      "integrity": "2487343e8899fb2be5d0e3d35013e54477ada198854e52dd05ed0422eddcabe0"
     },
-    "@std/fs@1.0.22": {
+    "@std/fs@1.0.23": {
-      "integrity": "de0f277a58a867147a8a01bc1b181d0dfa80bfddba8c9cf2bacd6747bcec9308",
+      "integrity": "3ecbae4ce4fee03b180fa710caff36bb5adb66631c46a6460aaad49515565a37",
       "dependencies": [
         "jsr:@std/internal",
         "jsr:@std/path@^1.1.4"
@@ -84,13 +83,13 @@
     "@std/html@1.0.5": {
       "integrity": "4e2d693f474cae8c16a920fa5e15a3b72267b94b84667f11a50c6dd1cb18d35e"
     },
-    "@std/http@1.0.23": {
+    "@std/http@1.0.25": {
-      "integrity": "6634e9e034c589bf35101c1b5ee5bbf052a5987abca20f903e58bdba85c80dee",
+      "integrity": "577b4252290af1097132812b339fffdd55fb0f4aeb98ff11bdbf67998aa17193",
       "dependencies": [
-        "jsr:@std/cli@^1.0.25",
+        "jsr:@std/cli@^1.0.28",
         "jsr:@std/encoding",
-        "jsr:@std/fmt@^1.0.8",
+        "jsr:@std/fmt@^1.0.9",
-        "jsr:@std/fs@^1.0.21",
+        "jsr:@std/fs@^1.0.23",
         "jsr:@std/html",
         "jsr:@std/media-types",
         "jsr:@std/net",
@@ -113,8 +112,8 @@
         "jsr:@std/internal"
       ]
     },
-    "@std/streams@1.0.16": {
+    "@std/streams@1.0.17": {
-      "integrity": "85030627befb1767c60d4f65cb30fa2f94af1d6ee6e5b2515b76157a542e89c4"
+      "integrity": "7859f3d9deed83cf4b41f19223d4a67661b3d3819e9fc117698f493bf5992140"
     }
   },
   "npm": {
@@ -137,10 +136,10 @@
       "jsr:@andyburke/lurid@0.2",
       "jsr:@andyburke/serverus@0.16",
       "jsr:@da/bcrypt@^1.0.1",
-      "jsr:@std/assert@^1.0.17",
+      "jsr:@std/assert@^1.0.19",
       "jsr:@std/encoding@^1.0.10",
-      "jsr:@std/fs@^1.0.22",
+      "jsr:@std/fs@^1.0.23",
-      "jsr:@std/http@^1.0.23",
+      "jsr:@std/http@^1.0.25",
       "jsr:@std/media-types@^1.1.0",
       "jsr:@std/path@^1.1.4"
     ]

public/api/events/index.ts

@@ -41,13 +41,6 @@ export async function GET(request: Request, meta: Record<string, any>): Promise<
 				event_id
 			} = /^.*\/events\/.*\/(?<event_type>.*?)\:(?<event_id>[A-Za-z-]+)\.json$/.exec(entry.path)?.groups ?? {};
 
-			console.dir({
-				entry,
-				event_type,
-				event_id,
-				query: meta.query
-			});
-
 			if (meta.query.after_id && event_id <= meta.query.after_id) {
 				return false;
 			}

public/api/users/index.ts

@@ -139,6 +139,22 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			});
 		}
 
+		const password_verification_hash: string = body.password_verification_hash ?? (typeof body.password_verification === 'string'
+			? encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(body.password_verification))
+			)
+			: '');
+		if (password_verification_hash !== password_hash) {
+			return Response.json({
+				error: {
+					cause: 'invalid password verification hash',
+					message: 'Password and verification must be identical.'
+				}
+			}, {
+				status: 400
+			});
+		}
+
 		const at_least_one_existing_user = (await USERS.all({
 			limit: 1,
 			offset: 0

public/foo/index.html

@@ -1,6 +0,0 @@
-<!DOCTYPE html>
-<html>
-	<body>
-		<h1>Hello World - foo</h1>
-	</body>
-</html>

public/index.html

@@ -10,6 +10,7 @@
 		<link rel="icon" type="image/png" sizes="16x16" href="/icons/favicon-16x16.png" ></link>
 
 		<link rel="stylesheet" href="/base.css"></link>
+		<link rel="stylesheet" href="/icons.css"></link>
 		<link rel="stylesheet" href="/files/custom.css"></link>
 
 		<!-- inlining these to force them to be scoped for everything else -->

public/js/embeds/vimeo.js

@@ -27,7 +27,7 @@ function embed_vimeo(link_info) {
 		<iframe
 		src="https://player.vimeo.com/video/${video_id}"
 		frameborder="0"
-		allow="fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share"
+		allow="fullscreen; picture-in-picture; clipboard-write; encrypted-media;"
 		referrerpolicy="strict-origin-when-cross-origin"
 		title="Star Trek: Legacy"
 		loading="lazy"></iframe>

public/js/embeds/youtube.js

@@ -29,7 +29,7 @@ function embed_youtube(link_info) {
 		<iframe
 		src="https://www.youtube.com/embed/${video_id}"
 		title="YouTube video player"
-		allow="clipboard-write; encrypted-media; picture-in-picture; web-share;"
+		allow="clipboard-write; encrypted-media; picture-in-picture;"
 		referrerpolicy="strict-origin-when-cross-origin"
 	 	allowfullscreen
 		loading="lazy"

public/sidebar/sidebar.html

@@ -145,7 +145,7 @@
 		padding: 1rem;
 		display: flex;
 		align-items: center;
-		color: var(--text);
+		color: var(--text-primary);
 		letter-spacing: 0.5px;
 		transition:
 			background 0.25s,
@@ -257,7 +257,7 @@
 		padding: 0.75rem;
 		margin: 0 0.75rem 1rem 0;
 		background: none;
-		color: var(--text);
+		color: var(--text-primary);
 		border: 1px solid var(--border-highlight);
 		border-radius: var(--border-radius);
 		box-shadow: none;
@@ -364,7 +364,7 @@
 			top: 0;
 			left: 0;
 			bottom: 0;
-			padding: 0.75rem;
+			padding: 1rem;
 			width: 6rem;
 			border-right: 1px solid var(--border-subtle);
 			overflow-y: auto;
@@ -421,7 +421,7 @@
 		#server-info {
 			position: relative;
 			height: 100%;
-			padding: 0.75rem;
+			padding: 1rem 2rem;
 		}
 	</style>
 	<div id="server-info">

public/signup_login_wall.html

@@ -17,19 +17,9 @@
 		}
 
 		#auth-container {
-			width: 95%;
-			max-height: calc(min(90vh,900px));
-			border-radius: 10px;
 			position: relative;
-			background: var(--bg-lighter);
+			padding: 8em 4em;
-			max-width: 40em;
-			margin: 0 auto;
-			border-radius: calc( var(--border-radius) * 2.5);
-			padding: 2em 1em;
 			overflow-y: scroll;
-
-			transition: all 0.33s ease;
-			animation: zoomsettle 0.4s ease;
 		}
 
 		#signup-tab,
@@ -108,6 +98,10 @@
 						<input id="signup-password" type="password" name="password" required />
 						<label class="placeholder" for="signup-password">password</label>
 					</div>
+					<div>
+						<input id="signup-password-verification" type="password" name="password_verification" required />
+						<label class="placeholder" for="signup-password-verification">verify password</label>
+					</div>
 					<div>
 						<script>
 							APP.on( 'load', () => {

public/tabs/chat/channel_sidebar.html

@@ -159,7 +159,7 @@
 		font-weight: bold;
 		font-size: x-large;
 		content: "#";
-		color: var(--text);
+		color: var(--text-primary);
 	}
 
 	#channel-list-container .channel-list > li.channel a {

public/tabs/chat/chat.css

@@ -131,7 +131,7 @@
 	position: absolute;
 	top: 0.1rem;
 	right: 0.1rem;
-	color: rgb(from var(--text) r g b / 0.7);
+	color: rgb(from var(--text-primary) r g b / 0.7);
 	border: none;
 	z-index: 10;
 }

public/tabs/chat/chat.html

@@ -152,7 +152,8 @@
 				method="POST"
 				class="post-creation-form collapsible"
 				style="
-					margin-top: 1rem
+					position: relative;
+					margin-top: 1rem;
 					width: 100%;
 					transition: all 0.5s;
 				"
@@ -221,6 +222,7 @@
 					reset-on-submit
 					focus-on-submit
 					enter-key-submits
+					accept-speech
 				></textarea>
 
 				<button id="chat-send" class="primary" aria-label="Send a message">

tests/01_create_user.test.ts

@@ -27,10 +27,188 @@ Deno.test({
 			const password_hash = encodeBase64(
 				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
 			);
+			const password_verification_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
 
 			const info = await get_new_user(client, {
 				username,
-				password_hash
+				password_hash,
+				password_verification_hash
+			});
+
+			asserts.assert(info);
+			asserts.assert(info.user);
+			asserts.assert(info.session);
+			asserts.assert(info.headers);
+
+			const user: USER = info.user;
+
+			asserts.assertEquals(user.username, username);
+
+			await delete_user(client, info);
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
+
+Deno.test({
+	name: 'API - USERS - Create (fail on mismatched password verification hash)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+			const password_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
+			const password_verification_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password + '1'))
+			);
+
+			try {
+				const info = await get_new_user(client, {
+					username,
+					password_hash,
+					password_verification_hash
+				});
+
+				asserts.fail('allowed user creation with mismatched password_verification_hash')
+			}
+			catch( error ) {
+				asserts.assert( error );
+			}
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
+
+Deno.test({
+	name: 'API - USERS - Create (mismatched password_verification)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+
+			try {
+				const info = await get_new_user(client, {
+					username,
+					password,
+					password_verification: password + '1'
+				});
+
+				asserts.fail( 'allowed account creation with mismatched password_verification' );
+			}
+			catch( error ) {
+				asserts.assert( error );
+			}
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
+
+Deno.test({
+	name: 'API - USERS - Create (auto-generate password in testing)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+
+			const info = await get_new_user(client, {
+				username,
+			});
+
+			asserts.assert(info);
+			asserts.assert(info.user);
+			asserts.assert(info.session);
+			asserts.assert(info.headers);
+
+			const user: USER = info.user;
+
+			asserts.assertEquals(user.username, username);
+
+			await delete_user(client, info);
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
+
+Deno.test({
+	name: 'API - USERS - Create (auto-generate password_verification in testing)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+
+			const info = await get_new_user(client, {
+				username,
+				password
 			});
 
 			asserts.assert(info);

tests/helpers.ts

@@ -119,6 +119,18 @@ export async function get_new_user(client: API_CLIENT, user_info?: Record<string
 		new_user_request_json.password = `${Math.round(Math.random() * 10)} - ${random_username()} ! ${random_username()}`;
 	}
 
+	if (
+		!((typeof new_user_request_json.password_verification === 'string' && new_user_request_json.password_verification.length) ||
+			(typeof new_user_request_json.password_verification_hash === 'string' && new_user_request_json.password_verification_hash.length))
+	) {
+		if ( typeof new_user_request_json.password === 'string' ) {
+			new_user_request_json.password_verification = new_user_request_json.password;
+		}
+		else if ( typeof new_user_request_json.password_hash === 'string' ) {
+			new_user_request_json.password_verification_hash = new_user_request_json.password_hash;
+		}
+	}
+
 	if (inviting_user_info) {
 		const invite_code = await client.fetch(`/users/${inviting_user_info.user?.id}/invites`, {
 			method: 'POST',

utils/prechecks.ts

@@ -36,10 +36,6 @@ export function require_user(
 	meta: Record<string, any>
 ): undefined | Response {
 	if (!meta.user) {
-		console.dir({
-			require_user: true,
-			meta
-		});
 		return CANNED_RESPONSES.permission_denied();
 	}
 }