Spaces:

andrewelawrence
/

chat

Sleeping

App Files Files Community

Andrew commited on 28 days ago

Commit

a790ffc

1 Parent(s): 6264428

refactor(auth): Replace static password whitelist with database authentication

Browse files

Files changed (1) hide show

src/routes/login/password/+server.ts +31 -82

src/routes/login/password/+server.ts CHANGED Viewed

@@ -1,71 +1,14 @@
-import { error, json } from "@sveltejs/kit";
 import { z } from "zod";
-import { config } from "$lib/server/config";
 import { updateUserSession } from "../callback/userSession";
-import { sha256 } from "$lib/utils/sha256";
-import JSON5 from "json5";
-const sanitizeJSONEnv = (val: string, fallback: string) => {
-	const raw = (val ?? "").trim();
-	const unquoted = raw.startsWith("`") && raw.endsWith("`") ? raw.slice(1, -1) : raw;
-	return unquoted || fallback;
-};
-const parseJSONEnv = (val: string, fallback: string) => {
-	try {
-		return JSON5.parse(sanitizeJSONEnv(val, fallback));
-	} catch (e) {
-		console.warn(`Failed to parse environment variable as JSON5, using fallback: ${fallback}`, e);
-		return JSON5.parse(fallback);
-	}
-};
-interface PasswordCredential {
-	username?: string;
-	email?: string;
-	passwordHash: string; // SHA256 hash
-	name?: string;
-	isAdmin?: boolean;
-	isEarlyAccess?: boolean;
 }
-const passwordWhitelist = z
-	.array(
-		z
-			.object({
-				username: z
-					.preprocess((val) => {
-						if (typeof val !== "string") return val;
-						const trimmed = val.trim();
-						return trimmed.length === 0 ? undefined : trimmed;
-					}, z.string().min(1))
-					.optional(),
-				email: z
-					.preprocess((val) => {
-						if (typeof val !== "string") return val;
-						const trimmed = val.trim();
-						return trimmed.length === 0 ? undefined : trimmed;
-					}, z.string().email())
-					.optional(),
-				passwordHash: z.string().length(64),
-				name: z.string().optional(),
-				isAdmin: z.boolean().optional(),
-				isEarlyAccess: z.boolean().optional(),
-			})
-			.refine((cred) => (cred.username && cred.username.length > 0) || !!cred.email, {
-				message: "Either a non-empty username or an email must be provided",
-				path: ["username"],
-			})
-	)
-	.optional()
-	.default([])
-	.parse(parseJSONEnv(config.PASSWORD_LOGIN_WHITELIST || "[]", "[]")) as PasswordCredential[];
 export async function POST({ request, locals, cookies, getClientAddress }) {
-	if (!passwordWhitelist.length) {
-		throw error(403, "Password login is not configured");
-	}
 	let body: Record<string, unknown> = {};
 	const contentType = request.headers.get("content-type") ?? "";
@@ -84,35 +27,41 @@ export async function POST({ request, locals, cookies, getClientAddress }) {
 		.parse(body);
 	const identifier = username.trim();
-	const passwordHash = await sha256(password);
-	const credential = passwordWhitelist.find((cred) => {
-		if (cred.passwordHash !== passwordHash) {
-			return false;
-		}
-		const matchesUsername = cred.username
-			? cred.username.toLowerCase() === identifier.toLowerCase()
-			: false;
-		const matchesEmail = cred.email ? cred.email.toLowerCase() === identifier.toLowerCase() : false;
-		return matchesUsername || matchesEmail;
 	});
-	if (!credential) {
 		return json({ message: "Invalid username or password" }, { status: 401 });
 	}
-	const authId = (credential.username ?? credential.email ?? identifier).toLowerCase();
-	const displayName = credential.name || credential.username || credential.email || identifier;
 	await updateUserSession({
 		userData: {
 			authProvider: "password",
-			authId,
-			username: credential.username ?? credential.email ?? identifier,
-			name: displayName,
-			email: credential.email,
-			avatarUrl: undefined,
-			isAdmin: credential.isAdmin || false,
-			isEarlyAccess: credential.isEarlyAccess || false,
 		},
 		locals,
 		cookies,

+import { json } from "@sveltejs/kit";
 import { z } from "zod";
 import { updateUserSession } from "../callback/userSession";
+import { collections } from "$lib/server/database";
+import { verifyPassword } from "$lib/server/passwords";
+function escapeRegExp(string: string) {
+	return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 export async function POST({ request, locals, cookies, getClientAddress }) {
 	let body: Record<string, unknown> = {};
 	const contentType = request.headers.get("content-type") ?? "";
 		.parse(body);
 	const identifier = username.trim();
+	// Find user by username or email
+	const user = await collections.users.findOne({
+		$or: [
+			{ username: { $regex: new RegExp(`^${escapeRegExp(identifier)}$`, "i") } },
+			{ email: { $regex: new RegExp(`^${escapeRegExp(identifier)}$`, "i") } },
+		],
 	});
+	if (!user || !user.passwordHash) {
+		return json({ message: "Invalid username or password" }, { status: 401 });
+	}
+	let isValid = false;
+	try {
+		isValid = await verifyPassword(password, user.passwordHash);
+	} catch (e) {
+		console.error("Error verifying password:", e);
 		return json({ message: "Invalid username or password" }, { status: 401 });
 	}
+	if (!isValid) {
+		return json({ message: "Invalid username or password" }, { status: 401 });
+	}
 	await updateUserSession({
 		userData: {
 			authProvider: "password",
+			authId: user.username || user.email || identifier, // Use username as authId if available
+			username: user.username,
+			name: user.name,
+			email: user.email,
+			avatarUrl: user.avatarUrl,
+			isAdmin: user.isAdmin,
+			isEarlyAccess: user.isEarlyAccess,
 		},
 		locals,
 		cookies,