Merge branch 'develop' into db-store

2026-02-04 08:41:17 +01:00 · 2025-04-03 18:12:07 -04:00
parent 0f35d4a445 96a1199fff
commit 9dc35c80c5
25 changed files with 1469 additions and 172 deletions
--- a/server/api/v1/auth/signin/simple.post.ts
+++ b/server/api/v1/auth/signin/simple.post.ts
@@ -1,7 +1,11 @@
 import { AuthMec } from "@prisma/client";
 import { JsonArray } from "@prisma/client/runtime/library";
+import { type } from "arktype";
 import prisma from "~/server/internal/db/database";
-import { checkHash } from "~/server/internal/security/simple";
+import {
+  checkHashArgon2,
+  checkHashBcrypt,
+} from "~/server/internal/security/simple";
 import sessionHandler from "~/server/internal/session";

 export default defineEventHandler(async (h3) => {
@@ -19,10 +23,10 @@ export default defineEventHandler(async (h3) => {
  const authMek = await prisma.linkedAuthMec.findFirst({
    where: {
      mec: AuthMec.Simple,
-      credentials: {
-        array_starts_with: username,
-      },
      enabled: true,
+      user: {
+        username,
+      },
    },
    include: {
      user: {
@@ -39,17 +43,46 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Invalid username or password.",
    });

-  const credentials = authMek.credentials as JsonArray;
-  const hash = credentials.at(1);
-
-  if (!hash || !authMek.user.enabled)
+  if (!authMek.user.enabled)
    throw createError({
      statusCode: 403,
      statusMessage:
        "Invalid or disabled account. Please contact the server administrator.",
    });

-  if (!(await checkHash(password, hash.toString())))
+  // LEGACY bcrypt
+  if (authMek.version == 1) {
+    const credentials = authMek.credentials as JsonArray | null;
+    const hash = credentials?.at(1)?.toString();
+
+    if (!hash)
+      throw createError({
+        statusCode: 403,
+        statusMessage:
+          "Invalid password state. Please contact the server administrator.",
+      });
+
+    if (!(await checkHashBcrypt(password, hash)))
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Invalid username or password.",
+      });
+
+    // TODO: send user to forgot password screen or something to force them to change their password to new system
+    await sessionHandler.setUserId(h3, authMek.userId, rememberMe);
+    return { result: true, userId: authMek.userId };
+  }
+
+  // V2: argon2
+  const hash = authMek.credentials as string | undefined;
+  if (!hash || typeof hash !== "string")
+    throw createError({
+      statusCode: 500,
+      statusMessage:
+        "Invalid password state. Please contact the server administrator.",
+    });
+
+  if (!(await checkHashArgon2(password, hash)))
    throw createError({
      statusCode: 401,
      statusMessage: "Invalid username or password.",
--- a/server/api/v1/auth/signup/simple.post.ts
+++ b/server/api/v1/auth/signup/simple.post.ts
@@ -1,12 +1,20 @@
 import { AuthMec, Invitation } from "@prisma/client";
 import prisma from "~/server/internal/db/database";
-import { createHash } from "~/server/internal/security/simple";
+import {
+  createHashArgon2,
+} from "~/server/internal/security/simple";
 import { v4 as uuidv4 } from "uuid";
 import * as jdenticon from "jdenticon";
 import objectHandler from "~/server/internal/objects";
+import { type } from "arktype";
+import { writeNonLiteralDefaultMessage } from "arktype/internal/parser/shift/operator/default.ts";

-// Only really a simple test, in case people mistype their emails
-const mailRegex = /^\S+@\S+\.\S+$/;
+const userValidator = type({
+  username: "string >= 5",
+  email: "string.email",
+  password: "string >= 14",
+  "displayName?": "string | undefined",
+});

 export default defineEventHandler(async (h3) => {
  const body = await readBody(h3);
@@ -27,59 +35,24 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Invalid or expired invitation.",
    });

-  const useInvitationOrBodyRequirement = (
-    field: keyof Invitation,
-    check: (v: string) => boolean
-  ) => {
-    if (invitation[field]) {
-      return invitation[field].toString();
-    }
+  const user = userValidator(body);
+  if (user instanceof type.errors) {
+    // hover out.summary to see validation errors
+    console.error(user.summary);

-    const v: string = body[field]?.toString();
-    const valid = check(v);
-    return valid ? v : undefined;
-  };
-
-  const username = useInvitationOrBodyRequirement(
-    "username",
-    (e) => e.length >= 5
-  );
-  const email = useInvitationOrBodyRequirement("email", (e) =>
-    mailRegex.test(e)
-  );
-  const password = body.password;
-  const displayName = body.displayName || username;
-
-  if (username === undefined)
    throw createError({
      statusCode: 400,
-      statusMessage: "Username is invalid. Must be more than 5 characters.",
-    });
-  if (username.toLowerCase() != username)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Username must be all lowercase",
+      statusMessage: user.summary,
    });
+  }

-  if (email === undefined)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid email. Must follow the format you@example.com",
-    });
+  // reuse items from invite
+  if (invitation.username !== null) user.username = invitation.username;
+  if (invitation.email !== null) user.email = invitation.email;

-  if (!password)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Password empty or missing.",
-    });
-
-  if (password.length < 14)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Password must be 14 or more characters.",
-    });
-
-  const existing = await prisma.user.count({ where: { username: username } });
+  const existing = await prisma.user.count({
+    where: { username: user.username },
+  });
  if (existing > 0)
    throw createError({
      statusCode: 400,
@@ -91,30 +64,33 @@ export default defineEventHandler(async (h3) => {
  const profilePictureId = uuidv4();
  await objectHandler.createFromSource(
    profilePictureId,
-    async () => jdenticon.toPng(username, 256),
+    async () => jdenticon.toPng(user.username, 256),
    {},
    [`internal:read`, `${userId}:write`]
  );
-  const user = await prisma.user.create({
-    data: {
-      username,
-      displayName,
-      email,
-      profilePicture: profilePictureId,
-      admin: invitation.isAdmin,
-    },
-  });
+  const [linkMec] = await prisma.$transaction([
+    prisma.linkedAuthMec.create({
+      data: {
+        mec: AuthMec.Simple,
+        credentials: await createHashArgon2(user.password),
+        version: 2,
+        user: {
+          create: {
+            id: userId,
+            username: user.username,
+            displayName: user.displayName ?? user.username,
+            email: user.email,
+            profilePicture: profilePictureId,
+            admin: invitation.isAdmin,
+          },
+        },
+      },
+      select: {
+        user: true,
+      },
+    }),
+    prisma.invitation.delete({ where: { id: invitationId } }),
+  ]);

-  const hash = await createHash(password);
-  await prisma.linkedAuthMec.create({
-    data: {
-      mec: AuthMec.Simple,
-      credentials: [username, hash],
-      userId: user.id,
-    },
-  });
-
-  await prisma.invitation.delete({ where: { id: invitationId } });
-
-  return user;
+  return linkMec.user;
 });
--- a/server/internal/security/simple.ts
+++ b/server/internal/security/simple.ts
@@ -1,11 +1,15 @@
-import bcrypt from 'bcryptjs';
+import bcrypt from "bcryptjs";
+import * as argon2 from "argon2";
+import { type } from "arktype";

-const rounds = 10;
-
-export async function createHash(password: string) {
-    return bcrypt.hashSync(password, rounds);
+export async function checkHashBcrypt(password: string, hash: string) {
+  return await bcrypt.compare(password, hash);
 }

-export async function checkHash(password: string, hash: string) {
-    return bcrypt.compareSync(password, hash);
-}
+export async function createHashArgon2(password: string) {
+  return await argon2.hash(password);
+}
+
+export async function checkHashArgon2(password: string, hash: string) {
+  return await argon2.verify(hash, password);
+}
--- a/server/internal/utils/parseplatform.ts
+++ b/server/internal/utils/parseplatform.ts
@@ -1,16 +1,13 @@
 import { Platform } from "@prisma/client";

 export function parsePlatform(platform: string) {
-  switch (platform) {
+  switch (platform.toLowerCase()) {
    case "linux":
-    case "Linux":
      return Platform.Linux;
    case "windows":
-    case "Windows":
      return Platform.Windows;
-    case "macOS":
-    case "MacOS":
    case "mac":
+    case "macos":
      return Platform.macOS;
  }

--- a/server/plugins/redirect.ts
+++ b/server/plugins/redirect.ts
@@ -18,7 +18,7 @@ export default defineNitroPlugin((nitro) => {
        if (userId) break;
        return sendRedirect(
          event,
-          `/signin?redirect=${encodeURIComponent(event.path)}`
+          `/auth/signin?redirect=${encodeURIComponent(event.path)}`
        );
    }
  });
--- a/server/routes/signout.get.ts
+++ b/server/routes/signout.get.ts
@@ -3,5 +3,5 @@ import sessionHandler from "../internal/session";
 export default defineEventHandler(async (h3) => {
  await sessionHandler.clearSession(h3);

-  return sendRedirect(h3, "/signin");
+  return sendRedirect(h3, "/auth/signin");
 });
--- a/server/tsconfig.json
+++ b/server/tsconfig.json
@@ -1,3 +1,6 @@
 {
-  "extends": "../.nuxt/tsconfig.server.json"
+  "extends": "../.nuxt/tsconfig.server.json",
+  "compilerOptions": {
+    "exactOptionalPropertyTypes": true
+  }
 }