feat:basic auth
This commit is contained in:
@@ -25,6 +25,8 @@
|
|||||||
"@chromatic-com/storybook": "^4.1.1",
|
"@chromatic-com/storybook": "^4.1.1",
|
||||||
"@eslint/compat": "^1.2.5",
|
"@eslint/compat": "^1.2.5",
|
||||||
"@eslint/js": "^9.22.0",
|
"@eslint/js": "^9.22.0",
|
||||||
|
"@oslojs/crypto": "^1.0.1",
|
||||||
|
"@oslojs/encoding": "^1.1.0",
|
||||||
"@storybook/addon-a11y": "^9.1.8",
|
"@storybook/addon-a11y": "^9.1.8",
|
||||||
"@storybook/addon-docs": "^9.1.8",
|
"@storybook/addon-docs": "^9.1.8",
|
||||||
"@storybook/addon-svelte-csf": "^5.0.8",
|
"@storybook/addon-svelte-csf": "^5.0.8",
|
||||||
@@ -53,6 +55,7 @@
|
|||||||
"vite": "^7.0.4"
|
"vite": "^7.0.4"
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
|
"@node-rs/argon2": "^2.0.2",
|
||||||
"postgres": "^3.4.5"
|
"postgres": "^3.4.5"
|
||||||
},
|
},
|
||||||
"pnpm": {
|
"pnpm": {
|
||||||
|
|||||||
16
src/app.d.ts
vendored
16
src/app.d.ts
vendored
@@ -2,12 +2,14 @@
|
|||||||
// for information about these interfaces
|
// for information about these interfaces
|
||||||
declare global {
|
declare global {
|
||||||
namespace App {
|
namespace App {
|
||||||
// interface Error {}
|
interface Locals {
|
||||||
// interface Locals {}
|
user: import('$lib/server/auth').SessionValidationResult['user'];
|
||||||
// interface PageData {}
|
session: import('$lib/server/auth').SessionValidationResult['session'];
|
||||||
// interface PageState {}
|
}
|
||||||
// interface Platform {}
|
} // interface Error {}
|
||||||
}
|
// interface Locals {}
|
||||||
}
|
} // interface PageData {}
|
||||||
|
// interface PageState {}
|
||||||
|
|
||||||
|
// interface Platform {}
|
||||||
export {};
|
export {};
|
||||||
|
|||||||
26
src/hooks.server.ts
Normal file
26
src/hooks.server.ts
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
import type { Handle } from '@sveltejs/kit';
|
||||||
|
import * as auth from '$lib/server/auth';
|
||||||
|
|
||||||
|
const handleAuth: Handle = async ({ event, resolve }) => {
|
||||||
|
const sessionToken = event.cookies.get(auth.sessionCookieName);
|
||||||
|
|
||||||
|
if (!sessionToken) {
|
||||||
|
event.locals.user = null;
|
||||||
|
event.locals.session = null;
|
||||||
|
return resolve(event);
|
||||||
|
}
|
||||||
|
|
||||||
|
const { session, user } = await auth.validateSessionToken(sessionToken);
|
||||||
|
|
||||||
|
if (session) {
|
||||||
|
auth.setSessionTokenCookie(event, sessionToken, session.expiresAt);
|
||||||
|
} else {
|
||||||
|
auth.deleteSessionTokenCookie(event);
|
||||||
|
}
|
||||||
|
|
||||||
|
event.locals.user = user;
|
||||||
|
event.locals.session = session;
|
||||||
|
return resolve(event);
|
||||||
|
};
|
||||||
|
|
||||||
|
export const handle: Handle = handleAuth;
|
||||||
81
src/lib/server/auth.ts
Normal file
81
src/lib/server/auth.ts
Normal file
@@ -0,0 +1,81 @@
|
|||||||
|
import type { RequestEvent } from '@sveltejs/kit';
|
||||||
|
import { eq } from 'drizzle-orm';
|
||||||
|
import { sha256 } from '@oslojs/crypto/sha2';
|
||||||
|
import { encodeBase64url, encodeHexLowerCase } from '@oslojs/encoding';
|
||||||
|
import { db } from '$lib/server/db';
|
||||||
|
import * as table from '$lib/server/db/schema';
|
||||||
|
|
||||||
|
const DAY_IN_MS = 1000 * 60 * 60 * 24;
|
||||||
|
|
||||||
|
export const sessionCookieName = 'auth-session';
|
||||||
|
|
||||||
|
export function generateSessionToken() {
|
||||||
|
const bytes = crypto.getRandomValues(new Uint8Array(18));
|
||||||
|
const token = encodeBase64url(bytes);
|
||||||
|
return token;
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function createSession(token: string, userId: string) {
|
||||||
|
const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
|
||||||
|
const session: table.Session = {
|
||||||
|
id: sessionId,
|
||||||
|
userId,
|
||||||
|
expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
|
||||||
|
};
|
||||||
|
await db.insert(table.session).values(session);
|
||||||
|
return session;
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function validateSessionToken(token: string) {
|
||||||
|
const sessionId = encodeHexLowerCase(sha256(new TextEncoder().encode(token)));
|
||||||
|
const [result] = await db
|
||||||
|
.select({
|
||||||
|
// Adjust user table here to tweak returned data
|
||||||
|
user: { id: table.user.id, username: table.user.username },
|
||||||
|
session: table.session
|
||||||
|
})
|
||||||
|
.from(table.session)
|
||||||
|
.innerJoin(table.user, eq(table.session.userId, table.user.id))
|
||||||
|
.where(eq(table.session.id, sessionId));
|
||||||
|
|
||||||
|
if (!result) {
|
||||||
|
return { session: null, user: null };
|
||||||
|
}
|
||||||
|
const { session, user } = result;
|
||||||
|
|
||||||
|
const sessionExpired = Date.now() >= session.expiresAt.getTime();
|
||||||
|
if (sessionExpired) {
|
||||||
|
await db.delete(table.session).where(eq(table.session.id, session.id));
|
||||||
|
return { session: null, user: null };
|
||||||
|
}
|
||||||
|
|
||||||
|
const renewSession = Date.now() >= session.expiresAt.getTime() - DAY_IN_MS * 15;
|
||||||
|
if (renewSession) {
|
||||||
|
session.expiresAt = new Date(Date.now() + DAY_IN_MS * 30);
|
||||||
|
await db
|
||||||
|
.update(table.session)
|
||||||
|
.set({ expiresAt: session.expiresAt })
|
||||||
|
.where(eq(table.session.id, session.id));
|
||||||
|
}
|
||||||
|
|
||||||
|
return { session, user };
|
||||||
|
}
|
||||||
|
|
||||||
|
export type SessionValidationResult = Awaited<ReturnType<typeof validateSessionToken>>;
|
||||||
|
|
||||||
|
export async function invalidateSession(sessionId: string) {
|
||||||
|
await db.delete(table.session).where(eq(table.session.id, sessionId));
|
||||||
|
}
|
||||||
|
|
||||||
|
export function setSessionTokenCookie(event: RequestEvent, token: string, expiresAt: Date) {
|
||||||
|
event.cookies.set(sessionCookieName, token, {
|
||||||
|
expires: expiresAt,
|
||||||
|
path: '/'
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export function deleteSessionTokenCookie(event: RequestEvent) {
|
||||||
|
event.cookies.delete(sessionCookieName, {
|
||||||
|
path: '/'
|
||||||
|
});
|
||||||
|
}
|
||||||
@@ -1,6 +1,20 @@
|
|||||||
import { pgTable, serial, integer } from 'drizzle-orm/pg-core';
|
import { pgTable, serial, integer, text, timestamp } from 'drizzle-orm/pg-core';
|
||||||
|
|
||||||
export const user = pgTable('user', {
|
export const user = pgTable('user', {
|
||||||
id: serial('id').primaryKey(),
|
id: text('id').primaryKey(),
|
||||||
age: integer('age')
|
age: integer('age'),
|
||||||
|
username: text('username').notNull().unique(),
|
||||||
|
passwordHash: text('password_hash').notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const session = pgTable('session', {
|
||||||
|
id: text('id').primaryKey(),
|
||||||
|
userId: text('user_id')
|
||||||
|
.notNull()
|
||||||
|
.references(() => user.id),
|
||||||
|
expiresAt: timestamp('expires_at', { withTimezone: true, mode: 'date' }).notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export type Session = typeof session.$inferSelect;
|
||||||
|
|
||||||
|
export type User = typeof user.$inferSelect;
|
||||||
|
|||||||
1
src/routes/demo/+page.svelte
Normal file
1
src/routes/demo/+page.svelte
Normal file
@@ -0,0 +1 @@
|
|||||||
|
<a href="/demo/lucia">lucia</a>
|
||||||
31
src/routes/demo/lucia/+page.server.ts
Normal file
31
src/routes/demo/lucia/+page.server.ts
Normal file
@@ -0,0 +1,31 @@
|
|||||||
|
import * as auth from '$lib/server/auth';
|
||||||
|
import { fail, redirect } from '@sveltejs/kit';
|
||||||
|
import { getRequestEvent } from '$app/server';
|
||||||
|
import type { Actions, PageServerLoad } from './$types';
|
||||||
|
|
||||||
|
export const load: PageServerLoad = async () => {
|
||||||
|
const user = requireLogin();
|
||||||
|
return { user };
|
||||||
|
};
|
||||||
|
|
||||||
|
export const actions: Actions = {
|
||||||
|
logout: async (event) => {
|
||||||
|
if (!event.locals.session) {
|
||||||
|
return fail(401);
|
||||||
|
}
|
||||||
|
await auth.invalidateSession(event.locals.session.id);
|
||||||
|
auth.deleteSessionTokenCookie(event);
|
||||||
|
|
||||||
|
return redirect(302, '/demo/lucia/login');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function requireLogin() {
|
||||||
|
const { locals } = getRequestEvent();
|
||||||
|
|
||||||
|
if (!locals.user) {
|
||||||
|
return redirect(302, '/demo/lucia/login');
|
||||||
|
}
|
||||||
|
|
||||||
|
return locals.user;
|
||||||
|
}
|
||||||
12
src/routes/demo/lucia/+page.svelte
Normal file
12
src/routes/demo/lucia/+page.svelte
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
<script lang="ts">
|
||||||
|
import { enhance } from '$app/forms';
|
||||||
|
import type { PageServerData } from './$types';
|
||||||
|
|
||||||
|
let { data }: { data: PageServerData } = $props();
|
||||||
|
</script>
|
||||||
|
|
||||||
|
<h1>Hi, {data.user.username}!</h1>
|
||||||
|
<p>Your user ID is {data.user.id}.</p>
|
||||||
|
<form method="post" action="?/logout" use:enhance>
|
||||||
|
<button>Sign out</button>
|
||||||
|
</form>
|
||||||
107
src/routes/demo/lucia/login/+page.server.ts
Normal file
107
src/routes/demo/lucia/login/+page.server.ts
Normal file
@@ -0,0 +1,107 @@
|
|||||||
|
import { hash, verify } from '@node-rs/argon2';
|
||||||
|
import { encodeBase32LowerCase } from '@oslojs/encoding';
|
||||||
|
import { fail, redirect } from '@sveltejs/kit';
|
||||||
|
import { eq } from 'drizzle-orm';
|
||||||
|
import * as auth from '$lib/server/auth';
|
||||||
|
import { db } from '$lib/server/db';
|
||||||
|
import * as table from '$lib/server/db/schema';
|
||||||
|
import type { Actions, PageServerLoad } from './$types';
|
||||||
|
|
||||||
|
export const load: PageServerLoad = async (event) => {
|
||||||
|
if (event.locals.user) {
|
||||||
|
return redirect(302, '/demo/lucia');
|
||||||
|
}
|
||||||
|
return {};
|
||||||
|
};
|
||||||
|
|
||||||
|
export const actions: Actions = {
|
||||||
|
login: async (event) => {
|
||||||
|
const formData = await event.request.formData();
|
||||||
|
const username = formData.get('username');
|
||||||
|
const password = formData.get('password');
|
||||||
|
|
||||||
|
if (!validateUsername(username)) {
|
||||||
|
return fail(400, {
|
||||||
|
message: 'Invalid username (min 3, max 31 characters, alphanumeric only)'
|
||||||
|
});
|
||||||
|
}
|
||||||
|
if (!validatePassword(password)) {
|
||||||
|
return fail(400, { message: 'Invalid password (min 6, max 255 characters)' });
|
||||||
|
}
|
||||||
|
|
||||||
|
const results = await db.select().from(table.user).where(eq(table.user.username, username));
|
||||||
|
|
||||||
|
const existingUser = results.at(0);
|
||||||
|
if (!existingUser) {
|
||||||
|
return fail(400, { message: 'Incorrect username or password' });
|
||||||
|
}
|
||||||
|
|
||||||
|
const validPassword = await verify(existingUser.passwordHash, password, {
|
||||||
|
memoryCost: 19456,
|
||||||
|
timeCost: 2,
|
||||||
|
outputLen: 32,
|
||||||
|
parallelism: 1
|
||||||
|
});
|
||||||
|
if (!validPassword) {
|
||||||
|
return fail(400, { message: 'Incorrect username or password' });
|
||||||
|
}
|
||||||
|
|
||||||
|
const sessionToken = auth.generateSessionToken();
|
||||||
|
const session = await auth.createSession(sessionToken, existingUser.id);
|
||||||
|
auth.setSessionTokenCookie(event, sessionToken, session.expiresAt);
|
||||||
|
|
||||||
|
return redirect(302, '/demo/lucia');
|
||||||
|
},
|
||||||
|
register: async (event) => {
|
||||||
|
const formData = await event.request.formData();
|
||||||
|
const username = formData.get('username');
|
||||||
|
const password = formData.get('password');
|
||||||
|
|
||||||
|
if (!validateUsername(username)) {
|
||||||
|
return fail(400, { message: 'Invalid username' });
|
||||||
|
}
|
||||||
|
if (!validatePassword(password)) {
|
||||||
|
return fail(400, { message: 'Invalid password' });
|
||||||
|
}
|
||||||
|
|
||||||
|
const userId = generateUserId();
|
||||||
|
const passwordHash = await hash(password, {
|
||||||
|
// recommended minimum parameters
|
||||||
|
memoryCost: 19456,
|
||||||
|
timeCost: 2,
|
||||||
|
outputLen: 32,
|
||||||
|
parallelism: 1
|
||||||
|
});
|
||||||
|
|
||||||
|
try {
|
||||||
|
await db.insert(table.user).values({ id: userId, username, passwordHash });
|
||||||
|
|
||||||
|
const sessionToken = auth.generateSessionToken();
|
||||||
|
const session = await auth.createSession(sessionToken, userId);
|
||||||
|
auth.setSessionTokenCookie(event, sessionToken, session.expiresAt);
|
||||||
|
} catch {
|
||||||
|
return fail(500, { message: 'An error has occurred' });
|
||||||
|
}
|
||||||
|
return redirect(302, '/demo/lucia');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function generateUserId() {
|
||||||
|
// ID with 120 bits of entropy, or about the same as UUID v4.
|
||||||
|
const bytes = crypto.getRandomValues(new Uint8Array(15));
|
||||||
|
const id = encodeBase32LowerCase(bytes);
|
||||||
|
return id;
|
||||||
|
}
|
||||||
|
|
||||||
|
function validateUsername(username: unknown): username is string {
|
||||||
|
return (
|
||||||
|
typeof username === 'string' &&
|
||||||
|
username.length >= 3 &&
|
||||||
|
username.length <= 31 &&
|
||||||
|
/^[a-z0-9_-]+$/.test(username)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
function validatePassword(password: unknown): password is string {
|
||||||
|
return typeof password === 'string' && password.length >= 6 && password.length <= 255;
|
||||||
|
}
|
||||||
21
src/routes/demo/lucia/login/+page.svelte
Normal file
21
src/routes/demo/lucia/login/+page.svelte
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
<script lang="ts">
|
||||||
|
import { enhance } from '$app/forms';
|
||||||
|
import type { ActionData } from './$types';
|
||||||
|
|
||||||
|
let { form }: { form: ActionData } = $props();
|
||||||
|
</script>
|
||||||
|
|
||||||
|
<h1>Login/Register</h1>
|
||||||
|
<form method="post" action="?/login" use:enhance>
|
||||||
|
<label>
|
||||||
|
Username
|
||||||
|
<input name="username" />
|
||||||
|
</label>
|
||||||
|
<label>
|
||||||
|
Password
|
||||||
|
<input type="password" name="password" />
|
||||||
|
</label>
|
||||||
|
<button>Login</button>
|
||||||
|
<button formaction="?/register">Register</button>
|
||||||
|
</form>
|
||||||
|
<p style="color: red">{form?.message ?? ''}</p>
|
||||||
Reference in New Issue
Block a user