boredgame/src/routes/(auth)/login/+page.server.ts

import { fail, error, type Actions } from '@sveltejs/kit';
import { and, eq } from 'drizzle-orm';
import { Argon2id } from 'oslo/password';
import { decodeHex } from 'oslo/encoding';
import { TOTPController } from 'oslo/otp';
import { zod } from 'sveltekit-superforms/adapters';
import { setError, superValidate } from 'sveltekit-superforms/server';
import { redirect } from 'sveltekit-flash-message/server';
import { RateLimiter } from 'sveltekit-rate-limiter/server';
import db from '$lib/drizzle';
import { lucia } from '$lib/server/auth';
import { signInSchema } from '$lib/validations/auth';
import { users, recovery_codes } from '../../../schema';
import type { PageServerLoad } from './$types';

export const load: PageServerLoad = async (event) => {
	if (event.locals.user) {
		const message = { type: 'success', message: 'You are already signed in' } as const;
		throw redirect('/', message, event);
	}

	const form = await superValidate(event, zod(signInSchema));

	return {
		form,
	};
};

const limiter = new RateLimiter({
	// A rate is defined by [number, unit]
	IPUA: [5, 'm'],
});

export const actions: Actions = {
	default: async (event) => {
		if (await limiter.isLimited(event)) {
			throw error(429);
		}

		const { locals } = event;
		const form = await superValidate(event, zod(signInSchema));

		if (!form.valid) {
			form.data.password = '';
			return fail(400, {
				form,
			});
		}

		let session;
		let sessionCookie;
		try {
			const password = form.data.password;

			const user = await db.query.users.findFirst({
				where: eq(users.username, form.data.username),
			});

			console.log('user', JSON.stringify(user, null, 2));

			if (!user?.hashed_password) {
				form.data.password = '';
				return setError(form, '', 'Your username or password is incorrect.');
			}

			const validPassword = await new Argon2id().verify(user.hashed_password, password);
			if (!validPassword) {
				console.log('invalid password');
				form.data.password = '';
				return setError(form, '', 'Your username or password is incorrect.');
			}

			// await db
			// 	.insert(collections)
			// 	.values({
			// 		user_id: user.id,
			// 	})
			// 	.onConflictDoNothing();
			// await db
			// 	.insert(wishlists)
			// 	.values({
			// 		user_id: user.id,
			// 	})
			// 	.onConflictDoNothing();

			if (user?.two_factor_enabled && user?.two_factor_secret && !form?.data?.totpToken) {
				return fail(400, {
					form,
					twoFactorRequired: true,
				});
			} else if (user?.two_factor_enabled && user?.two_factor_secret && form?.data?.totpToken) {
				console.log('totpToken', form.data.totpToken);
				const validOTP = await new TOTPController().verify(
					form.data.totpToken,
					decodeHex(user.two_factor_secret),
				);
				console.log('validOTP', validOTP);

				if (!validOTP) {
					console.log('invalid TOTP code check for recovery codes');
					const usedRecoveryCode = await checkRecoveryCode(form?.data?.totpToken, user.id);
					if (!usedRecoveryCode) {
						console.log('invalid TOTP code');
						form.errors.totpToken = ['Invalid code'];
						return fail(400, {
							form,
							twoFactorRequired: true,
						});
					}
				}
			}
			console.log('ip', locals.ip);
			console.log('country', locals.country);
			session = await lucia.createSession(user.id, {
				ip_country: locals.country,
				ip_address: locals.ip,
			});
			console.log('logging in session', session);
			sessionCookie = lucia.createSessionCookie(session.id);
			console.log('logging in session cookie', sessionCookie);
		} catch (e) {
			// TODO: need to return error message to the client
			console.error(e);
			form.data.password = '';
			return setError(form, '', 'Your username or password is incorrect.');
		}

		console.log('setting session cookie', sessionCookie);
		event.cookies.set(sessionCookie.name, sessionCookie.value, {
			path: '.',
			...sessionCookie.attributes,
		});

		form.data.username = '';
		form.data.password = '';
		const message = { type: 'success', message: 'Signed In!' } as const;
		redirect(302, '/', message, event);
	},
};

async function checkRecoveryCode(recoveryCode: string, userId: string) {
	const userRecoveryCodes = await db.query.recovery_codes.findMany({
		where: and(eq(recovery_codes.used, false), eq(recovery_codes.userId, userId)),
	});
	for (const code of userRecoveryCodes) {
		const validRecoveryCode = await new Argon2id().verify(code.code, recoveryCode);
		if (validRecoveryCode) {
			await db
				.update(recovery_codes)
				.set({
					used: true,
				})
				.where(eq(recovery_codes.id, code.id));
			return true;
		}
	}
	return false;
}
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`import { fail, error, type Actions } from '@sveltejs/kit';`
Changing search to currently just search by like. Adding functions to get order by and direction based on search inputs. 2024-04-28 02:52:57 +00:00			`import { and, eq } from 'drizzle-orm';`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`import { Argon2id } from 'oslo/password';`
			`import { decodeHex } from 'oslo/encoding';`
			`import { TOTPController } from 'oslo/otp';`
Moving validations to separate folder, upgrading superforms v2, and shadcn components. 2024-02-26 06:59:29 +00:00			`import { zod } from 'sveltekit-superforms/adapters';`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`import { setError, superValidate } from 'sveltekit-superforms/server';`
Rename db folder to server, remove levelup dependencies, add sveltekit flash message, add toast library, and use both on signup. 2023-07-30 23:31:39 +00:00			`import { redirect } from 'sveltekit-flash-message/server';`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`import { RateLimiter } from 'sveltekit-rate-limiter/server';`
Fixing signup creation of lists. 2024-02-08 03:37:54 +00:00			`import db from '$lib/drizzle';`
Fixing update password and sign out redirect. 2024-03-02 01:17:13 +00:00			`import { lucia } from '$lib/server/auth';`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`import { signInSchema } from '$lib/validations/auth';`
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00			`import { users, recovery_codes } from '../../../schema';`
Moving drizzle from MySQL to Postgres because more features exist there I like and am used to. 2024-02-09 02:56:09 +00:00			`import type { PageServerLoad } from './$types';`
Adding auth to the site. 2023-05-21 05:18:04 +00:00
Adding explicit types to load and actions, adding the page indicator from Syntax.fm, and hex for that color. 2023-11-05 06:20:34 +00:00			`export const load: PageServerLoad = async (event) => {`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`if (event.locals.user) {`
Fixing update password and sign out redirect. 2024-03-02 01:17:13 +00:00			`const message = { type: 'success', message: 'You are already signed in' } as const;`
Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`throw redirect('/', message, event);`
Fixing prisma issues by removing from locals and just using as singleton import. Upgrading libraries. 2023-11-05 00:03:28 +00:00			`}`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00
Adding password reset tokens and API routes for creating and verifying token. 2024-03-02 02:00:27 +00:00			`const form = await superValidate(event, zod(signInSchema));`

Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`return {`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`form,`
Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`};`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`};`

Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`const limiter = new RateLimiter({`
			`// A rate is defined by [number, unit]`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`IPUA: [5, 'm'],`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`});`

Adding explicit types to load and actions, adding the page indicator from Syntax.fm, and hex for that color. 2023-11-05 06:20:34 +00:00			`export const actions: Actions = {`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`default: async (event) => {`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`if (await limiter.isLimited(event)) {`
			`throw error(429);`
			`}`

Updating auth logic for v3 lucia, fixing types, upgrading dependencies. 2023-12-20 01:54:39 +00:00			`const { locals } = event;`
Moving validations to separate folder, upgrading superforms v2, and shadcn components. 2024-02-26 06:59:29 +00:00			`const form = await superValidate(event, zod(signInSchema));`
Adding auth to the site. 2023-05-21 05:18:04 +00:00
			`if (!form.valid) {`
Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.password = '';`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`return fail(400, {`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`form,`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`});`
			`}`

Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`let session;`
			`let sessionCookie;`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`try {`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`const password = form.data.password;`
Comment out collection until I can fix it. Rewrite wishlist, create users with the default role, add seed roles, update the user with the default role if they don't have it. And other things. 2023-06-16 06:28:49 +00:00
Fixing signup creation of lists. 2024-02-08 03:37:54 +00:00			`const user = await db.query.users.findFirst({`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`where: eq(users.username, form.data.username),`
Comment out collection until I can fix it. Rewrite wishlist, create users with the default role, add seed roles, update the user with the default role if they don't have it. And other things. 2023-06-16 06:28:49 +00:00			`});`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('user', JSON.stringify(user, null, 2));`

Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`if (!user?.hashed_password) {`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`form.data.password = '';`
			`return setError(form, '', 'Your username or password is incorrect.');`
			`}`

			`const validPassword = await new Argon2id().verify(user.hashed_password, password);`
			`if (!validPassword) {`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('invalid password');`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`form.data.password = '';`
			`return setError(form, '', 'Your username or password is incorrect.');`
Adding APIs for different actions to consume down the line in refactor. 2023-07-18 21:23:45 +00:00			`}`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00			`// await db`
			`// .insert(collections)`
			`// .values({`
			`// user_id: user.id,`
			`// })`
			`// .onConflictDoNothing();`
			`// await db`
			`// .insert(wishlists)`
			`// .values({`
			`// user_id: user.id,`
			`// })`
			`// .onConflictDoNothing();`
Updating schema to have more foreign key constraints in line with prisma migration and primary key on join tables. 2024-02-19 08:22:05 +00:00
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`if (user?.two_factor_enabled && user?.two_factor_secret && !form?.data?.totpToken) {`
Manually adding totp error and converting to use shadcn form on login. 2024-04-09 00:47:54 +00:00			`return fail(400, {`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`form,`
Manually adding totp error and converting to use shadcn form on login. 2024-04-09 00:47:54 +00:00			`twoFactorRequired: true,`
			`});`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`} else if (user?.two_factor_enabled && user?.two_factor_secret && form?.data?.totpToken) {`
			`console.log('totpToken', form.data.totpToken);`
			`const validOTP = await new TOTPController().verify(`
			`form.data.totpToken,`
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00			`decodeHex(user.two_factor_secret),`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`);`
			`console.log('validOTP', validOTP);`
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`if (!validOTP) {`
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00			`console.log('invalid TOTP code check for recovery codes');`
			`const usedRecoveryCode = await checkRecoveryCode(form?.data?.totpToken, user.id);`
			`if (!usedRecoveryCode) {`
			`console.log('invalid TOTP code');`
			`form.errors.totpToken = ['Invalid code'];`
			`return fail(400, {`
			`form,`
			`twoFactorRequired: true,`
			`});`
			`}`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`}`
			`}`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('ip', locals.ip);`
			`console.log('country', locals.country);`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`session = await lucia.createSession(user.id, {`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`ip_country: locals.country,`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`ip_address: locals.ip,`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`});`
Fixing linting issues. 2024-03-11 06:19:55 +00:00			`console.log('logging in session', session);`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`sessionCookie = lucia.createSessionCookie(session.id);`
Fixing linting issues. 2024-03-11 06:19:55 +00:00			`console.log('logging in session cookie', sessionCookie);`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`} catch (e) {`
			`// TODO: need to return error message to the client`
			`console.error(e);`
Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.password = '';`
Alert on login failure and starting light/dark mode change. 2023-07-01 23:12:17 +00:00			`return setError(form, '', 'Your username or password is incorrect.');`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`}`
Updating auth logic for v3 lucia, fixing types, upgrading dependencies. 2023-12-20 01:54:39 +00:00
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`console.log('setting session cookie', sessionCookie);`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`event.cookies.set(sessionCookie.name, sessionCookie.value, {`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`path: '.',`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`...sessionCookie.attributes,`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`});`

Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.username = '';`
			`form.data.password = '';`
Fixing update password and sign out redirect. 2024-03-02 01:17:13 +00:00			`const message = { type: 'success', message: 'Signed In!' } as const;`
Fixing linting issues. 2024-03-11 06:19:55 +00:00			`redirect(302, '/', message, event);`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`},`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`};`
Usage of TOTP Code or Recovery code on login. If recovery code then mark that code as used. Setup disabling of 2FA if a current password is entered. 2024-04-12 00:17:45 +00:00
			`async function checkRecoveryCode(recoveryCode: string, userId: string) {`
			`const userRecoveryCodes = await db.query.recovery_codes.findMany({`
			`where: and(eq(recovery_codes.used, false), eq(recovery_codes.userId, userId)),`
			`});`
			`for (const code of userRecoveryCodes) {`
			`const validRecoveryCode = await new Argon2id().verify(code.code, recoveryCode);`
			`if (validRecoveryCode) {`
			`await db`
			`.update(recovery_codes)`
			`.set({`
			`used: true,`
			`})`
			`.where(eq(recovery_codes.id, code.id));`
			`return true;`
			`}`
			`}`
			`return false;`
			`}`