boredgame/src/routes/(auth)/login/+page.server.ts

import { fail, type Actions } from '@sveltejs/kit';
import { eq, or } from 'drizzle-orm';
import { Argon2id } from 'oslo/password';
import { zod } from 'sveltekit-superforms/adapters';
import { setError, superValidate } from 'sveltekit-superforms/server';
import { redirect } from 'sveltekit-flash-message/server';
import { RateLimiter } from 'sveltekit-rate-limiter/server';
import db from '../../../db';
import { lucia } from '$lib/server/auth';
import { twoFactor, usersTable, type Users } from '$db/schema';
import type { PageServerLoad } from './$types';
import {signinUsernameDto} from "$lib/dtos/signin-username.dto";

export const load: PageServerLoad = async (event) => {
	const { locals } = event;

	const authedUser = await locals.getAuthedUser();

	if (authedUser) {
		const message = { type: 'success', message: 'You are already signed in' } as const;
		throw redirect('/', message, event);
	}

	// if (userFullyAuthenticated(user, session)) {
	// 	const message = { type: 'success', message: 'You are already signed in' } as const;
	// 	throw redirect('/', message, event);
	// } else if (userNotFullyAuthenticated(user, session)) {
	// 	await lucia.invalidateSession(locals.session!.id!);
	// 	const sessionCookie = lucia.createBlankSessionCookie();
	// 	cookies.set(sessionCookie.name, sessionCookie.value, {
	// 		path: '.',
	// 		...sessionCookie.attributes,
	// 	});
	// }
	const form = await superValidate(event, zod(signinUsernameDto));

	return {
		form,
	};
};

export const actions: Actions = {
	default: async (event) => {
		// if (await limiter.isLimited(event)) {
		// 	throw error(429);
		// }

		const { locals } = event;

		const authedUser = await locals.getAuthedUser();

		if (authedUser) {
			const message = { type: 'success', message: 'You are already signed in' } as const;
			throw redirect('/', message, event);
		}

		const form = await superValidate(event, zod(signinUsernameDto));

		const { error } = await locals.api.login.$post({ json: form.data }).then(locals.parseApiResponse);
		if (error) return setError(form, 'username', error);

		if (!form.valid) {
			form.data.password = '';
			return fail(400, {
				form,
			});
		}

		let session;
		let sessionCookie;
		const user: Users | undefined = await db.query.usersTable.findFirst({
			where: or(eq(usersTable.username, form.data.username), eq(usersTable.email, form.data.username)),
		});

		if (!user) {
			form.data.password = '';
			return setError(form, 'username', 'Your username or password is incorrect.');
		}

		let twoFactorDetails;

		try {
			const password = form.data.password;
			console.log('user', JSON.stringify(user, null, 2));

			if (!user?.hashed_password) {
				console.log('invalid username/password');
				form.data.password = '';
				return setError(form, 'password', 'Your username or password is incorrect.');
			}

			const validPassword = await new Argon2id().verify(user.hashed_password, password);
			if (!validPassword) {
				console.log('invalid password');
				form.data.password = '';
				return setError(form, 'password', 'Your username or password is incorrect.');
			}

			console.log('ip', locals.ip);
			console.log('country', locals.country);

			twoFactorDetails = await db.query.twoFactor.findFirst({
				where: eq(twoFactor.userId, user?.id),
			});

			if (twoFactorDetails?.secret && twoFactorDetails?.enabled) {
				await db.update(twoFactor).set({
					initiatedTime: new Date(),
				});

				session = await lucia.createSession(user.id, {
					ip_country: locals.country,
					ip_address: locals.ip,
					twoFactorAuthEnabled:
						twoFactorDetails?.enabled &&
						twoFactorDetails?.secret !== null &&
						twoFactorDetails?.secret !== '',
					isTwoFactorAuthenticated: false,
				});
			} else {
				session = await lucia.createSession(user.id, {
					ip_country: locals.country,
					ip_address: locals.ip,
					twoFactorAuthEnabled: false,
					isTwoFactorAuthenticated: false,
				});
			}
			console.log('logging in session', session);
			sessionCookie = lucia.createSessionCookie(session.id);
			console.log('logging in session cookie', sessionCookie);
		} catch (e) {
			// TODO: need to return error message to the client
			console.error(e);
			form.data.password = '';
			return setError(form, '', 'Your username or password is incorrect.');
		}

		console.log('setting session cookie', sessionCookie);
		event.cookies.set(sessionCookie.name, sessionCookie.value, {
			path: '.',
			...sessionCookie.attributes,
		});

		form.data.username = '';
		form.data.password = '';

		if (
			twoFactorDetails?.enabled &&
			twoFactorDetails?.secret !== null &&
			twoFactorDetails?.secret !== ''
		) {
			console.log('redirecting to TOTP page');
			const message = { type: 'success', message: 'Please enter your TOTP code.' } as const;
			redirect(302, '/totp', message, event);
		} else {
			const message = { type: 'success', message: 'Signed In!' } as const;
			redirect(302, '/', message, event);
		}
	},
};
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00			`import { fail, type Actions } from '@sveltejs/kit';`
Refactor to use recovery code on TOTP as separate form. 2024-07-15 03:59:51 +00:00			`import { eq, or } from 'drizzle-orm';`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`import { Argon2id } from 'oslo/password';`
Moving validations to separate folder, upgrading superforms v2, and shadcn components. 2024-02-26 06:59:29 +00:00			`import { zod } from 'sveltekit-superforms/adapters';`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`import { setError, superValidate } from 'sveltekit-superforms/server';`
Rename db folder to server, remove levelup dependencies, add sveltekit flash message, add toast library, and use both on signup. 2023-07-30 23:31:39 +00:00			`import { redirect } from 'sveltekit-flash-message/server';`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`import { RateLimiter } from 'sveltekit-rate-limiter/server';`
Moving drizzle into it's own DB folder and moving all the table types to separate files. 2024-05-08 00:19:13 +00:00			`import db from '../../../db';`
Fixing update password and sign out redirect. 2024-03-02 01:17:13 +00:00			`import { lucia } from '$lib/server/auth';`
Fixing build but node version 22 is needed and pre-render fails. 2024-08-01 23:46:29 +00:00			`import { twoFactor, usersTable, type Users } from '$db/schema';`
Moving drizzle from MySQL to Postgres because more features exist there I like and am used to. 2024-02-09 02:56:09 +00:00			`import type { PageServerLoad } from './$types';`
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00			`import {signinUsernameDto} from "$lib/dtos/signin-username.dto";`
Adding auth to the site. 2023-05-21 05:18:04 +00:00
Adding explicit types to load and actions, adding the page indicator from Syntax.fm, and hex for that color. 2023-11-05 06:20:34 +00:00			`export const load: PageServerLoad = async (event) => {`
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00			`const { locals } = event;`
Checking fully authenticated vs not fully authd vs not authd at all and performing select actions to login, clear cookie, etc. 2024-06-17 20:06:45 +00:00
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00			`const authedUser = await locals.getAuthedUser();`

			`if (authedUser) {`
Fixing update password and sign out redirect. 2024-03-02 01:17:13 +00:00			`const message = { type: 'success', message: 'You are already signed in' } as const;`
Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`throw redirect('/', message, event);`
Fixing prisma issues by removing from locals and just using as singleton import. Upgrading libraries. 2023-11-05 00:03:28 +00:00			`}`
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00
			`// if (userFullyAuthenticated(user, session)) {`
			`// const message = { type: 'success', message: 'You are already signed in' } as const;`
			`// throw redirect('/', message, event);`
			`// } else if (userNotFullyAuthenticated(user, session)) {`
			`// await lucia.invalidateSession(locals.session!.id!);`
			`// const sessionCookie = lucia.createBlankSessionCookie();`
			`// cookies.set(sessionCookie.name, sessionCookie.value, {`
			`// path: '.',`
			`// ...sessionCookie.attributes,`
			`// });`
			`// }`
			`const form = await superValidate(event, zod(signinUsernameDto));`
Adding password reset tokens and API routes for creating and verifying token. 2024-03-02 02:00:27 +00:00
Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`return {`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`form,`
Updating all dependencies and moving throw errors outside try catches. 2023-12-05 06:25:43 +00:00			`};`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`};`

Adding explicit types to load and actions, adding the page indicator from Syntax.fm, and hex for that color. 2023-11-05 06:20:34 +00:00			`export const actions: Actions = {`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`default: async (event) => {`
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00			`// if (await limiter.isLimited(event)) {`
			`// throw error(429);`
			`// }`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00
Updating auth logic for v3 lucia, fixing types, upgrading dependencies. 2023-12-20 01:54:39 +00:00			`const { locals } = event;`
Fixing login cookie max-age. 2024-08-15 01:07:50 +00:00
			`const authedUser = await locals.getAuthedUser();`

			`if (authedUser) {`
			`const message = { type: 'success', message: 'You are already signed in' } as const;`
			`throw redirect('/', message, event);`
			`}`

			`const form = await superValidate(event, zod(signinUsernameDto));`

			`const { error } = await locals.api.login.$post({ json: form.data }).then(locals.parseApiResponse);`
			`if (error) return setError(form, 'username', error);`
Adding auth to the site. 2023-05-21 05:18:04 +00:00
			`if (!form.valid) {`
Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.password = '';`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`return fail(400, {`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`form,`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`});`
			`}`

Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`let session;`
			`let sessionCookie;`
Fixing build but node version 22 is needed and pre-render fails. 2024-08-01 23:46:29 +00:00			`const user: Users \| undefined = await db.query.usersTable.findFirst({`
			`where: or(eq(usersTable.username, form.data.username), eq(usersTable.email, form.data.username)),`
Adding not null to games columns, fixing TOTP form, and fixing TOTP verifying. 2024-06-09 00:25:01 +00:00			`});`
Comment out collection until I can fix it. Rewrite wishlist, create users with the default role, add seed roles, update the user with the default role if they don't have it. And other things. 2023-06-16 06:28:49 +00:00
Starting over migrations, revert schema date string type, using two variables in session for knowing if 2FA is valid, adding checks everywhere on protected routes and APIs. 2024-06-12 02:12:12 +00:00			`if (!user) {`
			`form.data.password = '';`
			`return setError(form, 'username', 'Your username or password is incorrect.');`
			`}`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00
Using Svelte 5, refactor to use a separate table for user two factor details, and update the whole application to use the new table. 2024-07-11 22:53:56 +00:00			`let twoFactorDetails;`

Adding not null to games columns, fixing TOTP form, and fixing TOTP verifying. 2024-06-09 00:25:01 +00:00			`try {`
			`const password = form.data.password;`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('user', JSON.stringify(user, null, 2));`

Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`if (!user?.hashed_password) {`
Adding totp enabled to session, restarting migrations, updating many Shadcn svelte components, and refactoring to move 2FA to its own page. 2024-06-08 22:09:21 +00:00			`console.log('invalid username/password');`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`form.data.password = '';`
Adding totp enabled to session, restarting migrations, updating many Shadcn svelte components, and refactoring to move 2FA to its own page. 2024-06-08 22:09:21 +00:00			`return setError(form, 'password', 'Your username or password is incorrect.');`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`}`

			`const validPassword = await new Argon2id().verify(user.hashed_password, password);`
			`if (!validPassword) {`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('invalid password');`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`form.data.password = '';`
Adding totp enabled to session, restarting migrations, updating many Shadcn svelte components, and refactoring to move 2FA to its own page. 2024-06-08 22:09:21 +00:00			`return setError(form, 'password', 'Your username or password is incorrect.');`
Adding APIs for different actions to consume down the line in refactor. 2023-07-18 21:23:45 +00:00			`}`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`console.log('ip', locals.ip);`
			`console.log('country', locals.country);`
Using Svelte 5, refactor to use a separate table for user two factor details, and update the whole application to use the new table. 2024-07-11 22:53:56 +00:00
			`twoFactorDetails = await db.query.twoFactor.findFirst({`
			`where: eq(twoFactor.userId, user?.id),`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`});`
Using Svelte 5, refactor to use a separate table for user two factor details, and update the whole application to use the new table. 2024-07-11 22:53:56 +00:00
			`if (twoFactorDetails?.secret && twoFactorDetails?.enabled) {`
			`await db.update(twoFactor).set({`
Checking TOTP expiry time. 2024-07-13 00:44:45 +00:00			`initiatedTime: new Date(),`
Using Svelte 5, refactor to use a separate table for user two factor details, and update the whole application to use the new table. 2024-07-11 22:53:56 +00:00			`});`

			`session = await lucia.createSession(user.id, {`
			`ip_country: locals.country,`
			`ip_address: locals.ip,`
			`twoFactorAuthEnabled:`
			`twoFactorDetails?.enabled &&`
			`twoFactorDetails?.secret !== null &&`
			`twoFactorDetails?.secret !== '',`
			`isTwoFactorAuthenticated: false,`
			`});`
			`} else {`
			`session = await lucia.createSession(user.id, {`
			`ip_country: locals.country,`
			`ip_address: locals.ip,`
			`twoFactorAuthEnabled: false,`
			`isTwoFactorAuthenticated: false,`
			`});`
			`}`
Fixing linting issues. 2024-03-11 06:19:55 +00:00			`console.log('logging in session', session);`
Upgrade to v3 Lucia, change all auth layers, upgrade all dependencies, and update eslint. 2023-12-15 01:53:15 +00:00			`sessionCookie = lucia.createSessionCookie(session.id);`
Fixing linting issues. 2024-03-11 06:19:55 +00:00			`console.log('logging in session cookie', sessionCookie);`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`} catch (e) {`
			`// TODO: need to return error message to the client`
			`console.error(e);`
Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.password = '';`
Alert on login failure and starting light/dark mode change. 2023-07-01 23:12:17 +00:00			`return setError(form, '', 'Your username or password is incorrect.');`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`}`
Updating auth logic for v3 lucia, fixing types, upgrading dependencies. 2023-12-20 01:54:39 +00:00
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`console.log('setting session cookie', sessionCookie);`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`event.cookies.set(sessionCookie.name, sessionCookie.value, {`
Removing nanoid, changing main id to uuid for all schemas, adding display cuid2, and adding rate limiter to login and signup. 2024-03-12 18:34:39 +00:00			`path: '.',`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`...sessionCookie.attributes,`
Adding ip country and address to the session DB, updating libraries and Lucia beta, updating auth flows for newest lucia changes. 2024-01-19 00:57:15 +00:00			`});`

Fixing all the root imports, installing and adding logging based on auth example. 2023-05-29 06:34:39 +00:00			`form.data.username = '';`
			`form.data.password = '';`
Adding not null to games columns, fixing TOTP form, and fixing TOTP verifying. 2024-06-09 00:25:01 +00:00
Starting over migrations, revert schema date string type, using two variables in session for knowing if 2FA is valid, adding checks everywhere on protected routes and APIs. 2024-06-12 02:12:12 +00:00			`if (`
Using Svelte 5, refactor to use a separate table for user two factor details, and update the whole application to use the new table. 2024-07-11 22:53:56 +00:00			`twoFactorDetails?.enabled &&`
			`twoFactorDetails?.secret !== null &&`
			`twoFactorDetails?.secret !== ''`
Starting over migrations, revert schema date string type, using two variables in session for knowing if 2FA is valid, adding checks everywhere on protected routes and APIs. 2024-06-12 02:12:12 +00:00			`) {`
Adding not null to games columns, fixing TOTP form, and fixing TOTP verifying. 2024-06-09 00:25:01 +00:00			`console.log('redirecting to TOTP page');`
			`const message = { type: 'success', message: 'Please enter your TOTP code.' } as const;`
			`redirect(302, '/totp', message, event);`
			`} else {`
			`const message = { type: 'success', message: 'Signed In!' } as const;`
			`redirect(302, '/', message, event);`
			`}`
Adding show 2FA on login if it is enabled on the user. 2024-04-08 05:11:52 +00:00			`},`
Adding auth to the site. 2023-05-21 05:18:04 +00:00			`};`