cima-squad/giampy-dogservice
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4bb0e560679f67cc80996dd82adfc1a05d999a
giampy-dogservice/src/lib/server/auth.ts
T
falco131 f23aecbbe0 added user manager page
2026-04-20 16:04:05 +02:00

174 lines
5.8 KiB
TypeScript
Raw Blame History

import { readJson, writeJson } from './storage';
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
import type { Cookies } from '@sveltejs/kit';
const ADMIN_FILE = 'admin.json';
const SESSION_FILE = 'sessions.json';
const SESSION_COOKIE = 'gds_admin';
const SESSION_TTL_MS = 1000 * 60 * 60 * 24 * 7; // 7 days
type AdminRecord = {
username: string;
salt: string;
hash: string;
createdAt?: number;
};
type SessionRecord = {
token: string;
username: string;
expiresAt: number;
};
function hashPassword(password: string, salt: string): string {
return scryptSync(password, salt, 64).toString('hex');
}
function loadAdmins(): AdminRecord[] {
const raw = readJson<AdminRecord | AdminRecord[] | null>(ADMIN_FILE, null);
if (!raw) return [];
if (Array.isArray(raw)) return raw;
// Legacy single-record format — migrate in-memory (persisted on next write).
return [raw];
}
function saveAdmins(admins: AdminRecord[]): void {
writeJson(ADMIN_FILE, admins);
}
export function seedDefaultAdminIfMissing(): { username: string; tempPassword?: string } {
const admins = loadAdmins();
if (admins.length > 0) {
// Ensure migration is persisted if legacy format was detected.
const raw = readJson<AdminRecord | AdminRecord[] | null>(ADMIN_FILE, null);
if (raw && !Array.isArray(raw)) saveAdmins(admins);
return { username: admins[0].username };
}
const username = process.env.ADMIN_USERNAME || 'admin';
const password = process.env.ADMIN_PASSWORD || 'changeme';
const salt = randomBytes(16).toString('hex');
const record: AdminRecord = {
username,
salt,
hash: hashPassword(password, salt),
createdAt: Date.now()
};
saveAdmins([record]);
return { username, tempPassword: password };
}
export function verifyCredentials(username: string, password: string): boolean {
const record = loadAdmins().find((a) => a.username === username);
if (!record) return false;
const candidate = Buffer.from(hashPassword(password, record.salt), 'hex');
const stored = Buffer.from(record.hash, 'hex');
if (candidate.length !== stored.length) return false;
return timingSafeEqual(candidate, stored);
}
export function changePassword(
username: string,
currentPassword: string,
newPassword: string
): boolean {
if (!verifyCredentials(username, currentPassword)) return false;
const admins = loadAdmins();
const idx = admins.findIndex((a) => a.username === username);
if (idx === -1) return false;
const salt = randomBytes(16).toString('hex');
admins[idx] = {
...admins[idx],
salt,
hash: hashPassword(newPassword, salt)
};
saveAdmins(admins);
return true;
}
export type AdminSummary = { username: string; createdAt?: number };
export function listAdmins(): AdminSummary[] {
return loadAdmins().map(({ username, createdAt }) => ({ username, createdAt }));
}
export function createAdmin(username: string, password: string): { ok: true } | { ok: false; error: string } {
const clean = username.trim();
if (!clean) return { ok: false, error: 'Username obbligatorio.' };
if (clean.length < 3) return { ok: false, error: 'Username troppo corto (min 3 caratteri).' };
if (!/^[a-zA-Z0-9_.-]+$/.test(clean)) {
return { ok: false, error: 'Username: usa solo lettere, numeri, . _ -' };
}
if (password.length < 8) return { ok: false, error: 'Password troppo corta (min 8 caratteri).' };
const admins = loadAdmins();
if (admins.some((a) => a.username === clean)) {
return { ok: false, error: 'Username già in uso.' };
}
const salt = randomBytes(16).toString('hex');
admins.push({
username: clean,
salt,
hash: hashPassword(password, salt),
createdAt: Date.now()
});
saveAdmins(admins);
return { ok: true };
}
export function deleteAdmin(username: string): { ok: true } | { ok: false; error: string } {
const admins = loadAdmins();
if (admins.length <= 1) {
return { ok: false, error: 'Impossibile eliminare l\'ultimo amministratore.' };
}
const next = admins.filter((a) => a.username !== username);
if (next.length === admins.length) return { ok: false, error: 'Amministratore non trovato.' };
saveAdmins(next);
// Revoke any active sessions for the removed user.
const sessions = readJson<SessionRecord[]>(SESSION_FILE, []).filter((s) => s.username !== username);
writeJson(SESSION_FILE, sessions);
return { ok: true };
}
function loadSessions(): SessionRecord[] {
const now = Date.now();
const all = readJson<SessionRecord[]>(SESSION_FILE, []);
const live = all.filter((s) => s.expiresAt > now);
if (live.length !== all.length) writeJson(SESSION_FILE, live);
return live;
}
export function createSession(username: string, cookies: Cookies): string {
const sessions = loadSessions();
const token = randomBytes(32).toString('hex');
const record: SessionRecord = { token, username, expiresAt: Date.now() + SESSION_TTL_MS };
sessions.push(record);
writeJson(SESSION_FILE, sessions);
cookies.set(SESSION_COOKIE, token, {
path: '/',
httpOnly: true,
sameSite: 'lax',
secure: process.env.NODE_ENV === 'production',
maxAge: SESSION_TTL_MS / 1000
});
return token;
}
export function destroySession(cookies: Cookies): void {
const token = cookies.get(SESSION_COOKIE);
if (token) {
const sessions = loadSessions().filter((s) => s.token !== token);
writeJson(SESSION_FILE, sessions);
}
cookies.delete(SESSION_COOKIE, { path: '/' });
}
export function getSessionUser(cookies: Cookies): { username: string } | null {
const token = cookies.get(SESSION_COOKIE);
if (!token) return null;
const session = loadSessions().find((s) => s.token === token);
if (!session) return null;
// If the user has been removed since, invalidate.
const exists = loadAdmins().some((a) => a.username === session.username);
if (!exists) return null;
return { username: session.username };
}
Reference in New Issue View Git Blame Copy Permalink