sveltekit-auth-example 1.0.3 → 1.0.6

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+# 1.0.5
+* Bump dependencies
+* [Fix] Flaw in register allowing user to register over top of an existing account
+* Additional checks of submitted data
+
+# 1.0.4
+* Bump dependencies
+
+# 1.0.4
+* [Fix] If you login with a Google account, you cannot Update the Profile (UI is looking for password and confirm password which don't make sense in this context)
+* Added Content Security Policy
+
 # 1.0.3
 * [Fix] user created or updated when password mismatches (@lxy-yz)
 * Updated project dependencies
@@ -5,18 +17,15 @@
 * Added declarations for Session and Locals for type safety
 
 # 1.0.2
-
 * [Fix] Updated endpoints and hooks to conform to SvelteKit's API changes.
 * Updated project dependencies
 
 # 1.0.1
-
 * Switched to dotenv vs. VITE_ env values for better security
 * Load Sign in with Google via code instead of static template
 * Fix logout (didn't work if session expired)
 * Fix login button rendering if that's the starting page
 
 # Backlog
-
 * [Low] Add password complexity check
 * [Low] Add Google reCaptcha 3

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Nate Stuyvesant
+Copyright (c) 2022 Nate Stuyvesant
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/db_create.sql

@@ -210,7 +210,7 @@ DECLARE
   input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
   input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
 BEGIN
-  SELECT json_build_object('id', create_session(users.id), 'user', json_build_object('id', users.id, 'role', users.role, 'email', input_email, 'firstName', users.first_name, 'lastName', users.last_name, 'phone', users.phone)) INTO user_session FROM users WHERE email = input_email;
+  PERFORM id FROM users WHERE email = input_email;
   IF NOT FOUND THEN
     INSERT INTO users(role, email, first_name, last_name)
       VALUES('student', input_email, input_first_name, input_last_name)
@@ -219,6 +219,8 @@ BEGIN
           'id', create_session(users.id),
           'user', json_build_object('id', users.id, 'role', 'student', 'email', input_email, 'firstName', input_first_name, 'lastName', input_last_name, 'phone', null)
         ) INTO user_session;
+  ELSE
+    SELECT authenticate(input) INTO user_session;
   END IF;
 END;
 $BODY$;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sveltekit-auth-example",
   "description": "SvelteKit Authentication Example",
-  "version": "1.0.3",
+  "version": "1.0.6",
   "private": false,
   "author": "Nate Stuyvesant",
   "license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
@@ -12,6 +12,15 @@
   "bugs": {
     "url": "https://github.com/nstuyvesant/sveltekit-auth-example/issues"
   },
+  "keywords": [
+    "svelte",
+    "sveltekit",
+    "authentication",
+    "example",
+    "google",
+    "postgresql",
+    "example"
+  ],
   "scripts": {
     "dev": "svelte-kit dev",
     "serve": "npm run dev -- --open",
@@ -24,36 +33,36 @@
   },
   "engines": {
     "node": "~16.14.2",
-    "npm": "^8.6.0"
+    "npm": "^8.8.0"
   },
   "type": "module",
   "dependencies": {
-    "cookie": "^0.4.2",
+    "cookie": "^0.5.0",
     "dotenv": "^16.0.0",
-    "google-auth-library": "^7.11.1",
+    "google-auth-library": "^8.0.1",
     "jsonwebtoken": "^8.5.1",
     "pg": "^8.7.3",
     "pg-native": "^3.0.0"
   },
   "devDependencies": {
-    "@sveltejs/adapter-node": "next",
-    "@sveltejs/kit": "next",
+    "@sveltejs/adapter-node": "latest",
+    "@sveltejs/kit": "latest",
     "@types/jsonwebtoken": "^8.5.8",
     "@types/pg": "^8.6.5",
-    "@typescript-eslint/eslint-plugin": "^5.18.0",
-    "@typescript-eslint/parser": "^5.18.0",
+    "@typescript-eslint/eslint-plugin": "^5.21.0",
+    "@typescript-eslint/parser": "^5.21.0",
     "bootstrap": "^5.1.3",
     "bootstrap-icons": "^1.8.1",
-    "eslint": "^8.12.0",
+    "eslint": "^8.14.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-svelte3": "^3.4.1",
     "prettier": "^2.6.2",
-    "prettier-plugin-svelte": "^2.6.0",
-    "sass": "^1.49.11",
-    "svelte": "^3.46.6",
-    "svelte-check": "^2.4.6",
-    "svelte-preprocess": "^4.10.5",
-    "tslib": "^2.3.1",
+    "prettier-plugin-svelte": "^2.7.0",
+    "sass": "^1.51.0",
+    "svelte": "^3.47.0",
+    "svelte-check": "^2.7.0",
+    "svelte-preprocess": "^4.10.6",
+    "tslib": "^2.4.0",
     "typescript": "^4.6.3"
   }
 }

package/src/routes/auth/[slug].ts

@@ -9,12 +9,6 @@ export const post: RequestHandler = async event => {
 
   try {
     switch (slug) {
-      case 'login': 
-        sql = `SELECT authenticate($1) AS "authenticationResult";`
-        break
-      case 'register':
-        sql = `SELECT register($1) AS "authenticationResult";`
-        break
       case 'logout':
         if (event.locals.user) { // if user is null, they are logged out anyway (session might have ended)
           sql = `CALL delete_session($1);`
@@ -29,6 +23,13 @@ export const post: RequestHandler = async event => {
             message: 'Logout successful.'
           }
         }
+      case 'login': 
+        sql = `SELECT authenticate($1) AS "authenticationResult";`
+        break
+      case 'register':
+        sql = `SELECT register($1) AS "authenticationResult";`
+        break
+
       default:
         return {
           status: 404,
@@ -41,8 +42,18 @@ export const post: RequestHandler = async event => {
 
     // Only /auth/login and /auth/register at this point
     const body = await event.request.json()
-    result = await query(sql, [JSON.stringify(body)])
 
+    // While client checks for these to be non-null, register() in the database does not
+    if (slug == 'register' && (!body.email || !body.password || !body.firstName || !body.lastName))
+    return {
+      status: 400,
+      body: {
+        message: 'Please supply all required fields: email, password, first and last name.',
+        user: null
+      }
+    }
+
+    result = await query(sql, [JSON.stringify(body)])
   } catch (error) {
     return {
       status: 503,

package/src/routes/profile.svelte

@@ -32,7 +32,7 @@
     message = ''
     const form = document.forms['profile']
 
-    if (!passwordMatch()) {
+    if (!user.email.includes('gmail.com') && !passwordMatch()) {
       confirmPassword.classList.add('is-invalid')
       return
     }

package/svelte.config.js

@@ -1,6 +1,19 @@
 import adapter from '@sveltejs/adapter-node'
 import preprocess from 'svelte-preprocess'
 
+const production = process.env.NODE_ENV === 'production'
+
+const baseCsp = [
+	'self',
+	// 'strict-dynamic', // issues with datepicker on classes, add to calendar scripts
+	'https://www.gstatic.com/recaptcha/', // recaptcha
+	'https://accounts.google.com/gsi/', // sign-in w/google
+	'https://www.google.com/recaptcha/', // recapatcha
+	'https://fonts.gstatic.com/' // recaptcha fonts
+]
+
+if (!production) baseCsp.push('ws://localhost:3000')
+
 /** @type {import('@sveltejs/kit').Config} */
 const config = {
 	preprocess: preprocess(),
@@ -8,7 +21,24 @@ const config = {
 	kit: {
 		adapter: adapter({
 			out: 'build'
-		})
+		}),
+		csp: {
+			mode: 'auto',
+			directives: {
+				'default-src': [...baseCsp],
+				'script-src': ['unsafe-inline', ...baseCsp],
+				'img-src': ['data:', 'blob:', ...baseCsp],
+				'style-src': ['unsafe-inline', ...baseCsp],
+				'object-src': ['none'],
+				'base-uri': ['self'],
+				// 'require-trusted-types-for': ["'script'"] // will require effort to get this working
+			}
+		},
+		vite: {
+			serviceWorker: {
+				files: (filepath) => !/\.DS_Store/.test(filepath)
+			}
+		}
 	}
 }