sveltekit-auth-example 1.0.3

package/.eslintrc.cjs

@@ -0,0 +1,20 @@
+module.exports = {
+	root: true,
+	parser: '@typescript-eslint/parser',
+	extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended', 'prettier'],
+	plugins: ['svelte3', '@typescript-eslint'],
+	ignorePatterns: ['*.cjs'],
+	overrides: [{ files: ['*.svelte'], processor: 'svelte3/svelte3' }],
+	settings: {
+		'svelte3/typescript': () => require('typescript')
+	},
+	parserOptions: {
+		sourceType: 'module',
+		ecmaVersion: 2019
+	},
+	env: {
+		browser: true,
+		es2017: true,
+		node: true
+	}
+};

package/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"useTabs": true,
+	"singleQuote": true,
+	"trailingComma": "none",
+	"printWidth": 100
+}

package/CHANGELOG.md

@@ -0,0 +1,22 @@
+# 1.0.3
+* [Fix] user created or updated when password mismatches (@lxy-yz)
+* Updated project dependencies
+* Replaced Sveltestrap's Toast with native Bootstrap 5 JavaScript to avoid error with @popperjs import (lacks type=module)
+* Added declarations for Session and Locals for type safety
+
+# 1.0.2
+
+* [Fix] Updated endpoints and hooks to conform to SvelteKit's API changes.
+* Updated project dependencies
+
+# 1.0.1
+
+* Switched to dotenv vs. VITE_ env values for better security
+* Load Sign in with Google via code instead of static template
+* Fix logout (didn't work if session expired)
+* Fix login button rendering if that's the starting page
+
+# Backlog
+
+* [Low] Add password complexity check
+* [Low] Add Google reCaptcha 3

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Nate Stuyvesant
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,86 @@
+# SvelteKit Authentication and Authorization Example
+
+This is an example of how to register, authenticate, and update users and limit their access to
+areas of the website by role (admin, teacher, student).
+
+It's an SPA built with SvelteKit and a PostgreSQL database back-end. Code is TypeScript and the website is styled using Bootstrap. PostgreSQL functions handle password hashing and UUID generation for the session ID. 
+
+Unlike most authentication examples, this SPA does not use callbacks that redirect back to the site (causing the website to be reloaded with a visual flash). Because of that, **getSession()** in hooks.ts is not useful. Instead, the client makes REST calls, gets the user in the body of the response (if successful) and adds the user to the client-side session store.
+
+The website supports two types of authentication:
+1. **Local accounts** via username (email) and password
+   - The login form (/src/routes/login.svelte) sends the login info as JSON to endpoint /auth/login
+   - The endpoint passes the JSON to PostgreSQL function authenticate(json) which hashes the password and compares it to the stored hashed password in the users table. The function returns JSON containing a session ID (v4 UUID) and user object (sans password).
+   - The endpoint sends session ID as an httpOnly SameSite cookie and the user object in the body of the response.
+   - The client stores the user object in SvelteKit's session store.
+2. **Sign in with Google**
+   - **Sign in with Google** is initialized in /src/routes/__layout.svelte.
+   - **One Tap** "dialog" is displayed on the Home page (/src/routes/index.svelte) while the **Sign in with Google** button is on the login page (/src/routes/login.svelte).
+   - Clicking either button opens a new window asking the user to authorize this website. If they OK it, a JWT is sent to a callback function.
+   - The callback function (in /src/lib/auth.ts) sends the JWT to an endpoint on this server /auth/google.
+   - The endpoint decodes and validates the user information then calls the PostgreSQL function start_gmail_user_session to upsert the user to the database returing a session id in an httpOnly SameSite cookie and user in the body of the response.
+   - The client stores the user object in SvelteKit's session store.
+
+As the client calls endpoints, each request to the server includes the session ID in the httpOnly cookie. The handle() function in hooks.ts checks the database for this session ID. If it exists and is not expired, it attaches the user (including role) to request.locals. Each endpoint can then examine request.locals.user.role to determine whether to respond or return a 401.
+
+> There is some overhead to checking the user session in a database each time versus using a JSON web token; however, validating each request avoids problems discussed in [this article](https://redis.com/blog/json-web-tokens-jwt-are-dangerous-for-user-sessions/) and [this one](https://scotch.io/bar-talk/why-jwts-suck-as-session-tokens). For a high-volume website, I would use Redis or the equivalent.
+
+Pages use the session.user.role to determine whether they are authorized. While a malicious user could alter the client-side session store to see pages they should not, the dynamic data in those restricted pages is served via endpoints which check request.locals.user to determine whether to grant access.
+
+The forgot password functionality uses SendInBlue to send the email. You would need to have a SendInBlue account and set three environmental variables. Email sending is in /src/routes/auth/forgot.ts. This code could easily be replaced by nodemailer or something similar.
+
+## Prerequisites
+- PostgreSQL 13 or higher
+- Node.js 16.13.0 or higher
+- npm 8.1.0 or higher
+- Google API client
+- SendInBlue account (only used for emailing password reset link - the sample can run without it but forgot password will not work)
+
+## Setting up the project
+
+Here are the steps using a macOS, Linux or UNIX command-line:
+
+1. Get the project and setup the database
+```bash
+# Clone the repo to your current directory
+git clone https://github.com/nstuyvesant/sveltekit-auth-example.git
+
+# Install the dependencies
+cd /sveltekit-auth-example
+npm install
+
+# Create PostgreSQL database
+psql -d postgres -f db_create.sql
+```
+
+2. Create a **Google API client ID** per [these instructions](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid).
+
+3. Create an **.env** file at the top level of the project with the following values (substituting your own id and PostgreSQL username and password):
+```bash
+DATABASE_URL=postgres://user:password@localhost:5432/auth
+DOMAIN=http://localhost:3000
+JWT_SECRET=replace_with_your_own
+SEND_IN_BLUE_URL=https://api.sendinblue.com
+SEND_IN_BLUE_KEY=replace_with_your_own
+SEND_IN_BLUE_FROM='{ "email":"jdoe@example.com", "name":"John Doe" }'
+SEND_IN_BLUE_ADMINS='{ "email":"jdoe@example.com", "name":"John Doe" }'
+VITE_GOOGLE_CLIENT_ID=replace_with_your_own
+```
+
+## Run locally
+
+```bash
+# Start the server and open the app in a new browser tab
+npm run dev -- --open
+```
+
+## Valid logins
+
+The db_create.sql script adds three users to the database with obvious roles:
+- admin@example.com password admin123
+- teacher@example.com password teacher123
+- student@example.com password student123
+
+## My ask of you
+
+Please report any issues or areas where the code can be optimized. I am still learning Svelte and SvelteKit. All feedback is appreciated.

package/db_create.sql

@@ -0,0 +1,307 @@
+-- Invoke this script via
+-- $ psql -d postgres -f db_create.sql
+
+-- Create role if not already there
+DO
+$do$
+BEGIN
+  IF NOT EXISTS (
+    SELECT -- SELECT list can stay empty for this
+    FROM   pg_catalog.pg_roles
+    WHERE  rolname = 'auth') THEN
+
+    CREATE ROLE auth;
+  END IF;
+END
+$do$;
+
+-- Forcefully disconnect anyone
+SELECT pid, pg_terminate_backend(pid) 
+FROM pg_stat_activity 
+WHERE datname = 'auth' AND pid <> pg_backend_pid();
+
+DROP DATABASE IF EXISTS auth;
+
+CREATE DATABASE auth
+  WITH 
+  OWNER = auth
+  ENCODING = 'UTF8'
+  TABLESPACE = pg_default
+  CONNECTION LIMIT = -1;
+
+COMMENT ON DATABASE auth IS 'SvelteKit Auth Example';
+
+-- Connect to auth database
+\connect auth
+
+-- Required for password hashing
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+
+-- Required to generate UUIDs for sessions
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+-- Using hard-coded roles (often this would be a table)
+CREATE TYPE public.roles AS ENUM
+  ('student', 'teacher', 'admin');
+
+ALTER TYPE public.roles OWNER TO auth;
+
+CREATE TABLE IF NOT EXISTS public.users (
+  id integer NOT NULL GENERATED ALWAYS AS IDENTITY ( INCREMENT 1 START 1 MINVALUE 1 MAXVALUE 2147483647 CACHE 1 ),
+  role roles NOT NULL DEFAULT 'student'::roles,
+  email character varying(80) COLLATE pg_catalog."default" NOT NULL,
+  password character varying(80) COLLATE pg_catalog."default",
+  first_name character varying(20) COLLATE pg_catalog."default" NOT NULL,
+  last_name character varying(20) COLLATE pg_catalog."default" NOT NULL,
+  phone character varying(23) COLLATE pg_catalog."default",
+  CONSTRAINT users_pkey PRIMARY KEY (id),
+  CONSTRAINT users_email_unique UNIQUE (email)
+) TABLESPACE pg_default;
+
+ALTER TABLE public.users OWNER to auth;
+
+CREATE INDEX users_first_name_index
+  ON public.users USING btree
+  (first_name COLLATE pg_catalog."default" ASC NULLS LAST)
+  TABLESPACE pg_default;
+
+CREATE INDEX users_last_name_index
+  ON public.users USING btree
+  (last_name COLLATE pg_catalog."default" ASC NULLS LAST)
+  TABLESPACE pg_default;
+
+CREATE INDEX users_password
+  ON public.users USING btree
+  (password COLLATE pg_catalog."default" ASC NULLS LAST)
+  TABLESPACE pg_default;
+
+CREATE TABLE IF NOT EXISTS public.sessions (
+  id uuid NOT NULL DEFAULT uuid_generate_v4(),
+  user_id integer NOT NULL,
+  expires timestamp with time zone DEFAULT (CURRENT_TIMESTAMP + '02:00:00'::interval),
+  CONSTRAINT sessions_pkey PRIMARY KEY (id),
+  CONSTRAINT sessions_user_fkey FOREIGN KEY (user_id)
+    REFERENCES public.users (id) MATCH SIMPLE
+    ON UPDATE NO ACTION
+    ON DELETE CASCADE
+    NOT VALID
+) TABLESPACE pg_default;
+
+ALTER TABLE public.sessions OWNER to auth;
+
+CREATE OR REPLACE FUNCTION public.authenticate(
+	input json,
+	OUT response json)
+    RETURNS json
+    LANGUAGE 'plpgsql'
+    COST 100
+    VOLATILE PARALLEL UNSAFE
+AS $BODY$
+DECLARE
+  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
+  input_password varchar(80) := (input->>'password')::varchar;
+BEGIN
+  IF input_email IS NULL OR input_password IS NULL THEN
+    response := json_build_object('statusCode', 400, 'status', 'Please provide an email address and password to authenticate.', 'user', NULL);
+	RETURN;
+  END IF;
+
+  WITH user_authenticated AS (
+    SELECT users.id, role, first_name, last_name, phone
+    FROM users
+    WHERE email = input_email AND password = crypt(input_password, password) LIMIT 1
+  )
+  SELECT json_build_object(
+	'statusCode', CASE WHEN (SELECT COUNT(*) FROM user_authenticated) > 0 THEN 200 ELSE 401 END,
+	'status', CASE WHEN (SELECT COUNT(*) FROM user_authenticated) > 0
+	  THEN 'Login successful.'
+	  ELSE 'Invalid username/password combination.'
+	END,
+	'user', CASE WHEN (SELECT COUNT(*) FROM user_authenticated) > 0
+	  THEN (SELECT json_build_object(
+		  'id', user_authenticated.id,
+		  'role', user_authenticated.role,
+		  'email', input_email,
+		  'firstName', user_authenticated.first_name,
+		  'lastName', user_authenticated.last_name,
+		  'phone', user_authenticated.phone)
+		 FROM user_authenticated)
+	  ELSE NULL
+	  END,
+	'sessionId', (SELECT create_session(user_authenticated.id) FROM user_authenticated)
+  ) INTO response;
+END;
+$BODY$;
+
+ALTER FUNCTION public.authenticate(json) OWNER TO auth;
+
+CREATE OR REPLACE FUNCTION public.create_session(
+	input_user_id integer)
+    RETURNS uuid
+    LANGUAGE 'sql'
+    COST 100
+    VOLATILE PARALLEL UNSAFE
+AS $BODY$
+DELETE FROM sessions WHERE user_id = input_user_id;
+INSERT INTO sessions(user_id) VALUES (input_user_id) RETURNING sessions.id;
+$BODY$;
+
+ALTER FUNCTION public.create_session(integer) OWNER TO auth;
+
+CREATE OR REPLACE FUNCTION public.get_session(input_session_id uuid)
+  RETURNS json
+  LANGUAGE 'sql'
+AS $BODY$
+SELECT json_build_object(
+  'id', sessions.user_id,
+  'role', users.role,
+  'email', users.email,
+  'firstName', users.first_name,
+  'lastName', users.last_name,
+  'phone', users.phone
+) AS user
+FROM sessions
+  INNER JOIN users ON sessions.user_id = users.id
+WHERE sessions.id = input_session_id AND expires > CURRENT_TIMESTAMP LIMIT 1;
+$BODY$;
+
+ALTER FUNCTION public.get_session(uuid) OWNER TO auth;
+
+CREATE OR REPLACE FUNCTION public.register(
+	input json,
+	OUT user_session json)
+    RETURNS json
+    LANGUAGE 'plpgsql'
+    COST 100
+    VOLATILE PARALLEL UNSAFE
+AS $BODY$
+DECLARE
+  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
+  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
+  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
+  input_phone varchar(23) := TRIM((input->>'phone')::varchar);
+  input_password varchar(80) := (input->>'password')::varchar;
+BEGIN
+  SELECT json_build_object('id', create_session(users.id), 'user', json_build_object('id', users.id, 'role', users.role, 'email', input_email, 'firstName', users.first_name, 'lastName', users.last_name, 'phone', users.phone)) INTO user_session FROM users WHERE email = input_email;
+  IF NOT FOUND THEN
+    INSERT INTO users(role, password, email, first_name, last_name, phone)
+      VALUES('student', crypt(input_password, input_password), input_email, input_first_name, input_last_name, input_phone)
+      RETURNING
+        json_build_object(
+          'sessionId', create_session(users.id),
+          'user', json_build_object('id', users.id, 'role', 'student', 'email', input_email, 'firstName', input_first_name, 'lastName', input_last_name, 'phone', input_phone)
+        ) INTO user_session;
+  END IF;
+END;
+$BODY$;
+
+ALTER FUNCTION public.register(json) OWNER TO auth;
+
+CREATE OR REPLACE FUNCTION public.start_gmail_user_session(
+	input json,
+	OUT user_session json)
+    RETURNS json
+    LANGUAGE 'plpgsql'
+    COST 100
+    VOLATILE PARALLEL UNSAFE
+AS $BODY$
+DECLARE
+  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
+  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
+  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
+BEGIN
+  SELECT json_build_object('id', create_session(users.id), 'user', json_build_object('id', users.id, 'role', users.role, 'email', input_email, 'firstName', users.first_name, 'lastName', users.last_name, 'phone', users.phone)) INTO user_session FROM users WHERE email = input_email;
+  IF NOT FOUND THEN
+    INSERT INTO users(role, email, first_name, last_name)
+      VALUES('student', input_email, input_first_name, input_last_name)
+      RETURNING
+        json_build_object(
+          'id', create_session(users.id),
+          'user', json_build_object('id', users.id, 'role', 'student', 'email', input_email, 'firstName', input_first_name, 'lastName', input_last_name, 'phone', null)
+        ) INTO user_session;
+  END IF;
+END;
+$BODY$;
+
+ALTER FUNCTION public.start_gmail_user_session(json) OWNER TO auth;
+
+CREATE PROCEDURE public.delete_session(input_id integer)
+    LANGUAGE sql
+    AS $$
+DELETE FROM sessions WHERE user_id = input_id;
+$$;
+
+CREATE OR REPLACE PROCEDURE public.reset_password(
+	input_id integer,
+	input_password text)
+LANGUAGE 'sql'
+AS $BODY$
+  UPDATE users SET password = crypt(input_password, gen_salt('bf', 8)) WHERE id = input_id;
+END;
+$BODY$;
+
+ALTER PROCEDURE public.reset_password(integer, text) OWNER TO auth;
+
+CREATE OR REPLACE PROCEDURE public.upsert_user(input json)
+LANGUAGE plpgsql
+AS $BODY$
+DECLARE
+  input_id integer := COALESCE((input->>'id')::integer,0);
+  input_role roles := COALESCE((input->>'role')::roles, 'student');
+  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
+  input_password varchar(80) := COALESCE((input->>'password')::varchar, '');
+  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
+  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
+  input_phone varchar(23) := TRIM((input->>'phone')::varchar);
+BEGIN
+  IF input_id = 0 THEN
+    INSERT INTO users (role, email, password, first_name, last_name, phone)
+    VALUES (
+	  input_role, input_email, crypt(input_password, gen_salt('bf', 8)),
+	  input_first_name, input_last_name, input_phone);
+  ELSE
+    UPDATE users SET
+	  role = input_role,
+	  email = input_email,
+	  password = CASE WHEN input_password = ''
+		  THEN password -- leave as is (we are updating fields other than the password)
+		  ELSE crypt(input_password, gen_salt('bf', 8))
+	  END,
+	  first_name = input_first_name,
+	  last_name = input_last_name,
+	  phone = input_phone
+	WHERE id = input_id;
+  END IF;
+END;
+$BODY$;
+
+ALTER PROCEDURE public.upsert_user(json) OWNER TO auth;
+
+CREATE OR REPLACE PROCEDURE public.update_user(input_id integer, input json)
+LANGUAGE plpgsql
+AS $BODY$
+DECLARE
+  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
+  input_password varchar(80) := COALESCE((input->>'password')::varchar, '');
+  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
+  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
+  input_phone varchar(23) := TRIM((input->>'phone')::varchar);
+BEGIN
+  UPDATE users SET
+    email = input_email,
+	password = CASE WHEN input_password = ''
+      THEN password -- leave as is (we are updating fields other than the password)
+	  ELSE crypt(input_password, gen_salt('bf', 8))
+	END,
+	first_name = input_first_name,
+	last_name = input_last_name,
+	phone = input_phone
+  WHERE id = input_id;
+END;
+$BODY$;
+
+ALTER PROCEDURE public.update_user(integer, json) OWNER TO auth;
+
+CALL public.upsert_user('{"id":0, "role":"admin", "email":"admin@example.com", "password":"admin123", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json);
+CALL public.upsert_user('{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"teacher123", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json);
+CALL public.upsert_user('{"id":0, "role":"student", "email":"student@example.com", "password":"student123", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json);

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "sveltekit-auth-example",
+  "description": "SvelteKit Authentication Example",
+  "version": "1.0.3",
+  "private": false,
+  "author": "Nate Stuyvesant",
+  "license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nstuyvesant/sveltekit-auth-example.git"
+  },
+  "bugs": {
+    "url": "https://github.com/nstuyvesant/sveltekit-auth-example/issues"
+  },
+  "scripts": {
+    "dev": "svelte-kit dev",
+    "serve": "npm run dev -- --open",
+    "build": "svelte-kit build",
+    "preview": "svelte-kit preview",
+    "check": "svelte-check --tsconfig ./tsconfig.json",
+    "check:watch": "svelte-check --tsconfig ./tsconfig.json --watch",
+    "lint": "prettier --ignore-path .gitignore --check --plugin-search-dir=. . && eslint --ignore-path .gitignore .",
+    "format": "prettier --ignore-path .gitignore --write --plugin-search-dir=. ."
+  },
+  "engines": {
+    "node": "~16.14.2",
+    "npm": "^8.6.0"
+  },
+  "type": "module",
+  "dependencies": {
+    "cookie": "^0.4.2",
+    "dotenv": "^16.0.0",
+    "google-auth-library": "^7.11.1",
+    "jsonwebtoken": "^8.5.1",
+    "pg": "^8.7.3",
+    "pg-native": "^3.0.0"
+  },
+  "devDependencies": {
+    "@sveltejs/adapter-node": "next",
+    "@sveltejs/kit": "next",
+    "@types/jsonwebtoken": "^8.5.8",
+    "@types/pg": "^8.6.5",
+    "@typescript-eslint/eslint-plugin": "^5.18.0",
+    "@typescript-eslint/parser": "^5.18.0",
+    "bootstrap": "^5.1.3",
+    "bootstrap-icons": "^1.8.1",
+    "eslint": "^8.12.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-svelte3": "^3.4.1",
+    "prettier": "^2.6.2",
+    "prettier-plugin-svelte": "^2.6.0",
+    "sass": "^1.49.11",
+    "svelte": "^3.46.6",
+    "svelte-check": "^2.4.6",
+    "svelte-preprocess": "^4.10.5",
+    "tslib": "^2.3.1",
+    "typescript": "^4.6.3"
+  }
+}

package/src/app.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<link rel="icon" href="/favicon.png" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		%svelte.head%
+	</head>
+	<body>
+		<div id="svelte">%svelte.body%</div>
+	</body>
+</html>

package/src/global.d.ts

@@ -0,0 +1,71 @@
+/// <reference types="@sveltejs/kit" />
+
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+// See https://kit.svelte.dev/docs/typescript
+// for information about these interfaces
+declare namespace App {
+	interface Locals {
+    user: User
+  }
+
+	// interface Platform {}
+
+	interface Session {
+    reservationDate: Date
+    scheduledClass?: ScheduledClass
+    user?: User
+  }
+
+	// interface Stuff {}
+}
+
+interface ImportMetaEnv {
+  VITE_GOOGLE_CLIENT_ID: string
+}
+
+type AuthenticationResult = {
+  statusCode: number
+  status: string
+  user: User
+  sessionId: string
+}
+
+type Credentials = {
+  email: string
+  password: string
+}
+
+type MessageAddressee = {
+  email: string
+  name?: string
+}
+
+type Message = {
+  sender?: MessageAddressee[]
+  to: MessageAddressee[]
+  subject: string
+  htmlContent?: string
+  textContent?: string
+  tags?: string[]
+  contact?: Person
+}
+
+type User = {
+  id?: number
+  role?: 'student' | 'teacher' | 'admin'
+  password?: string
+  firstName?: string
+  lastName?: string
+  email?: string
+  phone?: string
+}
+
+type UserSession = {
+  id: string,
+  user: User
+}
+
+interface Window {
+  google?: any
+}

package/src/hooks.ts

@@ -0,0 +1,43 @@
+import * as cookie from 'cookie'
+import type { Handle, GetSession, RequestEvent } from '@sveltejs/kit'
+import { query } from './routes/_db'
+
+// Attach authorization to each server request (role may have changed)
+async function attachUserToRequest(sessionId: string, event: RequestEvent) {
+  const sql = `
+    SELECT * FROM get_session($1);`
+  const { rows } = await query(sql, [sessionId])
+  if (rows?.length > 0) {
+    event.locals.user = rows[0].get_session
+  }
+}
+
+function deleteCookieIfNoUser(event: RequestEvent, response: Response) {
+  if (!event.locals.user) {
+    response.headers['Set-Cookie'] = `session=; Path=/; HttpOnly; SameSite=Lax; Expires=${new Date().toUTCString()}`
+  }
+}
+
+// Invoked for each endpoint called and initially for SSR router
+export const handle: Handle = async ({ event, resolve }) => {
+
+  // before endpoint or page is called
+  const cookies = cookie.parse(event.request.headers.get('Cookie') || '')
+  if (cookies.session) {
+    await attachUserToRequest(cookies.session, event)
+  }
+
+  const response = await resolve(event)
+
+  // after endpoint or page is called
+  deleteCookieIfNoUser(event, response)
+  return response
+}
+
+// Only useful for authentication schemes that redirect back to the website - not
+// an SPA with client-side routing that handles authentication seamlessly
+export const getSession: GetSession = event => {
+  return event.locals.user ?
+    { user: event.locals.user }
+    : {}
+}