npm - sveltekit-auth-example - Versions diffs - 5.1.0 → 5.1.1 - Mend

sveltekit-auth-example 5.1.0 → 5.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/db_create.sql +51 -31
package/package.json +1 -1
package/src/app.d.ts +1 -1
package/src/hooks.server.ts +40 -6
package/src/lib/app-state.svelte.ts +19 -0
package/src/lib/auth-redirect.ts +25 -0
package/src/lib/google.ts +7 -26
package/src/lib/server/db.ts +3 -2
package/src/lib/server/sendgrid.ts +5 -9
package/src/routes/+layout.svelte +33 -18
package/src/routes/api/v1/user/+server.ts +16 -0
package/src/routes/auth/[slug]/+server.ts +5 -56
package/src/routes/auth/forgot/+server.ts +6 -1
package/src/routes/auth/google/+server.ts +1 -1
package/src/routes/auth/login/+server.ts +68 -0
package/src/routes/auth/logout/+server.ts +19 -0
package/src/routes/auth/register/+server.ts +64 -0
package/src/routes/auth/reset/+server.ts +7 -0
package/src/routes/auth/reset/[token]/+page.svelte +42 -32
package/src/routes/auth/verify/[token]/+server.ts +48 -0
package/src/routes/forgot/+page.svelte +32 -24
package/src/routes/layout.css +46 -0
package/src/routes/login/+page.server.ts +9 -0
package/src/routes/login/+page.svelte +28 -35
package/src/routes/profile/+page.svelte +70 -31
package/src/routes/register/+page.svelte +139 -128
package/src/service-worker.ts +22 -4
package/src/stores.ts +0 -13
/package/{.env.sample → .env.example} +0 -0

package/db_create.sql CHANGED Viewed

@@ -76,6 +76,7 @@ CREATE TABLE IF NOT EXISTS public.users (
   first_name persons_name,
   last_name persons_name,
   opt_out boolean NOT NULL DEFAULT false,
+  email_verified boolean NOT NULL DEFAULT false,
   phone phone_number,
   CONSTRAINT users_pkey PRIMARY KEY (id),
   CONSTRAINT users_email_unique UNIQUE (email)
@@ -123,37 +124,28 @@ AS $BODY$
 DECLARE
   input_email text := trim(input->>'email');
   input_password text := input->>'password';
+  v_user users%ROWTYPE;
 BEGIN
   IF input_email IS NULL OR input_password IS NULL THEN
-    response := json_build_object('statusCode', 400, 'status', 'Please provide an email address and password to authenticate.', 'user', NULL);
-	RETURN;
+    response := json_build_object('statusCode', 400, 'status', 'Please provide an email address and password to authenticate.', 'user', NULL, 'sessionId', NULL);
+    RETURN;
   END IF;
-  WITH user_authenticated AS (
-    SELECT users.id, role, first_name, last_name, phone, opt_out
-    FROM users
-    WHERE email = input_email AND password = crypt(input_password, password) LIMIT 1
-  )
-  SELECT json_build_object(
-	'statusCode', CASE WHEN EXISTS (SELECT 1 FROM user_authenticated) THEN 200 ELSE 401 END,
-	'status', CASE WHEN EXISTS (SELECT 1 FROM user_authenticated)
-	  THEN 'Login successful.'
-	  ELSE 'Invalid username/password combination.'
-	END,
-	'user', CASE WHEN EXISTS (SELECT 1 FROM user_authenticated)
-	  THEN (SELECT json_build_object(
-		  'id', user_authenticated.id,
-		  'role', user_authenticated.role,
-		  'email', input_email,
-		  'firstName', user_authenticated.first_name,
-		  'lastName', user_authenticated.last_name,
-		  'phone', user_authenticated.phone,
-		  'optOut', user_authenticated.opt_out)
-		 FROM user_authenticated)
-	  ELSE NULL
-	  END,
-	'sessionId', (SELECT create_session(user_authenticated.id) FROM user_authenticated)
-  ) INTO response;
+  SELECT * INTO v_user FROM users
+  WHERE email = input_email AND password = crypt(input_password, password) LIMIT 1;
+  IF NOT FOUND THEN
+    response := json_build_object('statusCode', 401, 'status', 'Invalid username/password combination.', 'user', NULL, 'sessionId', NULL);
+  ELSIF NOT v_user.email_verified THEN
+    response := json_build_object('statusCode', 403, 'status', 'Please verify your email address before logging in.', 'user', NULL, 'sessionId', NULL);
+  ELSE
+    response := json_build_object(
+      'statusCode', 200,
+      'status', 'Login successful.',
+      'user', json_build_object('id', v_user.id, 'role', v_user.role, 'email', input_email, 'firstName', v_user.first_name, 'lastName', v_user.last_name, 'phone', v_user.phone, 'optOut', v_user.opt_out),
+      'sessionId', create_session(v_user.id)
+    );
+  END IF;
 END;
 $BODY$;
@@ -197,6 +189,23 @@ $BODY$;
 ALTER FUNCTION public.get_session(uuid) OWNER TO auth;
+CREATE OR REPLACE FUNCTION public.verify_email_and_create_session(input_id integer)
+    RETURNS uuid
+    LANGUAGE 'plpgsql'
+    COST 100
+    VOLATILE PARALLEL UNSAFE
+AS $BODY$
+DECLARE
+  session_id uuid;
+BEGIN
+  UPDATE users SET email_verified = true WHERE id = input_id;
+  SELECT create_session(input_id) INTO session_id;
+  RETURN session_id;
+END;
+$BODY$;
+ALTER FUNCTION public.verify_email_and_create_session(integer) OWNER TO auth;
 CREATE OR REPLACE FUNCTION public.register(
 	input json,
 	OUT user_session json)
@@ -242,10 +251,12 @@ DECLARE
   input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
   input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
 BEGIN
+  -- Google verifies email ownership; mark user as verified on every sign-in
+  UPDATE users SET email_verified = true WHERE email = input_email;
   SELECT json_build_object('id', create_session(users.id), 'user', json_build_object('id', users.id, 'role', users.role, 'email', input_email, 'firstName', users.first_name, 'lastName', users.last_name, 'phone', users.phone)) INTO user_session FROM users WHERE email = input_email;
   IF NOT FOUND THEN
-    INSERT INTO users(role, email, first_name, last_name)
-      VALUES('student', input_email, input_first_name, input_last_name)
+    INSERT INTO users(role, email, first_name, last_name, email_verified)
+      VALUES('student', input_email, input_first_name, input_last_name, true)
       RETURNING
         json_build_object(
           'id', create_session(users.id),
@@ -263,6 +274,14 @@ CREATE PROCEDURE public.delete_session(input_id integer)
 DELETE FROM sessions WHERE user_id = input_id;
 $$;
+CREATE OR REPLACE PROCEDURE public.delete_user(input_id integer)
+    LANGUAGE sql
+    AS $$
+DELETE FROM users WHERE id = input_id;
+$$;
+ALTER PROCEDURE public.delete_user(integer) OWNER TO auth;
 CREATE OR REPLACE PROCEDURE public.reset_password(IN input_id integer, IN input_password text)
   LANGUAGE plpgsql
 AS $procedure$
@@ -287,14 +306,15 @@ DECLARE
   input_phone varchar(23) := TRIM((input->>'phone')::varchar);
 BEGIN
   IF input_id = 0 THEN
-    INSERT INTO users (role, email, password, first_name, last_name, phone)
+    INSERT INTO users (role, email, password, first_name, last_name, phone, email_verified)
     VALUES (
 	  input_role, input_email, crypt(input_password, gen_salt('bf', 8)),
-	  input_first_name, input_last_name, input_phone);
+	  input_first_name, input_last_name, input_phone, true);
   ELSE
     UPDATE users SET
 	  role = input_role,
 	  email = input_email,
+	  email_verified = true,
 	  password = CASE WHEN input_password = ''
 		  THEN password -- leave as is (we are updating fields other than the password)
 		  ELSE crypt(input_password, gen_salt('bf', 8))

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
 	"name": "sveltekit-auth-example",
 	"description": "SvelteKit Authentication Example",
-	"version": "5.1.0",
+	"version": "5.1.1",
 	"author": "Nate Stuyvesant",
 	"license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
 	"repository": {

package/src/app.d.ts CHANGED Viewed

@@ -5,7 +5,7 @@
 // and what to do when importing types
 declare namespace App {
 	interface Locals {
-		user: User
+		user: User | undefined
 	}
 	// interface Platform {}

package/src/hooks.server.ts CHANGED Viewed

@@ -1,16 +1,42 @@
 import type { Handle, RequestEvent } from '@sveltejs/kit'
+import { error } from '@sveltejs/kit'
 import { query } from '$lib/server/db'
+// In-memory IP-based rate limiter for sensitive auth endpoints.
+// For multi-instance deployments, replace with a shared store like Redis.
+const ipRateLimit = new Map<string, { count: number; resetAt: number }>()
+const RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000 // 15 minutes
+const RATE_LIMIT_MAX_REQUESTS = 20
+const RATE_LIMITED_PATHS = new Set(['/auth/login', '/auth/register', '/auth/forgot'])
+function checkRateLimit(ip: string): boolean {
+	const now = Date.now()
+	const entry = ipRateLimit.get(ip)
+	if (!entry || now > entry.resetAt) {
+		ipRateLimit.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS })
+		return true
+	}
+	if (entry.count >= RATE_LIMIT_MAX_REQUESTS) return false
+	entry.count++
+	return true
+}
+// Periodically clean up expired entries to prevent unbounded memory growth
+setInterval(() => {
+	const now = Date.now()
+	for (const [key, value] of ipRateLimit) {
+		if (now > value.resetAt) ipRateLimit.delete(key)
+	}
+}, 60 * 60 * 1000)
 // Attach authorization to each server request (role may have changed)
 async function attachUserToRequestEvent(sessionId: string, event: RequestEvent) {
-	const { rows } = await query('SELECT * FROM get_session($1::uuid)', [sessionId], 'get-session')
-	if (rows?.length > 0) {
-		event.locals.user = <User>rows[0].get_session
-	}
+	const result = await query('SELECT * FROM get_session($1::uuid)', [sessionId], 'get-session')
+	event.locals.user = result.rows[0]?.get_session // undefined if not found
 }
 // Invoked for each endpoint called and initially for SSR router
-export const handle: Handle = async ({ event, resolve }) => {
+export const handle = (async ({ event, resolve }) => {
 	const { cookies, url } = event
 	// Skip auth overhead for static asset requests
@@ -18,6 +44,14 @@ export const handle: Handle = async ({ event, resolve }) => {
 		return resolve(event)
 	}
+	// Rate limit sensitive auth endpoints by IP
+	if (RATE_LIMITED_PATHS.has(url.pathname)) {
+		const ip = event.getClientAddress()
+		if (!checkRateLimit(ip)) {
+			error(429, 'Too many requests. Please try again later.')
+		}
+	}
 	// before endpoint or page is called
 	const sessionId = cookies.get('session')
 	if (sessionId) {
@@ -31,4 +65,4 @@ export const handle: Handle = async ({ event, resolve }) => {
 	// after endpoint or page is called
 	return response
-}
+}) satisfies Handle

package/src/lib/app-state.svelte.ts ADDED Viewed

@@ -0,0 +1,19 @@
+interface Toast {
+	title: string
+	body: string
+	isOpen: boolean
+}
+class AppState {
+	/** Currently logged-in user, undefined when not authenticated */
+	user = $state<User | undefined>(undefined)
+	/** Toast notification displayed at the top-right of the screen */
+	toast = $state<Toast>({ title: '', body: '', isOpen: false })
+	/** Whether the Google Identity Services SDK has been initialized */
+	googleInitialized = $state(false)
+}
+/** Singleton application state — import this throughout the app */
+export const appState = new AppState()

package/src/lib/auth-redirect.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { goto } from '$app/navigation'
+import { page } from '$app/state'
+/**
+ * Redirect the user to the appropriate page after a successful login,
+ * respecting an optional ?referrer= query parameter.
+ */
+export function redirectAfterLogin(user: User): void {
+	if (!user) return
+	const referrer = page.url.searchParams.get('referrer')
+	if (referrer) {
+		goto(referrer)
+		return
+	}
+	switch (user.role) {
+		case 'teacher':
+			goto('/teachers')
+			break
+		case 'admin':
+			goto('/admin')
+			break
+		default:
+			goto('/')
+	}
+}

package/src/lib/google.ts CHANGED Viewed

@@ -1,7 +1,6 @@
-import { page } from '$app/stores'
-import { goto } from '$app/navigation'
 import { PUBLIC_GOOGLE_CLIENT_ID } from '$env/static/public'
-import { googleInitialized, loginSession } from '../stores'
+import { appState } from '$lib/app-state.svelte'
+import { redirectAfterLogin } from '$lib/auth-redirect'
 export function renderGoogleButton() {
 	const btn = document.getElementById('googleButton')
@@ -10,26 +9,19 @@ export function renderGoogleButton() {
 			type: 'standard',
 			theme: 'filled_blue',
 			size: 'large',
-			width: 367
+			width: btn.offsetWidth || 400
 		})
 	}
 }
 export function initializeGoogleAccounts() {
-	let initialized = false
-	const unsubscribe = googleInitialized.subscribe(value => {
-		initialized = value
-	})
-	if (!initialized) {
+	if (!appState.googleInitialized) {
 		google.accounts.id.initialize({
 			client_id: PUBLIC_GOOGLE_CLIENT_ID,
 			callback: googleCallback
 		})
-		googleInitialized.set(true)
+		appState.googleInitialized = true
 	}
-	unsubscribe()
 	async function googleCallback(response: google.accounts.id.CredentialResponse) {
 		const res = await fetch('/auth/google', {
@@ -42,19 +34,8 @@ export function initializeGoogleAccounts() {
 		if (res.ok) {
 			const fromEndpoint = await res.json()
-			loginSession.set(fromEndpoint.user) // update loginSession store
-			const { role } = fromEndpoint.user
-			let referrer
-			const unsubscribe = page.subscribe(p => {
-				referrer = p.url.searchParams.get('referrer')
-			})
-			unsubscribe()
-			if (referrer) return goto(referrer)
-			if (role === 'teacher') return goto('/teachers')
-			if (role === 'admin') return goto('/admin')
-			if (location.pathname === '/login') goto('/') // logged in so go home
+			appState.user = fromEndpoint.user
+			redirectAfterLogin(fromEndpoint.user)
 		}
 	}
 }

package/src/lib/server/db.ts CHANGED Viewed

@@ -64,5 +64,6 @@ queryFn = <T extends QueryResultRow>(
  */
 export const query = <T extends QueryResultRow = any>(
 	sql: string,
-	params?: (string | number | boolean | object | null)[]
-): Promise<QueryResult<T>> => queryFn<T>(sql, params)
+	params?: (string | number | boolean | object | null)[],
+	name?: string
+): Promise<QueryResult<T>> => queryFn<T>(sql, params, name)

package/src/lib/server/sendgrid.ts CHANGED Viewed

@@ -4,14 +4,10 @@ import { env } from '$env/dynamic/private'
 export const sendMessage = async (message: Partial<MailDataRequired>) => {
 	const { SENDGRID_SENDER, SENDGRID_KEY } = env
-	try {
-		sgMail.setApiKey(SENDGRID_KEY)
-		const completeMessage = <MailDataRequired>{
-			from: SENDGRID_SENDER, // default sender can be altered
-			...message
-		}
-		await sgMail.send(completeMessage)
-	} catch (errSendingMail) {
-		console.error(errSendingMail)
+	sgMail.setApiKey(SENDGRID_KEY)
+	const completeMessage = <MailDataRequired>{
+		from: SENDGRID_SENDER, // default sender can be altered
+		...message
 	}
+	await sgMail.send(completeMessage)
 }

package/src/routes/+layout.svelte CHANGED Viewed

@@ -2,7 +2,7 @@
 	import { onMount } from 'svelte'
 	import type { LayoutServerData } from './$types'
 	import { goto, beforeNavigate } from '$app/navigation'
-	import { loginSession, toast } from '../stores'
+	import { appState } from '$lib/app-state.svelte'
 	import { initializeGoogleAccounts } from '$lib/google'
 	import './layout.css'
@@ -15,37 +15,46 @@
 	let { data, children }: Props = $props()
 	$effect(() => {
-		$loginSession = data.user
+		appState.user = data.user
 	})
 	let navOpen = $state(false)
 	let dropdownOpen = $state(false)
+	let dropdownEl: HTMLDivElement | undefined = $state()
+	function handleWindowClick(e: MouseEvent) {
+		if (dropdownOpen && dropdownEl && !dropdownEl.contains(e.target as Node)) {
+			dropdownOpen = false
+		}
+	}
 	beforeNavigate(() => {
 		navOpen = false
 		dropdownOpen = false
-		const expirationDate = $loginSession?.expires ? new Date($loginSession.expires) : undefined
+		const expirationDate = appState.user?.expires ? new Date(appState.user.expires) : undefined
 		if (expirationDate && expirationDate < new Date()) {
 			console.log('Login session expired.')
-			$loginSession = null
+			appState.user = undefined
 		}
 	})
 	onMount(() => {
 		initializeGoogleAccounts()
-		if (!$loginSession) google.accounts.id.prompt()
+		if (!appState.user) google.accounts.id.prompt()
 	})
 	async function logout(event: MouseEvent) {
 		event.preventDefault()
 		const res = await fetch('/auth/logout', { method: 'POST' })
 		if (res.ok) {
-			loginSession.set(undefined)
+			appState.user = undefined
 			goto('/login')
 		} else console.error(`Logout not successful: ${res.statusText} (${res.status})`)
 	}
 </script>
+<svelte:window onclick={handleWindowClick} />
 <nav class="tw:bg-gray-100 tw:border-b tw:border-gray-200">
 	<div class="tw:mx-auto tw:max-w-5xl tw:px-4 tw:flex tw:items-center tw:justify-between tw:h-14">
 		<a class="tw:font-semibold tw:text-gray-800 tw:no-underline" href="/">SvelteKit-Auth-Example</a>
@@ -66,35 +75,41 @@
 			<a class="tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:text-gray-900" href="/">Home</a>
 			<a class="tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:text-gray-900" href="/info">Info</a>
-			{#if $loginSession?.role === 'admin'}
+			{#if appState.user?.role === 'admin'}
 				<a class="tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:text-gray-900" href="/admin">Admin</a>
 			{/if}
-			{#if $loginSession && $loginSession.role !== 'student'}
+			{#if appState.user && appState.user.role !== 'student'}
 				<a class="tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:text-gray-900" href="/teachers">Teachers</a>
 			{/if}
-			{#if $loginSession}
+			{#if appState.user}
 				<!-- User dropdown -->
-				<div class="tw:relative">
+				<div class="tw:relative" bind:this={dropdownEl}>
 					<button
 						class="tw:flex tw:items-center tw:gap-1 tw:text-sm tw:text-gray-700 hover:tw:text-gray-900 tw:bg-transparent tw:border-0 tw:cursor-pointer"
 						onclick={() => (dropdownOpen = !dropdownOpen)}
 						aria-expanded={dropdownOpen}
+						aria-haspopup="true"
 					>
 						<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16" class="tw:relative tw:top-[-1.5px]">
 							<path d="M11 6a3 3 0 1 1-6 0 3 3 0 0 1 6 0z" />
 							<path fill-rule="evenodd" d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm8-7a7 7 0 0 0-5.468 11.37C3.242 11.226 4.805 10 8 10s4.757 1.225 5.468 2.37A7 7 0 0 0 8 1z" />
 						</svg>
-						{$loginSession.firstName}
+						{appState.user?.firstName}
 						<svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" viewBox="0 0 16 16">
 							<path d="M7.247 11.14 2.451 5.658C1.885 5.013 2.345 4 3.204 4h9.592a1 1 0 0 1 .753 1.659l-4.796 5.48a1 1 0 0 1-1.506 0z"/>
 						</svg>
 					</button>
 					{#if dropdownOpen}
-						<ul class="tw:absolute tw:right-0 tw:mt-1 tw:w-36 tw:rounded tw:border tw:border-gray-200 tw:bg-white tw:shadow-md tw:py-1 tw:z-50 tw:list-none tw:p-0">
+					<ul class="tw:absolute tw:right-0 tw:mt-1 tw:w-36 tw:rounded tw:border tw:border-gray-200 tw:bg-white tw:shadow-md tw:py-1 tw:z-50 tw:list-none">
 							<li><a class="tw:block tw:px-4 tw:py-2 tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:bg-gray-100" href="/profile">Profile</a></li>
-							{#if $loginSession.id !== 0}
-								<li><a onclick={logout} class="tw:block tw:px-4 tw:py-2 tw:text-sm tw:text-gray-700 tw:no-underline hover:tw:bg-gray-100" href="#">Logout</a></li>
+							{#if appState.user?.id !== 0}
+							<li>
+								<button
+									onclick={logout}
+									class="tw:block tw:w-full tw:text-left tw:px-4 tw:py-2 tw:text-sm tw:text-gray-700 tw:bg-transparent tw:border-0 tw:cursor-pointer hover:tw:bg-gray-100"
+								>Logout</button>
+							</li>
 							{/if}
 						</ul>
 					{/if}
@@ -111,7 +126,7 @@
 </main>
 <!-- Toast notification -->
-{#if $toast.isOpen}
+{#if appState.toast.isOpen}
 	<div
 		role="alert"
 		aria-live="assertive"
@@ -119,13 +134,13 @@
 		class="tw:fixed tw:top-4 tw:right-4 tw:z-50 tw:min-w-64 tw:rounded tw:shadow-lg tw:border tw:border-gray-200 tw:bg-white tw:overflow-hidden"
 	>
 		<div class="tw:flex tw:items-center tw:justify-between tw:bg-blue-600 tw:px-4 tw:py-2">
-			<strong class="tw:text-white tw:text-sm">{$toast.title}</strong>
+			<strong class="tw:text-white tw:text-sm">{appState.toast.title}</strong>
 			<button
 				type="button"
 				aria-label="Close"
 				class="tw:text-white tw:bg-transparent tw:border-0 tw:cursor-pointer tw:text-lg tw:leading-none"
-				onclick={() => ($toast = { ...$toast, isOpen: false })}>&times;</button>
+				onclick={() => (appState.toast = { ...appState.toast, isOpen: false })}>&times;</button>
 		</div>
-		<div class="tw:px-4 tw:py-3 tw:text-sm">{$toast.body}</div>
+		<div class="tw:px-4 tw:py-3 tw:text-sm">{appState.toast.body}</div>
 	</div>
 {/if}

package/src/routes/api/v1/user/+server.ts CHANGED Viewed

@@ -18,3 +18,19 @@ export const PUT: RequestHandler = async event => {
 		message: 'Successfully updated user profile.'
 	})
 }
+export const DELETE: RequestHandler = async event => {
+	const { user } = event.locals
+	if (!user) error(401, 'Unauthorized')
+	try {
+		// Deleting the user cascades to sessions via ON DELETE CASCADE
+		await query(`CALL delete_user($1);`, [user.id])
+	} catch {
+		error(503, 'Could not communicate with database.')
+	}
+	event.cookies.delete('session', { path: '/' })
+	return json({ message: 'Account successfully deleted.' })
+}

package/src/routes/auth/[slug]/+server.ts CHANGED Viewed

@@ -1,59 +1,8 @@
-import { error, json } from '@sveltejs/kit'
+import { error } from '@sveltejs/kit'
 import type { RequestHandler } from './$types'
-import { query } from '$lib/server/db'
-export const POST: RequestHandler = async event => {
-	const { cookies } = event
-	const { slug } = event.params
-	let result
-	let sql
-	try {
-		switch (slug) {
-			case 'logout':
-				if (event.locals.user) {
-					// else they are logged out / session ended
-					sql = `CALL delete_session($1);`
-					result = await query(sql, [event.locals.user.id])
-				}
-				cookies.delete('session', { path: '/' })
-				return json({ message: 'Logout successful.' })
-			case 'login':
-				sql = `SELECT authenticate($1) AS "authenticationResult";`
-				break
-			case 'register':
-				sql = `SELECT register($1) AS "authenticationResult";`
-				break
-			default:
-				error(404, 'Invalid endpoint.')
-		}
-		// Only /auth/login and /auth/register at this point
-		const body = await event.request.json()
-		// While client checks for these to be non-null, register() in the database does not
-		if (slug == 'register' && (!body.email || !body.password || !body.firstName || !body.lastName))
-			error(400, 'Please supply all required fields: email, password, first and last name.')
-		result = await query(sql, [JSON.stringify(body)])
-	} catch (err) {
-		error(503, 'Could not communicate with database.')
-	}
-	const { authenticationResult }: { authenticationResult: AuthenticationResult } = result.rows[0]
-	if (!authenticationResult.user)
-		// includes when a user tries to register an existing email account with wrong password
-		error(authenticationResult.statusCode, authenticationResult.status)
-	// Ensures hooks.server.ts:handle() will not delete session cookie
-	event.locals.user = authenticationResult.user
-	cookies.set('session', authenticationResult.sessionId, {
-		httpOnly: true,
-		sameSite: 'lax',
-		path: '/'
-	})
-	return json({ message: authenticationResult.status, user: authenticationResult.user })
+// Specific auth routes (login, register, logout) have their own +server.ts files
+// and take precedence over this dynamic segment. Any unrecognized path falls here.
+export const POST: RequestHandler = async () => {
+	error(404, 'Invalid endpoint.')
 }

package/src/routes/auth/forgot/+server.ts CHANGED Viewed

@@ -30,7 +30,12 @@ export const POST: RequestHandler = async event => {
         new password with a confirmation then redirect you to your login page.
       `
 		}
-		sendMessage(message)
+		try {
+			await sendMessage(message)
+		} catch (err) {
+			console.error('Failed to send password reset email:', err)
+			// Still return 204 to avoid leaking whether the email exists in our system
+		}
 	}
 	return new Response(undefined, { status: 204 })

package/src/routes/auth/google/+server.ts CHANGED Viewed

@@ -52,7 +52,7 @@ export const POST: RequestHandler = async event => {
 		// Prevent hooks.server.ts's handler() from deleting cookie thinking no one has authenticated
 		event.locals.user = userSession.user
-		cookies.set('session', userSession.id, { httpOnly: true, sameSite: 'lax', path: '/' })
+		cookies.set('session', userSession.id, { httpOnly: true, sameSite: 'lax', secure: true, path: '/' })
 		return json({ message: 'Successful Google Sign-In.', user: userSession.user })
 	} catch (err) {
 		let message = ''