sveltekit-auth-example 5.6.0 → 5.8.2

package/.env.example

@@ -2,6 +2,8 @@ DATABASE_URL=postgres://REPLACE_WITH_USER:REPLACE_WITH_PASSWORD@localhost:5432/a
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
-PUBLIC_GOOGLE_CLIENT_ID=REPLACE_WITH_YOUR_OWN
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
+PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own

package/CHANGELOG.md

@@ -2,6 +2,38 @@
 
 - Add password complexity checking on /register and /profile pages (only checks for length currently despite what the pages say)
 
+# 5.8.2
+
+- Add Chrome DevTools
+
+# 5.8.1
+
+- Fix MFA verification code always showing "6-digit verification code required" for valid codes: replaced `form.checkValidity()` and `codeInput.checkValidity()` (which picked up Cloudflare Turnstile's injected form elements) with a direct JS regex test against the bound `mfaCode` value
+- Move `<Turnstile>` outside the MFA `<form>` so its injected inputs are never part of the form's element collection
+- Fix `google is not defined` crash on hard reload of `/login`: Google GSI script is loaded `async defer` and may not be ready when `onMount` fires; added `whenGoogleReady()` helper in `src/lib/google.ts` that polls until `google` is available (up to 10 s) before calling `initializeGoogleAccounts()` and `renderGoogleButton()`
+
+# 5.8.0
+
+- Replace SendGrid with Brevo for all transactional email (password reset, email verification, MFA code)
+- New `src/lib/server/brevo.ts` sends email via the Brevo API with exponential-backoff retry logic (up to 4 attempts), 30-second per-request timeout, and `Retry-After` header support
+- Email templates (`password-reset.ts`, `mfa-code.ts`, `verify-email.ts`) updated to use Brevo message format (`sender`, `to[]`, `htmlContent`, `tags`)
+- Env vars changed: `SENDGRID_KEY` → `BREVO_KEY`, `SENDGRID_SENDER` → `EMAIL`
+- `app.d.ts` `PrivateEnv` updated to reflect new env vars
+- README updated with Brevo setup instructions and new env var names
+
+# 5.7.0
+
+- Add Cloudflare Turnstile CAPTCHA to login, register, forgot password, MFA, and password reset forms
+- New `src/lib/Turnstile.svelte` reusable Svelte 5 component wraps the Turnstile widget with `reset()` export
+- New `src/lib/server/turnstile.ts` server-side token verification utility (`verifyTurnstileToken`)
+- All auth endpoints verify the Turnstile challenge token before processing requests
+- New env vars: `PUBLIC_TURNSTILE_SITE_KEY` (client) and `TURNSTILE_SECRET_KEY` (server)
+- Extend `app.d.ts` with `PublicEnv`, `PrivateEnv` (add `TURNSTILE_SECRET_KEY`), and `Window.turnstile` types; wrap in `declare global`
+
+# 5.6.1
+
+- Add JSDoc comments throughout the codebase (`app.d.ts`, server hooks, route handlers, lib utilities, Svelte components)
+
 # 5.6.0
 
 - Split `db_create.sql` into `db_create.sql` (role + database creation) and `db_schema.sql` (schema, functions, seed data)

package/README.md

@@ -4,7 +4,7 @@
 [![Node](https://img.shields.io/node/v/sveltekit-auth-example)](https://nodejs.org)
 [![Svelte](https://img.shields.io/badge/Svelte-5-orange)](https://svelte.dev)
 
-A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, and OWASP-compliant password hashing out of the box.
+A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, OWASP-compliant password hashing, and bot protection out of the box.
 
 ## Features
 
@@ -12,10 +12,11 @@ A complete, production-ready authentication and authorization starter for **Svel
 | ---------------------------------------------- | --------------------------------------- |
 | ✅ Local accounts (email + password)           | ✅ Sign in with Google / Google One Tap |
 | ✅ Multi-factor authentication (MFA via email) | ✅ Email verification                   |
-| ✅ Forgot password / email reset (SendGrid)    | ✅ User profile management              |
+| ✅ Forgot password / email reset (Brevo)       | ✅ User profile management              |
 | ✅ Session management + timeout                | ✅ Rate limiting                        |
 | ✅ Role-based access control                   | ✅ Password complexity enforcement      |
 | ✅ Content Security Policy (CSP)               | ✅ OWASP-compliant password hashing     |
+| ✅ Cloudflare Turnstile CAPTCHA (bot protection) |                                       |
 
 ## Stack
 
@@ -28,8 +29,9 @@ A complete, production-ready authentication and authorization starter for **Svel
 
 - Node.js 24.14.0 or later
 - PostgreSQL 16 or later
-- A [SendGrid](https://sendgrid.com) account (for password reset emails)
+- A [Brevo](https://brevo.com) account (for transactional emails)
 - A [Google API client ID](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) (for Sign in with Google)
+- A [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) site key and secret key (for bot protection on auth forms)
 
 ## Setting up the project
 
@@ -49,7 +51,7 @@ bash db_create.sh
 
 2. Create a **Google API client ID** per [these instructions](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid). Make sure you include `http://localhost:3000` and `http://localhost` in the Authorized JavaScript origins, and `http://localhost:3000/auth/google/callback` in the Authorized redirect URIs for your Client ID for Web application. **Do not access the site using http://127.0.0.1:3000** — use `http://localhost:3000` or it will not work.
 
-3. [Create a free Twilio SendGrid account](https://signup.sendgrid.com) and generate an API Key following [this documentation](https://docs.sendgrid.com/ui/account-and-settings/api-keys) and add a sender as documented [here](https://docs.sendgrid.com/ui/sending-email/senders).
+3. [Create a free Brevo account](https://app.brevo.com/account/register) and generate an API Key under **SMTP & API** settings. Set `EMAIL` to the sender address verified in your Brevo account.
 
 4. Create a **.env** file at the top level of the project with the following values (substituting your own id and PostgreSQL username and password):
 
@@ -58,9 +60,11 @@ DATABASE_URL=postgres://user:password@localhost:5432/auth
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
 PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own
 ```
 
 ## Run locally
@@ -86,9 +90,11 @@ The db_create.sql script adds three users to the database with obvious roles:
 
 | Email               | Password   | Role    |
 | ------------------- | ---------- | ------- |
-| admin@example.com   | admin123   | admin   |
-| teacher@example.com | teacher123 | teacher |
-| student@example.com | student123 | student |
+| admin@example.com   | Admin1234!   | admin   |
+| teacher@example.com | Teacher1234! | teacher |
+| student@example.com | Student1234! | student |
+
+> **MFA note:** Local account logins require a 6-digit code sent to the user's email address. To successfully log in with the seed accounts above, either update their email addresses in the database to your own (`UPDATE users SET email = 'you@yourdomain.com' WHERE email = 'admin@example.com';`), or retrieve the code directly from the `mfa_codes` table after submitting the login form (`SELECT code FROM mfa_codes;`).
 
 ## How it works
 

package/db_create.sql

@@ -1,5 +1,6 @@
 -- Run via db_create.sh or:
 -- $ psql -d postgres -f db_create.sql && psql -d auth -f db_schema.sql
+
 -- Create role if not already there
 DO $do$
 BEGIN
@@ -32,367 +33,3 @@ LIMIT
 	= -1;
 
 COMMENT ON DATABASE auth IS 'SvelteKit Auth Example';
-
--- Required to generate UUIDs for sessions
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-
--- Required for case-insensitive text (email_address domain)
-CREATE EXTENSION IF NOT EXISTS citext;
-
--- Using hard-coded roles (often this would be a table)
-CREATE TYPE public.roles AS ENUM('student', 'teacher', 'admin');
-
-ALTER TYPE public.roles OWNER TO auth;
-
--- Domains
-CREATE DOMAIN public.email_address AS citext CHECK (
-	length(VALUE) <= 254
-	AND VALUE = btrim(VALUE)
-	AND VALUE ~* '^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$'
-);
-
-COMMENT ON DOMAIN public.email_address IS 'RFC-compliant email address (case-insensitive, max 254 chars)';
-
-CREATE DOMAIN public.persons_name AS text CHECK (length(VALUE) <= 20) NOT NULL;
-
-COMMENT ON DOMAIN public.persons_name IS 'Person first or last name (max 20 characters)';
-
-CREATE DOMAIN public.phone_number AS text CHECK (
-	VALUE IS NULL
-	OR length(VALUE) <= 50
-);
-
-COMMENT ON DOMAIN public.phone_number IS 'Phone number (max 50 characters)';
-
-CREATE TABLE IF NOT EXISTS public.users (
-	id integer NOT NULL GENERATED ALWAYS AS IDENTITY (
-		INCREMENT 1 START 1 MINVALUE 1 MAXVALUE 2147483647 CACHE 1
-	),
-	role roles NOT NULL DEFAULT 'student'::roles,
-	email email_address NOT NULL,
-	password character varying(80) COLLATE pg_catalog."default",
-	first_name persons_name,
-	last_name persons_name,
-	opt_out boolean NOT NULL DEFAULT false,
-	email_verified boolean NOT NULL DEFAULT false,
-	phone phone_number,
-	CONSTRAINT users_pkey PRIMARY KEY (id),
-	CONSTRAINT users_email_unique UNIQUE (email)
-) TABLESPACE pg_default;
-
-ALTER TABLE public.users OWNER to auth;
-
-CREATE INDEX users_first_name_index ON public.users USING btree (
-	first_name COLLATE pg_catalog."default" ASC NULLS LAST
-) TABLESPACE pg_default;
-
-CREATE INDEX users_last_name_index ON public.users USING btree (
-	last_name COLLATE pg_catalog."default" ASC NULLS LAST
-) TABLESPACE pg_default;
-
-CREATE INDEX users_password ON public.users USING btree (
-	password COLLATE pg_catalog."default" ASC NULLS LAST
-) TABLESPACE pg_default;
-
-CREATE TABLE IF NOT EXISTS public.sessions (
-	id uuid NOT NULL DEFAULT uuid_generate_v4 (),
-	user_id integer NOT NULL,
-	expires timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP + INTERVAL '2 hours'),
-	CONSTRAINT sessions_pkey PRIMARY KEY (id),
-	CONSTRAINT sessions_user_fkey FOREIGN KEY (user_id) REFERENCES public.users (id) MATCH SIMPLE ON UPDATE CASCADE ON DELETE CASCADE,
-	CONSTRAINT sessions_one_per_user UNIQUE (user_id)
-) TABLESPACE pg_default;
-
-ALTER TABLE public.sessions OWNER to auth;
-
-CREATE OR REPLACE FUNCTION public.authenticate (input json, OUT response json) RETURNS json LANGUAGE 'plpgsql' COST 100 VOLATILE PARALLEL UNSAFE AS $BODY$
-DECLARE
-  input_email text := trim(input->>'email');
-  input_password text := input->>'password';
-  v_user users%ROWTYPE;
-BEGIN
-  IF input_email IS NULL OR input_password IS NULL THEN
-    response := json_build_object('statusCode', 400, 'status', 'Please provide an email address and password to authenticate.', 'user', NULL, 'sessionId', NULL);
-    RETURN;
-  END IF;
-
-  SELECT * INTO v_user FROM users
-  WHERE email = input_email AND password = crypt(input_password, password) LIMIT 1;
-
-  IF NOT FOUND THEN
-    response := json_build_object('statusCode', 401, 'status', 'Invalid username/password combination.', 'user', NULL, 'sessionId', NULL);
-  ELSIF NOT v_user.email_verified THEN
-    response := json_build_object('statusCode', 403, 'status', 'Please verify your email address before logging in.', 'user', NULL, 'sessionId', NULL);
-  ELSE
-    response := json_build_object(
-      'statusCode', 200,
-      'status', 'Login successful.',
-      'user', json_build_object('id', v_user.id, 'role', v_user.role, 'email', input_email, 'firstName', v_user.first_name, 'lastName', v_user.last_name, 'phone', v_user.phone, 'optOut', v_user.opt_out),
-      'sessionId', create_session(v_user.id)
-    );
-  END IF;
-END;
-$BODY$;
-
-ALTER FUNCTION public.authenticate (json) OWNER TO auth;
-
-CREATE OR REPLACE FUNCTION public.create_session (input_user_id integer) RETURNS uuid LANGUAGE 'sql' COST 100 VOLATILE PARALLEL UNSAFE AS $BODY$
-  -- Remove expired sessions (index-friendly cleanup)
-  DELETE FROM sessions WHERE expires < CURRENT_TIMESTAMP;
-  -- Remove any existing session(s) for this user
-  DELETE FROM sessions WHERE user_id = input_user_id;
-  -- Create the new session
-  INSERT INTO sessions(user_id) VALUES (input_user_id) RETURNING sessions.id;
-$BODY$;
-
-ALTER FUNCTION public.create_session (integer) OWNER TO auth;
-
-CREATE OR REPLACE FUNCTION public.get_session (input_session_id uuid) RETURNS json LANGUAGE 'sql' AS $BODY$
-SELECT json_build_object(
-  'id', sessions.user_id,
-  'role', users.role,
-  'email', users.email,
-  'firstName', users.first_name,
-  'lastName', users.last_name,
-  'phone', users.phone,
-  'optOut', users.opt_out,
-  'expires', sessions.expires
-) AS user
-FROM sessions
-  INNER JOIN users ON sessions.user_id = users.id
-WHERE sessions.id = input_session_id AND expires > CURRENT_TIMESTAMP LIMIT 1;
-$BODY$;
-
-ALTER FUNCTION public.get_session (uuid) OWNER TO auth;
-
--- Like get_session but also bumps the expiry (sliding sessions).
--- Returns NULL if the session is expired or does not exist.
-CREATE OR REPLACE FUNCTION public.get_and_update_session (input_session_id uuid) RETURNS json LANGUAGE 'plpgsql' AS $BODY$
-DECLARE
-  result json;
-BEGIN
-  UPDATE sessions
-    SET expires = CURRENT_TIMESTAMP + INTERVAL '2 hours'
-  WHERE id = input_session_id AND expires > CURRENT_TIMESTAMP;
-
-  IF NOT FOUND THEN
-    RETURN NULL;
-  END IF;
-
-  SELECT json_build_object(
-    'id', sessions.user_id,
-    'role', users.role,
-    'email', users.email,
-    'firstName', users.first_name,
-    'lastName', users.last_name,
-    'phone', users.phone,
-    'optOut', users.opt_out,
-    'expires', sessions.expires
-  ) INTO result
-  FROM sessions
-    INNER JOIN users ON sessions.user_id = users.id
-  WHERE sessions.id = input_session_id;
-
-  RETURN result;
-END;
-$BODY$;
-
-ALTER FUNCTION public.get_and_update_session (uuid) OWNER TO auth;
-
-CREATE OR REPLACE FUNCTION public.verify_email_and_create_session (input_id integer) RETURNS uuid LANGUAGE 'plpgsql' COST 100 VOLATILE PARALLEL UNSAFE AS $BODY$
-DECLARE
-  session_id uuid;
-BEGIN
-  UPDATE users SET email_verified = true WHERE id = input_id;
-  SELECT create_session(input_id) INTO session_id;
-  RETURN session_id;
-END;
-$BODY$;
-
-ALTER FUNCTION public.verify_email_and_create_session (integer) OWNER TO auth;
-
-CREATE OR REPLACE FUNCTION public.register (input json, OUT user_session json) RETURNS json LANGUAGE 'plpgsql' COST 100 VOLATILE PARALLEL UNSAFE AS $BODY$
-DECLARE
-  input_email text := trim(input->>'email');
-  input_first_name text := trim(input->>'firstName');
-  input_last_name text := trim(input->>'lastName');
-  input_phone text := trim(input->>'phone');
-  input_password text := input->>'password';
-BEGIN
-  PERFORM id FROM users WHERE email = input_email;
-  IF NOT FOUND THEN
-    INSERT INTO users(role, password, email, first_name, last_name, phone)
-      VALUES('student', crypt(input_password, gen_salt('bf', 12)), input_email, input_first_name, input_last_name, input_phone)
-      RETURNING
-        json_build_object(
-          'sessionId', create_session(users.id),
-          'user', json_build_object('id', users.id, 'role', 'student', 'email', input_email, 'firstName', input_first_name, 'lastName', input_last_name, 'phone', input_phone, 'optOut', users.opt_out)
-        ) INTO user_session;
-  ELSE -- user is registering account that already exists so set sessionId and user to null so client can let them know
-  	SELECT authenticate(input) INTO user_session;
-  END IF;
-END;
-$BODY$;
-
-ALTER FUNCTION public.register (json) OWNER TO auth;
-
-CREATE OR REPLACE FUNCTION public.start_gmail_user_session (input json, OUT user_session json) RETURNS json LANGUAGE 'plpgsql' COST 100 VOLATILE PARALLEL UNSAFE AS $BODY$
-DECLARE
-  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
-  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
-  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
-BEGIN
-  -- Google verifies email ownership; mark user as verified on every sign-in
-  UPDATE users SET email_verified = true WHERE email = input_email;
-  SELECT json_build_object('id', create_session(users.id), 'user', json_build_object('id', users.id, 'role', users.role, 'email', input_email, 'firstName', users.first_name, 'lastName', users.last_name, 'phone', users.phone)) INTO user_session FROM users WHERE email = input_email;
-  IF NOT FOUND THEN
-    INSERT INTO users(role, email, first_name, last_name, email_verified)
-      VALUES('student', input_email, input_first_name, input_last_name, true)
-      RETURNING
-        json_build_object(
-          'id', create_session(users.id),
-          'user', json_build_object('id', users.id, 'role', 'student', 'email', input_email, 'firstName', input_first_name, 'lastName', input_last_name, 'phone', null)
-        ) INTO user_session;
-  END IF;
-END;
-$BODY$;
-
-ALTER FUNCTION public.start_gmail_user_session (json) OWNER TO auth;
-
-CREATE PROCEDURE public.delete_session (input_id integer) LANGUAGE sql AS $$
-DELETE FROM sessions WHERE user_id = input_id;
-$$;
-
-CREATE OR REPLACE PROCEDURE public.delete_user (input_id integer) LANGUAGE sql AS $$
-DELETE FROM users WHERE id = input_id;
-$$;
-
-ALTER PROCEDURE public.delete_user (integer) OWNER TO auth;
-
-CREATE OR REPLACE PROCEDURE public.reset_password (IN input_id integer, IN input_password text) LANGUAGE plpgsql AS $procedure$
-BEGIN
-  UPDATE users SET password = crypt(input_password, gen_salt('bf', 12)) WHERE id = input_id;
-END;
-$procedure$;
-
-ALTER PROCEDURE public.reset_password (integer, text) OWNER TO auth;
-
-CREATE OR REPLACE PROCEDURE public.upsert_user (input json) LANGUAGE plpgsql AS $BODY$
-DECLARE
-  input_id integer := COALESCE((input->>'id')::integer,0);
-  input_role roles := COALESCE((input->>'role')::roles, 'student');
-  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
-  input_password varchar(80) := COALESCE((input->>'password')::varchar, '');
-  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
-  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
-  input_phone varchar(23) := TRIM((input->>'phone')::varchar);
-BEGIN
-  IF input_id = 0 THEN
-    INSERT INTO users (role, email, password, first_name, last_name, phone, email_verified)
-    VALUES (
-	  input_role, input_email, crypt(input_password, gen_salt('bf', 12)),
-	  input_first_name, input_last_name, input_phone, true);
-  ELSE
-    UPDATE users SET
-	  role = input_role,
-	  email = input_email,
-	  email_verified = true,
-	  password = CASE WHEN input_password = ''
-		  THEN password -- leave as is (we are updating fields other than the password)
-		  ELSE crypt(input_password, gen_salt('bf', 12))
-	  END,
-	  first_name = input_first_name,
-	  last_name = input_last_name,
-	  phone = input_phone
-	WHERE id = input_id;
-  END IF;
-END;
-$BODY$;
-
-ALTER PROCEDURE public.upsert_user (json) OWNER TO auth;
-
-CREATE OR REPLACE PROCEDURE public.update_user (input_id integer, input json) LANGUAGE plpgsql AS $BODY$
-DECLARE
-  input_email varchar(80) := LOWER(TRIM((input->>'email')::varchar));
-  input_password varchar(80) := COALESCE((input->>'password')::varchar, '');
-  input_first_name varchar(20) := TRIM((input->>'firstName')::varchar);
-  input_last_name varchar(20) := TRIM((input->>'lastName')::varchar);
-  input_phone varchar(23) := TRIM((input->>'phone')::varchar);
-BEGIN
-  UPDATE users SET
-    email = input_email,
-	password = CASE WHEN input_password = ''
-      THEN password -- leave as is (we are updating fields other than the password)
-	  ELSE crypt(input_password, gen_salt('bf', 12))
-	END,
-	first_name = input_first_name,
-	last_name = input_last_name,
-	phone = input_phone
-  WHERE id = input_id;
-END;
-$BODY$;
-
-ALTER PROCEDURE public.update_user (integer, json) OWNER TO auth;
-
--- MFA codes table (one pending code per user, replaced on each new login attempt)
-CREATE TABLE IF NOT EXISTS public.mfa_codes (
-	user_id integer NOT NULL,
-	code varchar(6) NOT NULL,
-	expires timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP + INTERVAL '10 minutes'),
-	CONSTRAINT mfa_codes_pkey PRIMARY KEY (user_id),
-	CONSTRAINT mfa_codes_user_fkey FOREIGN KEY (user_id) REFERENCES public.users (id) ON DELETE CASCADE
-) TABLESPACE pg_default;
-
-ALTER TABLE public.mfa_codes OWNER TO auth;
-
--- Generate and store a fresh 6-digit MFA code for a user, returning the code
-CREATE OR REPLACE FUNCTION public.create_mfa_code (input_user_id integer) RETURNS varchar LANGUAGE plpgsql AS $BODY$
-DECLARE
-  v_code varchar(6) := lpad(floor(random() * 1000000)::integer::text, 6, '0');
-BEGIN
-  DELETE FROM mfa_codes WHERE expires < CURRENT_TIMESTAMP;
-  INSERT INTO mfa_codes(user_id, code)
-  VALUES (input_user_id, v_code)
-  ON CONFLICT (user_id) DO UPDATE
-    SET code = EXCLUDED.code,
-        expires = CURRENT_TIMESTAMP + INTERVAL '10 minutes';
-  RETURN v_code;
-END;
-$BODY$;
-
-ALTER FUNCTION public.create_mfa_code (integer) OWNER TO auth;
-
--- Verify an MFA code for a given email address.
--- Returns the user_id on success (and deletes the code), or NULL on failure.
-CREATE OR REPLACE FUNCTION public.verify_mfa_code (input_email text, input_code text) RETURNS integer LANGUAGE plpgsql AS $BODY$
-DECLARE
-  v_user_id integer;
-BEGIN
-  SELECT mfa_codes.user_id INTO v_user_id
-  FROM mfa_codes
-    INNER JOIN users ON mfa_codes.user_id = users.id
-  WHERE users.email = input_email
-    AND mfa_codes.code = input_code
-    AND mfa_codes.expires > CURRENT_TIMESTAMP;
-
-  IF FOUND THEN
-    DELETE FROM mfa_codes WHERE user_id = v_user_id;
-  END IF;
-
-  RETURN v_user_id;
-END;
-$BODY$;
-
-ALTER FUNCTION public.verify_mfa_code (text, text) OWNER TO auth;
-
-CALL public.upsert_user (
-	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"admin123", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
-);
-
-CALL public.upsert_user (
-	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"teacher123", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
-);
-
-CALL public.upsert_user (
-	'{"id":0, "role":"student", "email":"student@example.com", "password":"student123", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
-);

package/db_schema.sql

@@ -357,13 +357,13 @@ $BODY$;
 ALTER FUNCTION public.verify_mfa_code (text, text) OWNER TO auth;
 
 CALL public.upsert_user (
-	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"admin123", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
+	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"Admin1234!", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"teacher123", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
+	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"Teacher1234!", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"student", "email":"student@example.com", "password":"student123", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
+	'{"id":0, "role":"student", "email":"student@example.com", "password":"Student1234!", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
 );

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "sveltekit-auth-example",
 	"description": "SvelteKit Authentication Example",
-	"version": "5.6.0",
+	"version": "5.8.2",
 	"author": "Nate Stuyvesant",
 	"license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
 	"repository": {
@@ -29,6 +29,7 @@
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
 		"lint": "prettier --check . && eslint .",
 		"format": "prettier --write .",
+		"coverage": "vitest run --coverage",
 		"test:e2e": "playwright test",
 		"test:unit": "vitest"
 	},
@@ -48,7 +49,7 @@
 		"@sveltejs/adapter-node": "^5.5.4",
 		"@sveltejs/kit": "^2.54.0",
 		"@sveltejs/mcp": "^0.1.21",
-		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"@sveltejs/vite-plugin-svelte": "^7.0.0",
 		"@tailwindcss/vite": "^4.2.1",
 		"@types/bootstrap": "5.2.10",
 		"@types/google.accounts": "^0.0.18",
@@ -63,13 +64,14 @@
 		"prettier-plugin-sql": "^0.19.2",
 		"prettier-plugin-svelte": "^3.5.1",
 		"prettier-plugin-tailwindcss": "^0.7.2",
-		"svelte": "^5.53.10",
+		"svelte": "^5.53.11",
 		"svelte-check": "^4.4.5",
 		"tslib": "^2.8.1",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.57.0",
-		"vite": "^7.3.1",
-		"vitest": "^4.0.18",
+		"vite": "^8.0.0",
+		"vite-plugin-devtools-json": "^1.0.0",
+		"vitest": "^4.1.0",
 		"vitest-browser-svelte": "^2.0.2"
 	},
 	"packageManager": "yarn@4.13.0"