toiljs 0.0.52 → 0.0.54

package/src/client/auth.ts

@@ -11,7 +11,7 @@
  * JSON, byte-identical to the server's `AuthService.buildLoginMessage`.
  */
 
-import { argon2id, sha256, createSHA256 } from 'hash-wasm';
+import { argon2id, createSHA256, createHMAC } from 'hash-wasm';
 import { ml_dsa44 } from '@dacely/noble-post-quantum/ml-dsa.js';
 import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
 import { ristretto255_oprf } from '@noble/curves/ed25519.js';
@@ -22,7 +22,9 @@ import { DataReader, DataWriter } from 'toiljs/io';
 export const LOGIN_CONTEXT = 'qauth:login:v1';
 /** Registration proof-of-possession context (binds a sig to "register"). */
 export const REGISTER_CONTEXT = 'qauth:register:v1';
-/** Domain separator for the server's mutual-auth confirmation tag. */
+/** Domain separators for the session-key derivation and the confirmation tag.
+ *  Byte-identical to the server. */
+export const SESSION_KEY_LABEL = 'toil-session-key-v1';
 export const SERVER_CONFIRM_LABEL = 'toil-server-confirm-v1';
 
 /** ML-KEM-768 sizes (FIPS 203). */
@@ -98,6 +100,16 @@ async function sha256Bytes(data: Uint8Array): Promise<Uint8Array> {
     return h.digest('binary') as unknown as Uint8Array;
 }
 
+/** HMAC-SHA256(key, msg) -> 32 raw bytes, via hash-wasm (pure WASM, works in an
+ *  insecure context). Mirrors the server's `AuthService` HMAC for the session-key
+ *  derivation and the mutual-auth confirmation tag. */
+async function hmacSha256(key: Uint8Array, msg: Uint8Array): Promise<Uint8Array> {
+    const h = await createHMAC(createSHA256(), key);
+    h.init();
+    h.update(msg);
+    return h.digest('binary') as unknown as Uint8Array;
+}
+
 function concatBytes(...parts: Uint8Array[]): Uint8Array {
     let n = 0;
     for (const p of parts) n += p.length;
@@ -118,8 +130,11 @@ function bytesEqual(a: Uint8Array, b: Uint8Array): boolean {
     return diff === 0;
 }
 
-/** The canonical login message `M`, fixed binary layout (see the server's
- *  `AuthService.buildLoginMessage`). Both ends MUST produce identical bytes. */
+/** The canonical login message `M` -- ONE fixed binary layout, byte-identical to
+ *  the server's `AuthService.buildLoginMessage`. Binds the ML-KEM ciphertext (so
+ *  the signature commits to the key encapsulation), the Argon2id params (so a
+ *  MITM cannot slip a downgrade past the signature), and the server KEM key id
+ *  (so it commits to which server key was encapsulated to). */
 export function buildLoginMessage(
     sub: string,
     aud: string,
@@ -127,32 +142,14 @@ export function buildLoginMessage(
     nonce: Uint8Array,
     iat: bigint,
     exp: bigint,
-): Uint8Array {
-    return new DataWriter()
-        .writeU8(1)
-        .writeString(sub)
-        .writeString(aud)
-        .writeBytes(cid)
-        .writeBytes(nonce)
-        .writeU64(iat)
-        .writeU64(exp)
-        .toBytes();
-}
-
-/** Login message `M` v2: the v1 fields plus the ML-KEM ciphertext, so the
- *  ML-DSA signature binds the key encapsulation. Byte-identical to the server's
- *  `AuthService.buildLoginMessageV2`. */
-export function buildLoginMessageV2(
-    sub: string,
-    aud: string,
-    cid: Uint8Array,
-    nonce: Uint8Array,
-    iat: bigint,
-    exp: bigint,
     ciphertext: Uint8Array,
+    memKiB: number,
+    iterations: number,
+    parallelism: number,
+    serverKemKeyId: Uint8Array,
 ): Uint8Array {
     return new DataWriter()
-        .writeU8(2)
+        .writeU8(1)
         .writeString(sub)
         .writeString(aud)
         .writeBytes(cid)
@@ -160,6 +157,10 @@ export function buildLoginMessageV2(
         .writeU64(iat)
         .writeU64(exp)
         .writeBytes(ciphertext)
+        .writeU32(memKiB)
+        .writeU32(iterations)
+        .writeU32(parallelism)
+        .writeBytes(serverKemKeyId)
         .toBytes();
 }
 
@@ -170,7 +171,6 @@ export function buildRegisterMessage(username: string, publicKey: Uint8Array): U
     return new DataWriter().writeU8(1).writeString(username).writeBytes(publicKey).toBytes();
 }
 
-// ---- wire codecs (the example `Auth` @rest controller mirrors these) -------
 
 function decodeKdf(r: DataReader): KdfParams {
     return {
@@ -199,7 +199,7 @@ export interface AuthOptions {
 }
 
 /**
- * Register a new account (OPAQUE-style). The password never leaves the browser:
+ * Register a new account. The password never leaves the browser:
  * it is blinded and run through the server-keyed OPRF, the OPRF output is
  * stretched with Argon2id into an ML-DSA-44 keypair, and ONLY the public key
  * (plus a proof-of-possession signature) is submitted. Throws on failure.
@@ -249,11 +249,13 @@ export async function register(username: string, password: string, opts: AuthOpt
         '/register/finish',
         new DataWriter().writeString(username).writeBytes(publicKey).writeBytes(regProof).toBytes(),
     );
-    if (finish.readU8() !== 0) throw new Error('auth: registration rejected');
+    const finishStatus = finish.readU8();
+    if (finishStatus === 1) throw new Error('auth: username already registered (log in instead)');
+    if (finishStatus !== 0) throw new Error('auth: registration rejected');
 }
 
 /**
- * Log in (OPAQUE-style, with ML-KEM mutual auth). Steps:
+ * Log in (challenge-response with ML-KEM mutual auth). Steps:
  *   1. Blind the password; `login/start` returns the challenge + the OPRF
  *      evaluation (a fully-formed response even for unknown users -> no oracle).
  *   2. Finalize the OPRF -> keyed salt -> seed -> ML-DSA keypair.
@@ -292,9 +294,14 @@ export async function login(username: string, password: string, opts: AuthOption
     const oprfOutput = oprf.finalize(pw, blind, evaluated);
     const seed = await deriveSeed(oprfOutput, kdf);
 
-    // 3. Encapsulate to the pinned server KEM key, build + sign the v2 message.
+    // 3. Encapsulate to the pinned server KEM key; build + sign the message,
+    //    which binds the ciphertext, the KDF params, and the server key id.
     const { cipherText, sharedSecret } = ml_kem768.encapsulate(SERVER_KEM_PUBLIC_KEY);
-    const message = buildLoginMessageV2(username, aud, cid, nonce, iat, exp, cipherText);
+    const serverKemKeyId = await sha256Bytes(SERVER_KEM_PUBLIC_KEY);
+    const message = buildLoginMessage(
+        username, aud, cid, nonce, iat, exp,
+        cipherText, kdf.memKiB, kdf.iterations, kdf.parallelism, serverKemKeyId,
+    );
     let signature: Uint8Array;
     try {
         const kp = ml_dsa44.keygen(seed);
@@ -321,135 +328,18 @@ export async function login(username: string, password: string, opts: AuthOption
     const session = res.readBytes();
     const serverConfirm = res.readBytes();
 
-    // 5. Mutual auth: only a server that decapsulated correctly can produce
-    //    SHA-256(label || sharedSecret || sha256(M)). Verify before trusting.
+    // 5. Mutual auth: derive the session key K = HMAC(sharedSecret, label || H(M)),
+    //    then check the server's tag = HMAC(K, label || H(M)). Only a server that
+    //    decapsulated correctly derives the same K, so a valid tag proves its
+    //    identity. Verify before returning the session.
     const transcriptHash = await sha256Bytes(message);
-    const expected = await sha256Bytes(
-        concatBytes(utf8(SERVER_CONFIRM_LABEL), sharedSecret, transcriptHash),
-    );
+    const sessionKey = await hmacSha256(sharedSecret, concatBytes(utf8(SESSION_KEY_LABEL), transcriptHash));
     wipe(sharedSecret);
+    const expected = await hmacSha256(sessionKey, concatBytes(utf8(SERVER_CONFIRM_LABEL), transcriptHash));
     if (!bytesEqual(expected, serverConfirm)) throw new Error('auth: server authentication failed');
 
     return session; // session token
 }
 
-/** Lowercase hex of `bytes`. */
-function toHex(bytes: Uint8Array): string {
-    let s = '';
-    for (const b of bytes) s += b.toString(16).padStart(2, '0');
-    return s;
-}
-
-/** The signed identity proof produced by {@link proveIdentity}. */
-export interface IdentityProof {
-    /** The wire envelope to POST to `/pq/verify`: `str(sub) str(token)
-     *  bytes(publicKey) bytes(signature)`, where `token` is the edge's
-     *  HMAC-signed challenge. The server re-opens the token, rebuilds the login
-     *  message from the values inside it, and `AuthService.verifyLogin`s it. */
-    readonly envelope: Uint8Array;
-    /** First bytes of the 1312-byte ML-DSA-44 public key, for display. */
-    readonly publicKeyHex: string;
-    /** First bytes of the SERVER-issued nonce that was signed, for display. */
-    readonly nonceHex: string;
-    /** Signature length (always 2420 for ML-DSA-44), for display. */
-    readonly signatureLen: number;
-    /** Argon2id wall-clock spent deriving the keypair, ms (for display). */
-    readonly deriveMs: number;
-}
-
-/** Deterministic 16-byte Argon2id salt for the demo, so the same
- *  username + password always maps to the same identity (keypair).
- *  Uses hash-wasm's SHA-256 (pure WebAssembly), not `crypto.subtle`, so it
- *  works in an insecure context (plain HTTP), where `crypto.subtle` is
- *  undefined. */
-async function demoSalt(username: string): Promise<Uint8Array> {
-    const hex = await sha256('pq-demo|' + username);
-    const out = new Uint8Array(16);
-    for (let i = 0; i < 16; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-    return out;
-}
-
-/**
- * DEMO helper: run the full post-quantum challenge-response in the browser.
- * Fetches a SERVER-issued challenge (`GET {baseUrl}/challenge`), stretches the
- * password with Argon2id into an ML-DSA-44 keypair, signs the login message
- * built from the SERVER's nonce/cid/iat/exp, and returns the wire envelope the
- * edge verifies (`AuthService.verifyLogin`). The secret key and seed are wiped
- * before returning; only the public key + signature leave the tab.
- *
- * The nonce is server-chosen and tamper-proof (the challenge token is
- * HMAC-signed by the edge), so a client cannot pre-sign or substitute its own.
- * It is still NOT the full production login -- there is no single-use consume, so
- * within the challenge TTL a captured proof could be replayed; that needs an
- * atomic store (see {@link login} and server/routes/Auth.ts). Demo-light
- * Argon2id params (16 MiB / 2 passes) keep it responsive in a tab; a real
- * deployment uses >= 256 MiB.
- */
-export async function proveIdentity(
-    username: string,
-    password: string,
-    opts: { baseUrl?: string } = {},
-): Promise<IdentityProof> {
-    const baseUrl = opts.baseUrl ?? '/pq';
-
-    // 1. Server-issued challenge: aud, cid, nonce, iat, exp, and the signed token.
-    const cres = await fetch(baseUrl + '/challenge', { credentials: 'same-origin' });
-    if (!cres.ok) throw new Error('pq: challenge request failed');
-    const cr = new DataReader(new Uint8Array(await cres.arrayBuffer()));
-    const aud = cr.readString();
-    const cid = cr.readBytes();
-    const nonce = cr.readBytes();
-    const iat = cr.readU64();
-    const exp = cr.readU64();
-    const token = cr.readString();
-
-    // 2. Derive the keypair and sign the message built from the SERVER's values.
-    const salt = await demoSalt(username);
-    const t0 = Date.now();
-    const seed = await argon2id({
-        password: new TextEncoder().encode(password.normalize('NFKC')),
-        salt,
-        iterations: 2,
-        parallelism: 1,
-        memorySize: 16 * 1024, // 16 MiB: demo-light, responsive in a tab
-        hashLength: SEED_LEN,
-        outputType: 'binary',
-    });
-    const deriveMs = Date.now() - t0;
-
-    const message = buildLoginMessage(username, aud, cid, nonce, iat, exp);
-    let publicKey: Uint8Array;
-    let signature: Uint8Array;
-    try {
-        const kp = ml_dsa44.keygen(seed);
-        publicKey = kp.publicKey;
-        try {
-            signature = ml_dsa44.sign(message, kp.secretKey, {
-                context: new TextEncoder().encode(LOGIN_CONTEXT),
-            });
-        } finally {
-            wipe(kp.secretKey);
-        }
-    } finally {
-        wipe(seed);
-    }
-
-    // 3. Envelope: sub + the server's token + the public key + the signature.
-    const envelope = new DataWriter()
-        .writeString(username)
-        .writeString(token)
-        .writeBytes(publicKey)
-        .writeBytes(signature)
-        .toBytes();
-
-    return {
-        envelope,
-        publicKeyHex: toHex(publicKey.slice(0, 16)),
-        nonceHex: toHex(nonce.slice(0, 16)),
-        signatureLen: signature.length,
-        deriveMs,
-    };
-}
-
 /** The client auth surface, grouped for `Auth.register` / `Auth.login` use. */
-export const Auth = { register, login, proveIdentity, buildLoginMessage, LOGIN_CONTEXT } as const;
+export const Auth = { register, login, buildLoginMessage, LOGIN_CONTEXT } as const;

package/src/client/index.ts

@@ -10,8 +10,8 @@
 
 export { mount } from './routing/mount.js';
 export { Router } from './routing/Router.js';
-export { Auth, register as authRegister, login as authLogin, proveIdentity, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
-export type { KdfParams, AuthOptions, IdentityProof } from './auth.js';
+export { Auth, register as authRegister, login as authLogin, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
+export type { KdfParams, AuthOptions } from './auth.js';
 export { Link } from './navigation/Link.js';
 export type { LinkProps } from './navigation/Link.js';
 export { NavLink, matchActive } from './navigation/NavLink.js';

package/src/compiler/generate.ts

@@ -122,7 +122,7 @@ export const TOIL_SERVER_ENV_DTS =
     `declare class TwoFactorIssue { code: string; token: string; constructor(code: string, token: string); }\n` +
     `declare class TwoFactorChallenge { token: string; status: EmailStatus; constructor(token: string, status: EmailStatus); }\n` +
     `declare namespace TwoFactor { const DEFAULT_TTL_SECS: u64; const DEFAULT_DIGITS: i32; function setSecret(secret: Uint8Array): void; function issue(recipient: string, purpose: string, ttlSecs?: u64, digits?: i32): TwoFactorIssue; function send(recipient: string, purpose: string, ttlSecs?: u64, digits?: i32): TwoFactorChallenge; function verify(token: string, recipient: string, code: string): bool; }\n` +
-    `declare namespace AuthService { const SESSION_COOKIE: string; const USER_COOKIE: string; const LOGIN_CONTEXT: string; const PUBLIC_KEY_LEN: i32; const SIGNATURE_LEN: i32; const DEFAULT_SESSION_TTL_SECS: u64; function setSecret(secret: Uint8Array): void; function hasSession(): bool; function getSessionBytes(): Uint8Array | null; function getUser(): __ToilAuthUser | null; function mintSession(userData: Uint8Array, ttlSecs?: u64): Cookie; function clearSession(): Cookie; function userCookie(userData: Uint8Array, ttlSecs?: u64): Cookie; function clearUserCookie(): Cookie; function buildLoginMessage(sub: string, aud: string, cid: Uint8Array, nonce: Uint8Array, iat: u64, exp: u64): Uint8Array; function verifyLogin(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): bool; const KEM_CIPHERTEXT_LEN: i32; const KEM_SECRET_KEY_LEN: i32; const KEM_PUBLIC_KEY_LEN: i32; const SHARED_SECRET_LEN: i32; const OPRF_ELEMENT_LEN: i32; const OPRF_SEED_LEN: i32; const SERVER_CONFIRM_LABEL: string; function setOprfSeed(seed: Uint8Array): void; function setServerKemSecretKey(secretKey: Uint8Array): void; function oprfEvaluate(username: string, blinded: Uint8Array): Uint8Array; function mlkemDecapsulate(ciphertext: Uint8Array): Uint8Array; function sha256(data: Uint8Array): Uint8Array; function buildLoginMessageV2(sub: string, aud: string, cid: Uint8Array, nonce: Uint8Array, iat: u64, exp: u64, ciphertext: Uint8Array): Uint8Array; function serverConfirmTag(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array; const REGISTER_CONTEXT: string; function buildRegisterMessage(username: string, publicKey: Uint8Array): Uint8Array; function verifyRegister(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): bool; }\n` +
+    `declare namespace AuthService { const SESSION_COOKIE: string; const USER_COOKIE: string; const LOGIN_CONTEXT: string; const PUBLIC_KEY_LEN: i32; const SIGNATURE_LEN: i32; const DEFAULT_SESSION_TTL_SECS: u64; function setSecret(secret: Uint8Array): void; function hasSession(): bool; function getSessionBytes(): Uint8Array | null; function getUser(): __ToilAuthUser | null; function mintSession(userData: Uint8Array, ttlSecs?: u64): Cookie; function clearSession(): Cookie; function userCookie(userData: Uint8Array, ttlSecs?: u64): Cookie; function clearUserCookie(): Cookie; function buildLoginMessage(sub: string, aud: string, cid: Uint8Array, nonce: Uint8Array, iat: u64, exp: u64, ciphertext: Uint8Array, memKiB: u32, iterations: u32, parallelism: u32, serverKemKeyId: Uint8Array): Uint8Array; function verifyLogin(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): bool; const KEM_CIPHERTEXT_LEN: i32; const KEM_SECRET_KEY_LEN: i32; const KEM_PUBLIC_KEY_LEN: i32; const SHARED_SECRET_LEN: i32; const OPRF_ELEMENT_LEN: i32; const OPRF_SEED_LEN: i32; const SESSION_KEY_LABEL: string; const SERVER_CONFIRM_LABEL: string; function setOprfSeed(seed: Uint8Array): void; function setServerKemSecretKey(secretKey: Uint8Array): void; function setServerKemPublicKey(publicKey: Uint8Array): void; function serverKemKeyId(): Uint8Array; function oprfEvaluate(username: string, blinded: Uint8Array): Uint8Array; function mlkemDecapsulate(ciphertext: Uint8Array): Uint8Array; function sha256(data: Uint8Array): Uint8Array; function deriveSessionKey(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array; function serverConfirmTag(sessionKey: Uint8Array, transcriptHash: Uint8Array): Uint8Array; const REGISTER_CONTEXT: string; function buildRegisterMessage(username: string, publicKey: Uint8Array): Uint8Array; function verifyRegister(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): bool; }\n` +
     `interface __ToilAuthUser {}\n`;
 
 /**

package/src/devserver/crypto.ts

@@ -260,7 +260,7 @@ export function buildCryptoImports(
         },
 
         // RFC 9497 OPRF (mode 0x00, ristretto255-SHA512) server evaluation for
-        // the OPAQUE-style keyed salt. Mirrors the edge host
+        // the keyed-salt OPRF. Mirrors the edge host
         // (`voprf_evaluate_import.rs` / the `voprf` crate): derive the per-user
         // key from (seed, info=username) and blind-evaluate the client's blinded
         // element, writing the 32-byte evaluated element to `outPtr`. Backed by

package/src/devserver/kv.ts

@@ -1,21 +1,18 @@
 /**
  * DEV-ONLY persistent key-value store host imports (`env::kv.*`).
  *
- * ============================ REMOVE KV LATER ============================
- * This exists ONLY so the post-quantum auth example can run the full
- * register -> login chain end-to-end under `toiljs dev`. A tenant's wasm linear
- * memory is wiped after every request, so account records and login challenges
- * cannot live in the guest across the two round trips; they need an external
- * store. This module is a single-process `Map` standing in for that store.
+ * REMOVE LATER. This exists ONLY so the post-quantum auth example can run the
+ * full register -> login chain end-to-end under `toiljs dev`. A tenant's wasm
+ * linear memory is wiped after every request, so account records and login
+ * challenges cannot live in the guest across the two round trips; they need an
+ * external store. This module is a single-process `Map` standing in for that.
  *
  * It is intentionally NOT registered on the production Rust edge
  * (`toil-backend` `HOST_IMPORTS`), so a module using `kv.*` will not instantiate
- * there. REPLACE THIS once toildb is implemented: move the example's account +
- * challenge stores onto toildb (which provides the atomic fetch-and-delete the
- * challenge consume needs) and delete this whole module. DO NOT ship this `Map`
- * as a production storage path: it is single-instance, unbounded, and lost on
- * restart.
- * ========================================================================
+ * there. Once toildb is implemented, move the example's account + challenge
+ * stores onto toildb (which provides the atomic fetch-and-delete the challenge
+ * consume needs) and delete this whole module. DO NOT ship this `Map` as a
+ * production storage path: it is single-instance, unbounded, and lost on restart.
  *
  * Wire ABI (mirrors the crypto imports' caller-allocated-buffer convention):
  *   kv.put(keyPtr, keyLen, valPtr, valLen)            -> void

package/test/pqauth-e2e.test.ts

@@ -40,20 +40,32 @@ function loadModule(): WasmServerModule {
 /** Route the client's `fetch(path, {body})` into the dev wasm dispatcher. */
 function installFetchShim(m: WasmServerModule): () => void {
     const original = globalThis.fetch;
+    const jar = new Map<string, string>();
     globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
         const url = typeof input === 'string' ? input : input.toString();
         const pathname = new URL(url, 'http://localhost').pathname;
         const bodyBytes =
             init?.body == null ? new Uint8Array(0) : new Uint8Array(init.body as ArrayBuffer);
+        const headers: [string, string][] = [
+            ['host', 'localhost:3000'],
+            ['content-type', 'application/octet-stream'],
+        ];
+        if (jar.size > 0)
+            headers.push(['cookie', [...jar.entries()].map(([k, v]) => `${k}=${v}`).join('; ')]);
         const r = m.dispatch({
             method: (init?.method ?? 'GET') as 'GET' | 'POST',
             path: pathname,
-            headers: [
-                ['host', 'localhost:3000'],
-                ['content-type', 'application/octet-stream'],
-            ],
+            headers,
             body: bodyBytes,
         });
+        // Fold any Set-Cookie (`name=value; Path=/; ...`) into the jar so the next
+        // request replays it, exactly like a browser.
+        for (const [name, value] of r.headers) {
+            if (name.toLowerCase() !== 'set-cookie') continue;
+            const pair = value.split(';', 1)[0];
+            const eq = pair.indexOf('=');
+            if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
+        }
         const ab = r.body.buffer.slice(r.body.byteOffset, r.body.byteOffset + r.body.byteLength);
         return {
             ok: r.status >= 200 && r.status < 300,
@@ -86,6 +98,26 @@ describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example was
             // verified against the client's own shared secret.
             const session = await Auth.login('ada', 'correct horse battery staple');
             expect(session.length).toBeGreaterThan(0);
+
+            // Regression guard: the freshly minted session cookie (captured by the
+            // shim jar) must be ACCEPTED by the `@auth`-gated `/session/me`, which
+            // runs in a separate fresh wasm instance from `login/finish`. The bug
+            // was that login configured a different HMAC secret than the verify
+            // path used, so the MAC failed and `/session/me` returned 401.
+            const meRes = await fetch('/session/me');
+            expect(meRes.status).toBe(200);
+            const me = new DataReader(new Uint8Array(await meRes.arrayBuffer()));
+            expect(me.readString()).toBe('ada');
+            expect(me.readBool()).toBe(false); // 'ada' is not 'root' -> not admin
+        },
+        60_000,
+    );
+
+    it(
+        'rejects /session/me with no session cookie (the @auth gate holds)',
+        async () => {
+            const meRes = await fetch('/session/me');
+            expect(meRes.status).toBe(401);
         },
         60_000,
     );
@@ -106,6 +138,19 @@ describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example was
         },
         60_000,
     );
+
+    it(
+        'rejects a duplicate registration with a clear (not generic) message',
+        async () => {
+            await Auth.register('dupe', 'correct horse battery staple');
+            // Second registration of the same username must say so explicitly,
+            // not return the generic "request failed".
+            await expect(Auth.register('dupe', 'correct horse battery staple')).rejects.toThrow(
+                /already registered/,
+            );
+        },
+        60_000,
+    );
 });
 
 // Lower-level wire checks that don't need the heavy Argon2id derivation.

package/examples/basic/server/routes/PqDemo.ts

@@ -1,127 +0,0 @@
-import { Response, RouteContext, SecureCookies, base64UrlEncode, base64UrlDecode } from 'toiljs/server/runtime';
-import { DataReader, DataWriter } from 'data';
-
-import { encodeSessionUser } from './Session';
-
-/**
- * Post-quantum identity demo (server half), challenge-response.
- *
- *   1. GET  /pq/challenge -> the edge mints a fresh nonce + cid + iat/exp and
- *      returns them PLUS an HMAC-signed `token` over those values. The token is
- *      the server-issued challenge: signed with a server-only key, it proves
- *      "the edge issued exactly this" WITHOUT any cross-request storage (the
- *      guest's memory is wiped every request).
- *   2. POST /pq/verify   -> the client signs the login message built from the
- *      SERVER's nonce/cid/iat/exp (ML-DSA-44, derived from the password) and
- *      returns {sub, token, publicKey, signature}. The edge re-opens the token
- *      (rejecting a forged or expired one), rebuilds the message from the values
- *      INSIDE the token (never client-echoed), and verifies the signature via
- *      `crypto.mldsa_verify` (`AuthService.verifyLogin`).
- *
- * The nonce is server-chosen and tamper-proof, and the challenge is time-bound,
- * so a client cannot pre-sign or substitute its own nonce. What this stateless
- * form does NOT have is single-use: within the TTL a captured {token, signature}
- * could be replayed, because that needs an atomic consume against a store (Redis
- * GETDEL / SQL DELETE RETURNING). The production login in server/routes/Auth.ts
- * does exactly that; see docs/auth.md. Pairs with client/routes/pq.tsx.
- */
-
-const AUD = 'pq-demo'; // this demo's audience id (server config; never client-echoed)
-const CHALLENGE_TTL_SECS: u64 = 120;
-
-/** Server-only key for signing challenge tokens (demo constant; a real
- *  deployment uses a per-deployment secret, like the session secret). */
-function challengeKey(): Uint8Array {
-    return crypto.sha256Text('toil-pq-demo-challenge-key-v1');
-}
-
-function randomBytes(n: i32): Uint8Array {
-    const b = new Uint8Array(n);
-    crypto.getRandomValues(b);
-    return b;
-}
-
-@rest('pq')
-class PqDemo {
-    /** GET /pq/challenge
-     *  resp: str(aud) bytes(cid) bytes(nonce) u64(iat) u64(exp) str(token) */
-    @get('/challenge')
-    public challenge(_ctx: RouteContext): Response {
-        const cid = randomBytes(16);
-        const nonce = randomBytes(32);
-        const iat = Time.nowSeconds();
-        const exp = iat + CHALLENGE_TTL_SECS;
-
-        // Sign (iat, exp, cid, nonce) so /verify can confirm the edge issued
-        // this exact challenge with no stored state.
-        const blob = new DataWriter()
-            .writeU64(iat)
-            .writeU64(exp)
-            .writeBytes(cid)
-            .writeBytes(nonce)
-            .toBytes();
-        const token = SecureCookies.signed(challengeKey()).sign('pqchal', base64UrlEncode(blob));
-
-        const w = new DataWriter();
-        w.writeString(AUD);
-        w.writeBytes(cid);
-        w.writeBytes(nonce);
-        w.writeU64(iat);
-        w.writeU64(exp);
-        w.writeString(token);
-        return Response.bytes(w.toBytes());
-    }
-
-    /** POST /pq/verify
-     *  body: str(sub) str(token) bytes(publicKey 1312) bytes(signature 2420)
-     *  resp: text VALID / INVALID */
-    @post('/verify')
-    public verify(ctx: RouteContext): Response {
-        const r = new DataReader(ctx.request.body);
-        const sub = r.readString();
-        const token = r.readString();
-        const pk = r.readBytes();
-        const sig = r.readBytes();
-        if (!r.ok) return Response.text('malformed envelope\n', 400);
-
-        // 1. Re-open the challenge token: must be server-issued + untampered.
-        const blobB64 = SecureCookies.signed(challengeKey()).unsign('pqchal', token);
-        if (blobB64 == null) return Response.text('INVALID: forged or unsigned challenge\n', 401);
-        const blob = base64UrlDecode(blobB64);
-        if (blob == null) return Response.text('INVALID: malformed challenge\n', 401);
-        const br = new DataReader(blob);
-        const iat = br.readU64();
-        const exp = br.readU64();
-        const cid = br.readBytes();
-        const nonce = br.readBytes();
-        if (!br.ok) return Response.text('INVALID: malformed challenge\n', 401);
-        if (Time.nowSeconds() >= exp) return Response.text('INVALID: challenge expired\n', 401);
-
-        // TODO(db): single-use consume is NOT implemented yet (no KV/DB host
-        // binding available). The real fix is an ATOMIC consume of `cid` here --
-        // Redis GETDEL / SQL DELETE ... RETURNING -- so a given challenge verifies
-        // at most once. Until that exists, this token is replayable within its
-        // TTL: a captured {token, signature} re-verifies until `exp`. The
-        // production login (server/routes/Auth.ts) shows the atomic-consume shape.
-
-        // 2. Rebuild the message from the SERVER's values (inside the token,
-        //    never client-echoed) and verify the ML-DSA-44 signature.
-        const message = AuthService.buildLoginMessage(sub, AUD, cid, nonce, iat, exp);
-        if (!AuthService.verifyLogin(pk, message, sig)) {
-            return Response.text('INVALID: signature did not verify\n', 401);
-        }
-
-        // 3. FULL AUTH: a valid post-quantum proof logs the user in. Mint the
-        //    signed session for the proven `sub` via the @user codec, plus the
-        //    readable companion. Every `@auth` route now recognises this user
-        //    and `AuthService.getUser()` returns `{ username: sub, ... }`.
-        const userData = encodeSessionUser(sub);
-        const resp = Response.text(
-            'VALID: ML-DSA-44 (FIPS 204) verified; session established (@auth ready)\n',
-            200,
-        );
-        resp.setCookie(AuthService.mintSession(userData, 3600));
-        resp.setCookie(AuthService.userCookie(userData, 3600));
-        return resp;
-    }
-}