dragonflight/services/mam-api/src/routes/auth.js

import express from 'express';
import pool from '../db/pool.js';
import { DEV_USER_ID, requireAuth } from '../middleware/auth.js';
import { hashPassword, comparePassword } from '../auth/passwords.js';
import { ipBackoff } from '../auth/rate-limit.js';

const DUMMY_PASSWORD_HASH = '$2b$12$gSeC58PregWedNFK/8Q61OephUo.JJ7EUs0LCTdnJV5AzCS5qQH7K';

const router = express.Router();

// Real users = anyone except the seeded dev row.
async function realUserCount() {
  const { rows } = await pool.query(
    `SELECT COUNT(*)::int AS n FROM users WHERE id <> $1`, [DEV_USER_ID]);
  return rows[0].n;
}

// GET /api/v1/auth/setup-required
// Cheap, no auth. Used by AuthGate to decide between Login and Setup screens.
router.get('/setup-required', async (_req, res, next) => {
  try {
    res.json({ required: (await realUserCount()) === 0 });
  } catch (err) { next(err); }
});


const MIN_PASSWORD_LEN = 12;

function badRequest(res, msg) { return res.status(400).json({ error: msg }); }

// POST /api/v1/auth/setup — first-run admin creation, locked out forever once a real user exists.
router.post('/setup', async (req, res, next) => {
  try {
    const { username, password } = req.body || {};
    if (!username || typeof username !== 'string') return badRequest(res, 'username required');
    if (!password || typeof password !== 'string') return badRequest(res, 'password required');
    if (password.length < MIN_PASSWORD_LEN)        return badRequest(res, 'password must be at least ' + MIN_PASSWORD_LEN + ' characters');

    if ((await realUserCount()) > 0) {
      return res.status(409).json({ error: 'setup already complete' });
    }

    const hash = await hashPassword(password);
    const { rows } = await pool.query(
      `INSERT INTO users (username, password_hash, display_name, role)
       VALUES ($1, $2, $1, 'admin')
       RETURNING id, username, display_name`,
      [username.trim(), hash]
    );
    const user = rows[0];

    // Immediately log them in.
    req.session.user_id       = user.id;
    req.session.first_seen_at = Date.now();
    req.session.last_seen_at  = Date.now();
    await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));

    res.json({ user });
  } catch (err) {
    if (err.code === '23505') return res.status(409).json({ error: 'username already exists' });
    next(err);
  }
});

// POST /api/v1/auth/login — authenticate an existing user by username + password.
router.post('/login', async (req, res, next) => {
  try {
    const ip = req.ip || req.socket?.remoteAddress || 'unknown';
    const delay = ipBackoff.delayMs(ip);
    if (delay > 0) await new Promise(r => setTimeout(r, delay));
    
    const { username, password } = req.body || {};
    if (!username || !password) {
      ipBackoff.recordFailure(ip);
      return res.status(401).json({ error: 'invalid credentials' });
    }

    const { rows } = await pool.query(
      `SELECT id, username, display_name, password_hash FROM users WHERE username = $1 AND id <> $2`,
      [username.trim(), DEV_USER_ID]
    );
    if (rows.length === 0) {
      // Pre-computed bcrypt hash of a value that no real password input will match.
      // Used to keep the user-not-found response time uniform with the wrong-password
      // path (~180ms at cost 12) so user enumeration via timing isn't possible.
      await comparePassword(password, DUMMY_PASSWORD_HASH);
      ipBackoff.recordFailure(ip);
      return res.status(401).json({ error: 'invalid credentials' });
    }
    const user = rows[0];
    if (!(await comparePassword(password, user.password_hash))) {
      ipBackoff.recordFailure(ip);
      return res.status(401).json({ error: 'invalid credentials' });
    }

    req.session.user_id       = user.id;
    req.session.first_seen_at = Date.now();
    req.session.last_seen_at  = Date.now();
    // The critical line — wait for the row to land in `sessions` before responding.
    // Without this, the SPA's next request races the store write, hits 401, and
    // the prior bounce-to-login logic produced an infinite loop.
    await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));

    pool.query(`UPDATE users SET last_login_at = NOW() WHERE id = $1`, [user.id])
      .catch(err => console.error('[auth] last_login_at update failed:', err.message));

    ipBackoff.recordSuccess(ip);
    res.json({ user: { id: user.id, username: user.username, display_name: user.display_name } }); } catch (err) { next(err); }
});

// POST /api/v1/auth/logout — destroys the session and clears the cookie.
router.post('/logout', (req, res) => {
  if (!req.session) return res.status(204).end();
  req.session.destroy(err => {
    if (err) console.error('[auth] session destroy failed:', err.message);
    res.clearCookie('dragonflight.sid', { path: '/' });
    res.status(204).end();
  });
});

// GET /api/v1/auth/me
router.get('/me', requireAuth, (req, res) => {
  res.json({ id: req.user.id, username: req.user.username, display_name: req.user.display_name });
});

// POST /api/v1/auth/password { current_password, new_password }
router.post('/password', requireAuth, async (req, res, next) => {
  try {
    const { current_password, new_password } = req.body || {};
    if (!current_password || !new_password) return badRequest(res, 'current_password and new_password required');
    if (new_password.length < MIN_PASSWORD_LEN) return badRequest(res, 'new password must be at least ' + MIN_PASSWORD_LEN + ' characters');

    const { rows } = await pool.query(`SELECT password_hash FROM users WHERE id = $1`, [req.user.id]);
    if (!rows.length) return res.status(401).json({ error: 'unauthorized' });
    if (!(await comparePassword(current_password, rows[0].password_hash))) {
      return badRequest(res, 'current password is incorrect');
    }
    const newHash = await hashPassword(new_password);
    await pool.query(
      `UPDATE users SET password_hash = $1, password_updated_at = NOW() WHERE id = $2`,
      [newHash, req.user.id]
    );
    res.status(204).end();
  } catch (err) { next(err); }
});

export default router;
export { realUserCount };
feat(mam-api): auth router skeleton + setup-required endpoint 2026-05-27 14:21:32 -04:00			`import express from 'express';`
			`import pool from '../db/pool.js';`
feat(mam-api): GET /auth/me + POST /auth/password 2026-05-27 14:42:53 -04:00			`import { DEV_USER_ID, requireAuth } from '../middleware/auth.js';`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`import { hashPassword, comparePassword } from '../auth/passwords.js';`
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`import { ipBackoff } from '../auth/rate-limit.js';`
feat(mam-api): auth router skeleton + setup-required endpoint 2026-05-27 14:21:32 -04:00
fix(mam-api): real dummy bcrypt hash + log last_login_at failures Code-review feedback: - Dummy hash for user-enumeration-defense timing was 63 chars (bcrypt strings are 60 chars). Worked by accident because bcrypt 5.x is lenient about trailing chars; a future tightening would silently regress the timing defense. Replaced with a real pre-computed bcrypt hash. - last_login_at UPDATE now logs errors instead of silently swallowing them, matching the pattern in requireAuth for api_tokens.last_used_at. - Removed dead import of comparePassword from auth.test.js. 2026-05-27 14:35:59 -04:00			`const DUMMY_PASSWORD_HASH = '$2b$12$gSeC58PregWedNFK/8Q61OephUo.JJ7EUs0LCTdnJV5AzCS5qQH7K';`

feat(mam-api): auth router skeleton + setup-required endpoint 2026-05-27 14:21:32 -04:00			`const router = express.Router();`

			`// Real users = anyone except the seeded dev row.`
			`async function realUserCount() {`
			`const { rows } = await pool.query(`
			`SELECT COUNT(*)::int AS n FROM users WHERE id <> $1`, [DEV_USER_ID]);
			`return rows[0].n;`
			`}`

			`// GET /api/v1/auth/setup-required`
			`// Cheap, no auth. Used by AuthGate to decide between Login and Setup screens.`
			`router.get('/setup-required', async (_req, res, next) => {`
			`try {`
			`res.json({ required: (await realUserCount()) === 0 });`
			`} catch (err) { next(err); }`
			`});`

feat(mam-api): POST /auth/setup — first-run admin creation 2026-05-27 14:24:56 -04:00
			`const MIN_PASSWORD_LEN = 12;`

			`function badRequest(res, msg) { return res.status(400).json({ error: msg }); }`

			`// POST /api/v1/auth/setup — first-run admin creation, locked out forever once a real user exists.`
			`router.post('/setup', async (req, res, next) => {`
			`try {`
			`const { username, password } = req.body \|\| {};`
			`if (!username \|\| typeof username !== 'string') return badRequest(res, 'username required');`
			`if (!password \|\| typeof password !== 'string') return badRequest(res, 'password required');`
			`if (password.length < MIN_PASSWORD_LEN) return badRequest(res, 'password must be at least ' + MIN_PASSWORD_LEN + ' characters');`

			`if ((await realUserCount()) > 0) {`
			`return res.status(409).json({ error: 'setup already complete' });`
			`}`

			`const hash = await hashPassword(password);`
			`const { rows } = await pool.query(`
			`INSERT INTO users (username, password_hash, display_name, role)
			`VALUES ($1, $2, $1, 'admin')`
			RETURNING id, username, display_name`,
			`[username.trim(), hash]`
			`);`
			`const user = rows[0];`

			`// Immediately log them in.`
			`req.session.user_id = user.id;`
			`req.session.first_seen_at = Date.now();`
			`req.session.last_seen_at = Date.now();`
			`await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));`

			`res.json({ user });`
			`} catch (err) {`
			`if (err.code === '23505') return res.status(409).json({ error: 'username already exists' });`
			`next(err);`
			`}`
			`});`

feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`// POST /api/v1/auth/login — authenticate an existing user by username + password.`
			`router.post('/login', async (req, res, next) => {`
			`try {`
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`const ip = req.ip \|\| req.socket?.remoteAddress \|\| 'unknown';`
			`const delay = ipBackoff.delayMs(ip);`
			`if (delay > 0) await new Promise(r => setTimeout(r, delay));`

feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`const { username, password } = req.body \|\| {};`
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`if (!username \|\| !password) {`
			`ipBackoff.recordFailure(ip);`
			`return res.status(401).json({ error: 'invalid credentials' });`
			`}`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00
			`const { rows } = await pool.query(`
			`SELECT id, username, display_name, password_hash FROM users WHERE username = $1 AND id <> $2`,
			`[username.trim(), DEV_USER_ID]`
			`);`
			`if (rows.length === 0) {`
fix(mam-api): real dummy bcrypt hash + log last_login_at failures Code-review feedback: - Dummy hash for user-enumeration-defense timing was 63 chars (bcrypt strings are 60 chars). Worked by accident because bcrypt 5.x is lenient about trailing chars; a future tightening would silently regress the timing defense. Replaced with a real pre-computed bcrypt hash. - last_login_at UPDATE now logs errors instead of silently swallowing them, matching the pattern in requireAuth for api_tokens.last_used_at. - Removed dead import of comparePassword from auth.test.js. 2026-05-27 14:35:59 -04:00			`// Pre-computed bcrypt hash of a value that no real password input will match.`
			`// Used to keep the user-not-found response time uniform with the wrong-password`
			`// path (~180ms at cost 12) so user enumeration via timing isn't possible.`
			`await comparePassword(password, DUMMY_PASSWORD_HASH);`
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`ipBackoff.recordFailure(ip);`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`return res.status(401).json({ error: 'invalid credentials' });`
			`}`
			`const user = rows[0];`
			`if (!(await comparePassword(password, user.password_hash))) {`
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`ipBackoff.recordFailure(ip);`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`return res.status(401).json({ error: 'invalid credentials' });`
			`}`

			`req.session.user_id = user.id;`
			`req.session.first_seen_at = Date.now();`
			`req.session.last_seen_at = Date.now();`
			// The critical line — wait for the row to land in `sessions` before responding.
			`// Without this, the SPA's next request races the store write, hits 401, and`
			`// the prior bounce-to-login logic produced an infinite loop.`
			`await new Promise((resolve, reject) => req.session.save(err => err ? reject(err) : resolve()));`

fix(mam-api): real dummy bcrypt hash + log last_login_at failures Code-review feedback: - Dummy hash for user-enumeration-defense timing was 63 chars (bcrypt strings are 60 chars). Worked by accident because bcrypt 5.x is lenient about trailing chars; a future tightening would silently regress the timing defense. Replaced with a real pre-computed bcrypt hash. - last_login_at UPDATE now logs errors instead of silently swallowing them, matching the pattern in requireAuth for api_tokens.last_used_at. - Removed dead import of comparePassword from auth.test.js. 2026-05-27 14:35:59 -04:00			pool.query(`UPDATE users SET last_login_at = NOW() WHERE id = $1`, [user.id])
			`.catch(err => console.error('[auth] last_login_at update failed:', err.message));`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00
feat(mam-api): login rate limit + X-Requested-With CSRF header check 2026-05-27 14:58:02 -04:00			`ipBackoff.recordSuccess(ip);`
			`res.json({ user: { id: user.id, username: user.username, display_name: user.display_name } }); } catch (err) { next(err); }`
feat(mam-api): POST /auth/login + redirect-loop regression test 2026-05-27 14:28:18 -04:00			`});`

feat(mam-api): POST /auth/logout 2026-05-27 14:38:05 -04:00			`// POST /api/v1/auth/logout — destroys the session and clears the cookie.`
			`router.post('/logout', (req, res) => {`
			`if (!req.session) return res.status(204).end();`
			`req.session.destroy(err => {`
			`if (err) console.error('[auth] session destroy failed:', err.message);`
			`res.clearCookie('dragonflight.sid', { path: '/' });`
			`res.status(204).end();`
			`});`
			`});`

feat(mam-api): GET /auth/me + POST /auth/password 2026-05-27 14:42:53 -04:00			`// GET /api/v1/auth/me`
			`router.get('/me', requireAuth, (req, res) => {`
			`res.json({ id: req.user.id, username: req.user.username, display_name: req.user.display_name });`
			`});`

			`// POST /api/v1/auth/password { current_password, new_password }`
			`router.post('/password', requireAuth, async (req, res, next) => {`
			`try {`
			`const { current_password, new_password } = req.body \|\| {};`
			`if (!current_password \|\| !new_password) return badRequest(res, 'current_password and new_password required');`
			`if (new_password.length < MIN_PASSWORD_LEN) return badRequest(res, 'new password must be at least ' + MIN_PASSWORD_LEN + ' characters');`

			const { rows } = await pool.query(`SELECT password_hash FROM users WHERE id = $1`, [req.user.id]);
			`if (!rows.length) return res.status(401).json({ error: 'unauthorized' });`
			`if (!(await comparePassword(current_password, rows[0].password_hash))) {`
			`return badRequest(res, 'current password is incorrect');`
			`}`
			`const newHash = await hashPassword(new_password);`
			`await pool.query(`
			`UPDATE users SET password_hash = $1, password_updated_at = NOW() WHERE id = $2`,
			`[newHash, req.user.id]`
			`);`
			`res.status(204).end();`
			`} catch (err) { next(err); }`
			`});`

feat(mam-api): auth router skeleton + setup-required endpoint 2026-05-27 14:21:32 -04:00			`export default router;`
			`export { realUserCount };`