feat(auth): implement password hashing utility

Add Password class with hash and verify methods using SHA3-256 for
secure password handling with salting via environment configuration.

Author: tiesen243

.env.example

@@ -7,6 +7,9 @@
 # The database URL is used to connect to your Neon database (pooler).
 DATABASE_URL="postgres://[USERNAME]:[PASSWORD]@ep-lively-haze-a10zei6o-pooler.ap-southeast-1.aws.neon.tech/neondb?sslmode=require"
 
+# The secret used to hash password
+# generate a new secret using `openssl rand -base64 32`
+AUTH_SECRET=
 # Preconfigured Discord OAuth provider, works out-of-the-box
 # @see https://arcticjs.dev/guides/oauth2
 DISCORD_CLIENT_ID=

packages/auth/src/env.ts

@@ -6,6 +6,7 @@ export const env = createEnv({
   extends: [vercel()],
   server: {
     NODE_ENV: z.enum(['development', 'production']).optional(),
+    AUTH_SECRET: z.string().min(1),
     DISCORD_CLIENT_ID: z.string().min(1),
     DISCORD_CLIENT_SECRET: z.string().min(1),
     GOOGLE_CLIENT_ID: z.string().min(1),

packages/auth/src/utils/auth.ts

@@ -1,8 +1,10 @@
 import type { User } from '@prisma/client'
 import type { OAuth2Tokens } from 'arctic'
+import type { NextRequest } from 'next/server'
 import { cookies } from 'next/headers'
 import { redirect } from 'next/navigation'
-import { generateCodeVerifier, generateState } from 'arctic'
+import { NextResponse } from 'next/server'
+import { generateCodeVerifier, generateState, OAuth2RequestError } from 'arctic'
 import { z } from 'zod'
 
 import { db } from '@yuki/db'
@@ -17,14 +19,12 @@ export interface AuthOptions {
   providers: Providers
 }
 
-type SignInType = 'credentials' | 'discord' | 'google'
-
 class AuthClass {
   private readonly db: typeof db
   private readonly session: Session
   private readonly password: Password
-  private readonly COOKIE_KEY: string
 
+  private readonly COOKIE_KEY: string
   private readonly providers: Providers
 
   constructor(options: AuthOptions) {
@@ -36,79 +36,87 @@ class AuthClass {
     this.password = new Password()
   }
 
-  public async auth(req?: Request): Promise<SessionResult> {
+  public async auth(req?: NextRequest): Promise<SessionResult> {
     let authToken: string | undefined
 
-    if (req) {
-      const cookies = this.parsedCookies(req.headers)
+    if (req)
       authToken =
-        cookies[this.COOKIE_KEY] ??
+        req.cookies.get(this.COOKIE_KEY)?.value ??
         req.headers.get('Authorization')?.replace('Bearer ', '')
-    } else {
-      authToken = (await cookies()).get(this.COOKIE_KEY)?.value
-    }
+    else authToken = (await cookies()).get(this.COOKIE_KEY)?.value
 
     if (!authToken) return { expires: new Date() }
 
     return await this.session.validateSessionToken(authToken)
   }
 
-  public async handlers(req: Request): Promise<Response> {
-    const url = new URL(req.url)
+  public async handlers(req: NextRequest): Promise<Response> {
+    const url = new URL(req.nextUrl)
 
-    let response: Response = new Response('Not found', { status: 404 })
+    let response: NextResponse = NextResponse.json(
+      { error: 'Not found' },
+      { status: 404 },
+    )
 
     switch (req.method) {
       case 'OPTIONS':
-        response = new Response('', { status: 204 })
+        response = NextResponse.json('', { status: 204 })
         break
       case 'GET':
         if (url.pathname === '/api/auth') {
           const session = await this.auth(req)
-          response = new Response(JSON.stringify(session))
+          response = NextResponse.json(session)
         } else if (url.pathname.startsWith('/api/auth/oauth')) {
           const isCallback = url.pathname.endsWith('/callback')
 
           if (!isCallback) {
-            const provider = String(url.pathname.split('/').pop())
+            const provider =
+              this.providers[String(url.pathname.split('/').pop())]
+
+            if (!provider) {
+              response = NextResponse.json(
+                { error: 'Provider not supported' },
+                { status: 404 },
+              )
+              break
+            }
             const state = generateState()
             const codeVerifier = generateCodeVerifier()
-            const authorizationUrl = this.providers[
-              provider
-            ]?.createAuthorizationURL(state, codeVerifier)
-
-            if (!authorizationUrl) {
-              response = new Response('Provider not found', { status: 404 })
-            } else {
-              response = new Response('', { status: 302 })
-              response.headers.set('Location', authorizationUrl.toString())
-              response.headers.set('Set-Cookie', `oauth_state=${state}; Path=/`)
-
-              this.setCookie(response, 'oauth_state', state, { maxAge: 600 })
-              this.setCookie(response, 'code_verifier', codeVerifier, {
-                maxAge: 600,
-              })
-            }
+            const authorizationUrl = provider.createAuthorizationURL(
+              state,
+              codeVerifier,
+            )
+
+            response = NextResponse.redirect(
+              new URL(authorizationUrl, req.nextUrl),
+            )
+            response.cookies.set('code_verifier', codeVerifier)
+            response.cookies.set('oauth_state', state)
           } else {
-            const cookies = this.parsedCookies(req.headers)
+            const provider =
+              this.providers[String(url.pathname.split('/').slice(-2)[0])]
+            if (!provider) {
+              response = NextResponse.json(
+                { error: 'Provider not supported' },
+                { status: 404 },
+              )
+              break
+            }
 
-            const provider = String(url.pathname.split('/').slice(-2)[0])
             const code = url.searchParams.get('code')
             const state = url.searchParams.get('state')
-            const storedState = cookies.oauth_state
-            const codeVerifier = cookies.code_verifier ?? ''
+            const storedState = req.cookies.get('oauth_state')?.value ?? ''
+            const codeVerifier = req.cookies.get('code_verifier')?.value ?? ''
 
             try {
               if (!code || !state || state !== storedState)
                 throw new Error('Invalid state')
 
               const { validateAuthorizationCode, fetchUserUrl, mapUser } =
-                this.providers[provider] ?? {}
-              if (!validateAuthorizationCode || !fetchUserUrl || !mapUser)
-                throw new Error('Provider not found')
+                provider
 
               const verifiedCode = await validateAuthorizationCode(
-                code,
+                'dsadasd',
                 codeVerifier,
               )
 
@@ -117,41 +125,38 @@ class AuthClass {
               const res = await fetch(fetchUserUrl, {
                 headers: { Authorization: `Bearer ${token}` },
               })
-              if (!res.ok)
-                throw new Error(`Failed to fetch user data from ${provider}`)
+              if (!res.ok) throw new Error('Failed to fetch user data')
 
               const user = await this.createUser(
                 mapUser((await res.json()) as never),
               )
               const session = await this.session.createSession(user.id)
 
-              response = new Response('', { status: 302 })
-
-              response.headers.set('Location', '/')
-              this.setCookie(response, this.COOKIE_KEY, session.sessionToken, {
+              response = NextResponse.redirect(new URL('/', req.nextUrl))
+              response.cookies.set(this.COOKIE_KEY, session.sessionToken, {
+                httpOnly: true,
+                path: '/',
+                secure: env.NODE_ENV === 'production',
+                sameSite: 'lax' as const,
                 expires: session.expires,
-                replace: true,
-              })
-
-              const pastDate = new Date(0)
-              this.setCookie(response, 'oauth_state', '', { expires: pastDate })
-              this.setCookie(response, 'code_verifier', '', {
-                expires: pastDate,
               })
+              response.cookies.delete('oauth_state')
+              response.cookies.delete('code_verifier')
             } catch (error) {
-              if (error instanceof Error)
-                response = new Response(
-                  JSON.stringify({ error: error.message }),
-                  {
-                    status: 400,
-                  },
+              if (error instanceof OAuth2RequestError) {
+                response = NextResponse.json(
+                  { error: error.message, description: error.description },
+                  { status: 400 },
+                )
+              } else if (error instanceof Error)
+                response = NextResponse.json(
+                  { error: error.message },
+                  { status: 400 },
                 )
               else
-                response = new Response(
-                  JSON.stringify({ error: 'An error occurred' }),
-                  {
-                    status: 500,
-                  },
+                response = NextResponse.json(
+                  { error: 'An unknown error occurred' },
+                  { status: 400 },
                 )
             }
           }
@@ -160,11 +165,8 @@ class AuthClass {
       case 'POST':
         if (url.pathname === '/api/auth/sign-out') {
           await this.signOut(req)
-          response = new Response('', { status: 302 })
-          response.headers.set('Location', '/')
-          this.setCookie(response, this.COOKIE_KEY, '', {
-            expires: new Date(0),
-          })
+          response = NextResponse.redirect(new URL('/', req.url))
+          response.cookies.delete(this.COOKIE_KEY)
         }
         break
     }
@@ -178,7 +180,7 @@ class AuthClass {
     data?: z.infer<typeof credentialsSchema>,
   ): Promise<
     | { success: false; fieldErrors: Record<string, string[]> }
-    | { success: true; session: { sessionToken: string; expires: Date } }
+    | { success: true; message: string }
     | undefined
   > {
     if (type === 'credentials') {
@@ -198,63 +200,34 @@ class AuthClass {
       const passwordMatch = this.password.verify(password, user.password)
       if (!passwordMatch) throw new Error('Invalid password')
 
-      return {
-        success: true,
-        session: await this.session.createSession(user.id),
-      }
+      const session = await this.session.createSession(user.id)
+      ;(await cookies()).set('auth_token', session.sessionToken, {
+        httpOnly: true,
+        path: '/',
+        secure: env.NODE_ENV === 'production',
+        sameSite: 'lax' as const,
+        expires: session.expires,
+      })
+
+      return { success: true, message: 'Signed in' }
     } else {
       redirect(`/api/auth/oauth/${type}`)
     }
   }
 
-  public async signOut(req?: Request): Promise<void> {
-    let token: string
-
-    if (req) {
-      const cookies = this.parsedCookies(req.headers)
-      token =
-        cookies[this.COOKIE_KEY] ??
-        req.headers.get('Authorization')?.replace('Bearer ', '') ??
-        ''
-    } else {
-      token = (await cookies()).get(this.COOKIE_KEY)?.value ?? ''
-    }
-
+  public async signOut(req?: NextRequest): Promise<void> {
+    const token = await this.getToken(req)
     await this.session.invalidateSessionToken(token)
-    if (!req) (await cookies()).delete(this.COOKIE_KEY)
   }
 
-  private parsedCookies(headers: Headers): Record<string, string> {
-    const cookiesHeader = headers.get('cookie')
-    if (!cookiesHeader) return {}
-
-    return cookiesHeader.split(';').reduce((acc, cookie) => {
-      const [name, value] = cookie.split('=') as [string, string]
-      return { ...acc, [name.trim()]: value }
-    }, {})
-  }
-
-  private setCookie(
-    response: Response,
-    name: string,
-    value: string,
-    options: {
-      expires?: Date
-      maxAge?: number
-      replace?: boolean
-    } = {},
-  ): void {
-    const { expires, maxAge, replace = false } = options
-
-    let cookieValue = `${name}=${value}; HttpOnly; Path=/; SameSite=Lax`
-
-    if (expires) cookieValue += `; Expires=${expires.toUTCString()}`
-    else if (maxAge !== undefined) cookieValue += `; Max-Age=${maxAge}`
-
-    if (env.NODE_ENV === 'production') cookieValue += '; Secure'
-
-    if (replace) response.headers.set('Set-Cookie', cookieValue)
-    else response.headers.append('Set-Cookie', cookieValue)
+  private async getToken(req?: NextRequest): Promise<string> {
+    if (req)
+      return (
+        req.cookies.get(this.COOKIE_KEY)?.value ??
+        req.headers.get('Authorization')?.replace('Bearer ', '') ??
+        ''
+      )
+    return (await cookies()).get(this.COOKIE_KEY)?.value ?? ''
   }
 
   private async createUser(data: {
@@ -298,14 +271,37 @@ class AuthClass {
   }
 
   private setCorsHeaders(res: Response): void {
-    res.headers.set('Content-Type', 'application/json')
     res.headers.set('Access-Control-Allow-Origin', '*')
     res.headers.set('Access-Control-Request-Method', '*')
     res.headers.set('Access-Control-Allow-Methods', 'OPTIONS, GET, POST')
     res.headers.set('Access-Control-Allow-Headers', '*')
   }
 }
 
+export const Auth = (options: AuthOptions) => {
+  const authInstance = new AuthClass(options)
+
+  return {
+    auth: (req?: NextRequest) => authInstance.auth(req),
+    signIn: (type: SignInType, data?: z.infer<typeof credentialsSchema>) =>
+      authInstance.signIn(type, data),
+    signOut: (req?: NextRequest) => authInstance.signOut(req),
+    handlers: (req: NextRequest) => authInstance.handlers(req),
+  }
+}
+
+const credentialsSchema = z.object({
+  email: z.string().email(),
+  password: z
+    .string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(
+      /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/,
+      'Password must contain at least one lowercase letter, one uppercase letter, one number, and one special character',
+    ),
+})
+
+type SignInType = 'credentials' | 'discord' | 'google'
 type Providers = Record<
   string,
   {
@@ -324,26 +320,3 @@ type Providers = Record<
     }
   }
 >
-
-const credentialsSchema = z.object({
-  email: z.string().email(),
-  password: z
-    .string()
-    .min(8, 'Password must be at least 8 characters')
-    .regex(
-      /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$/,
-      'Password must contain at least one lowercase letter, one uppercase letter, one number, and one special character',
-    ),
-})
-
-export const Auth = (options: AuthOptions) => {
-  const authInstance = new AuthClass(options)
-
-  return {
-    auth: (req?: Request) => authInstance.auth(req),
-    signIn: (type: SignInType, data?: z.infer<typeof credentialsSchema>) =>
-      authInstance.signIn(type, data),
-    signOut: (req?: Request) => authInstance.signOut(req),
-    handlers: (req: Request) => authInstance.handlers(req),
-  }
-}

packages/auth/src/utils/password.ts

@@ -1,14 +1,21 @@
 import { sha3_256 } from '@oslojs/crypto/sha3'
 import { encodeBase32LowerCase } from '@oslojs/encoding'
 
+import { env } from '../env'
+
 export class Password {
   public hash(password: string): string {
-    return encodeBase32LowerCase(sha3_256(new TextEncoder().encode(password)))
+    const saltedPassword = `${password}${env.AUTH_SECRET}`
+    return encodeBase32LowerCase(
+      sha3_256(new TextEncoder().encode(saltedPassword)),
+    )
   }
 
   public verify(password: string, hash: string): boolean {
+    const saltedPassword = `${password}${env.AUTH_SECRET}`
+
     const hashPassword = encodeBase32LowerCase(
-      sha3_256(new TextEncoder().encode(password)),
+      sha3_256(new TextEncoder().encode(saltedPassword)),
     )
     return hashPassword === hash
   }