user authentication through a secret token (NOT AUDITED FOR SECURITY. DO NOT RELY ON THIS CODE.)

it's probably okay, but it's incredibly easy to read localStorage from the frontend and get a hold of the secret would be nice (would it?) to have more proper session tokens I guess but we're not doing that right now I'm not entirely sure if generating the password on the server is legit like this, but it leads to an incredibly frictionless experience and I'd like to keep it. if possible. I don't really see a difference compared to password managers generating passwords for you and showing them in plaintext obviously actual passwords are stored within the manager which requires a master password, but like. do we really need that. the secret isn't shown to the user and it's very long. too bad the browser secure storage API or whatever isn't ready yet
2024-08-23 19:45:07 +02:00 · 2024-08-23 19:45:07 +02:00 · be6a47ae13
commit be6a47ae13
parent 6ce1389d12
10 changed files with 180 additions and 32 deletions
--- a/static/index.js
+++ b/static/index.js
@ -1,5 +1,5 @@
 import { Wall } from "./wall.js";
-import { getUserId, newSession, waitForLogin } from "./session.js";
+import { getLoginSecret, getUserId, newSession, waitForLogin } from "./session.js";
 import { debounce } from "./framework.js";
 import { ReticleCursor } from "./reticle-renderer.js";

@ -59,6 +59,7 @@ function readUrl() {

    let session = await newSession(
        getUserId(),
+        getLoginSecret(),
        urlData.wallId ?? localStorage.getItem("rkgk.mostRecentWallId"),
        {
            brush: brushEditor.code,
--- a/static/session.js
+++ b/static/session.js
@ -17,6 +17,10 @@ export function getUserId() {
    return loginStorage.userId;
 }

+export function getLoginSecret() {
+    return loginStorage.secret;
+}
+
 export function waitForLogin() {
    return loggedInPromise;
 }
@ -54,8 +58,8 @@ export async function registerUser(nickname) {
            };
        }

-        console.log(responseJson);
        loginStorage.userId = responseJson.userId;
+        loginStorage.secret = responseJson.secret;
        console.info("user registered", loginStorage.userId);
        saveLoginStorage();
        resolveLoggedInPromise();
@ -71,9 +75,10 @@ export async function registerUser(nickname) {
 }

 class Session extends EventTarget {
-    constructor(userId) {
+    constructor(userId, secret) {
        super();
        this.userId = userId;
+        this.secret = secret;
    }

    async #recvJson() {
@ -138,6 +143,9 @@ class Session extends EventTarget {
    }

    async joinInner(wallId, userInit) {
+        let secret = this.secret;
+        this.secret = null;
+
        let version = await this.#recvJson();
        console.info("protocol version", version.version);
        // TODO: This should probably verify that the version is compatible.
@ -149,11 +157,13 @@ class Session extends EventTarget {
        if (this.wallId == null) {
            this.#sendJson({
                user: this.userId,
+                secret,
                init,
            });
        } else {
            this.#sendJson({
                user: this.userId,
+                secret,
                wall: wallId,
                init,
            });
@ -259,8 +269,8 @@ class Session extends EventTarget {
    }
 }

-export async function newSession(userId, wallId, userInit) {
-    let session = new Session(userId);
+export async function newSession(userId, secret, wallId, userInit) {
+    let session = new Session(userId, secret);
    await session.join(wallId, userInit);
    return session;
 }