PINコード認証を行う #27

sinproject-iwasaki · sinproject-iwasaki · commit d95f85df86aa · 2022-10-23T18:43:29.000+09:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,7 +35,6 @@
 	"type": "module",
 	"dependencies": {
 		"@prisma/client": "^4.5.0",
-		"bcrypt": "^5.1.0",
 		"nodemailer": "^6.8.0"
 	}
 }
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -23,10 +23,9 @@ model User {
   created_at DateTime    @default(now())
   updated_at DateTime    @updatedAt
   role_id    Int
-  username   String      @unique
   email      String      @unique
-  password   String
   role       Role        @relation(fields: [role_id], references: [id])
+  auth_pin   AuthPin[]
   auth_token AuthToken[]
 }
 
@@ -38,3 +37,12 @@ model AuthToken {
   token      String   @unique
   user       User     @relation(fields: [user_id], references: [id])
 }
+
+model AuthPin {
+  id         Int      @id @default(autoincrement())
+  created_at DateTime @default(now())
+  updated_at DateTime @updatedAt
+  user_id    Int      @unique
+  pin_code   String   @unique
+  user       User     @relation(fields: [user_id], references: [id])
+}
diff --git a/src/app.d.ts b/src/app.d.ts
@@ -4,7 +4,7 @@
 declare namespace App {
 	interface Locals {
 		user: {
-			username: string
+			email: string
 			role: string
 		}
 	}
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -23,7 +23,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 	if (!auth_token) return await resolve(event)
 
 	event.locals.user = {
-		username: auth_token.user.username,
+		email: auth_token.user.email,
 		role: auth_token.user.role.name,
 	}
 
diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte
@@ -19,6 +19,5 @@
 		<button type="submit">Log out</button>
 	</form>
 {:else}
-	<a href="/login">Log in</a>
-	<a href="/register">Register</a>
+	<a href="/login">Log in / Register</a>
 {/if}
diff --git a/src/routes/login/+page.server.ts b/src/routes/login/+page.server.ts
@@ -1,57 +1,6 @@
-import { CookiesManager } from '$lib/cookies_manager'
-import { db } from '$lib/database'
-import { NodemailerManager } from '$lib/nodemailer_manager'
-import type { Actions, PageServerLoad } from '.svelte-kit/types/src/routes/register/$types'
-import { invalid, redirect } from '@sveltejs/kit'
-import bcrypt from 'bcrypt'
+import type { PageServerLoad } from '.svelte-kit/types/src/routes/$types'
+import { redirect } from '@sveltejs/kit'
 
-export const load: PageServerLoad = async ({ locals, url }) => {
-	if (locals.user) {
-		const redirect_url = url.searchParams.get('redirect') || ' /'
-		throw redirect(302, redirect_url)
-	}
-}
-
-async function sendMail(username: string) {
-	const nodemailerManager = new NodemailerManager()
-
-	try {
-		await nodemailerManager.sendMail(
-			'info@sinproject.net',
-			'SvelteKit Authentication',
-			`${username} logged in `
-		)
-	} catch (error) {
-		console.error(error)
-	}
-}
-
-export const actions: Actions = {
-	default: async ({ cookies, request }) => {
-		const data = await request.formData()
-		const username = data.get('username') as string
-		const password = data.get('password') as string
-
-		if (!username || !password) return invalid(404, { missing: true })
-
-		const user = await db.user.findUnique({ where: { username } })
-
-		if (!user) return invalid(400, { credentials: true })
-
-		const password_valid = await bcrypt.compare(password, user.password)
-
-		if (!password_valid) return invalid(400, { credentials: true })
-
-		sendMail(username)
-
-		const auth_token = await db.authToken.upsert({
-			where: { user_id: user.id },
-			update: { token: crypto.randomUUID() },
-			create: { user_id: user.id, token: crypto.randomUUID() },
-		})
-
-		new CookiesManager(cookies).setSessionId(auth_token.token)
-
-		return { success: true }
-	},
+export const load: PageServerLoad = async ({ locals }) => {
+	if (locals.user) throw redirect(302, '/')
 }
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
@@ -1,35 +1,25 @@
 <script lang="ts">
-	import { enhance } from '$app/forms'
+	import { page } from '$app/stores'
 	import { onMount } from 'svelte'
-	import type { ActionData } from './$types'
+	
+	let first_element: HTMLInputElement
 
-	export let form: ActionData
-
-	let username_element: HTMLInputElement
+	const redirect_url = $page.url.searchParams.get('redirect_url') ?? ''
+	const encoded_redirect_url = encodeURIComponent(redirect_url)
 
 	onMount(() => {
 		document.onfocus = (event) => {
 			if (event.target instanceof HTMLInputElement) event.target.select()
 		}
 
-		username_element.select()
+		first_element.select()
 	})
 </script>
 
-<h1>Log in</h1>
-
-<form method="POST" use:enhance>
-	<input
-		type="text"
-		name="username"
-		placeholder="Username"
-		required
-		bind:this={username_element}
-	/>
-	<input type="password" name="password" placeholder="Password" required />
+<h1>Log in / Register</h1>
 
-	{#if form?.missing}<p class="error">Username and password is required.</p>{/if}
-	{#if form?.credentials}<p class="error">You have entered the wrong credentials.</p>{/if}
+<form method="POST" action="/pin_code?/login&redirect_url={encoded_redirect_url}">
+	<input type="email" name="email" placeholder="Email" required bind:this={first_element} />
 
 	<button type="submit">Log in</button>
 </form>
diff --git a/src/routes/main/+page.server.ts b/src/routes/main/+page.server.ts
@@ -4,5 +4,10 @@ import type { PageServerLoad } from "./$types";
 // NOTE: https://github.com/sveltejs/kit/issues/3912
 
 export const load: PageServerLoad = async ({ locals, url }) => {
-	if (!locals.user) throw redirect(302, `/login?redirect=${url.pathname}`)
+	const redirect_url = new URL(url.origin)
+
+	redirect_url.pathname = '/login'
+	redirect_url.searchParams.set('redirect_url', url.pathname)
+
+	if (!locals.user) throw redirect(302, redirect_url.toString())
 }
diff --git a/src/routes/main/+page.svelte b/src/routes/main/+page.svelte
@@ -7,7 +7,7 @@
 </svelte:head>
 
 {#if $page.data.user}
-	<h1>Welcome {$page.data.user.username}</h1>
+	<h1>Welcome {$page.data.user.email}</h1>
 	Role: {$page.data.user.role}
 {:else}
 	<h1>Welcome</h1>
diff --git a/src/routes/pin_code/+page.server.ts b/src/routes/pin_code/+page.server.ts
@@ -0,0 +1,138 @@
+import { CookiesManager } from '$lib/cookies_manager'
+import { db } from '$lib/database'
+import { NodemailerManager as NodeMailerManager } from '$lib/nodemailer_manager'
+import type { PageServerLoad } from '.svelte-kit/types/src/routes/$types'
+import type { User } from '@prisma/client'
+import { invalid, redirect, type Actions } from '@sveltejs/kit'
+
+enum Roles {
+	admin = 'admin',
+	user = 'user',
+}
+
+export const load: PageServerLoad = async ({ locals, url, request }) => {
+	if (locals.user) {
+		const redirect_url = url.searchParams.get('redirect_url') || ' /'
+		throw redirect(302, redirect_url)
+	}
+
+	if (request.method != 'POST') redirect(302, '/')
+}
+
+function createPinCode(length = 6) {
+	const pin_code_chars = '0123456789'
+
+	let pin_code = ''
+
+	while (pin_code.length < length) {
+		pin_code += pin_code_chars[Math.floor(Math.random() * pin_code_chars.length)]
+	}
+
+	return pin_code
+}
+
+async function sendMail(user: User, pin_code: string) {
+	const nodeMailerManager = new NodeMailerManager()
+
+	try {
+		await nodeMailerManager.sendMail(
+			user.email,
+			'SvelteKit Authentication\n',
+			`PIN CODE: ${pin_code}`
+		)
+	} catch (error) {
+		console.error(error)
+	}
+}
+
+async function findUser(email: string, canRegister = true) {
+	const user = await db.user.findUnique({ where: { email } })
+
+	if (user) return user;
+	if (!canRegister) return undefined;
+
+	try {
+		return await db.user.create({
+			data: {
+				role: { connect: { name: Roles.user } },
+				email,
+			},
+		})
+	} catch (error) {
+		console.error(error)
+		return undefined
+	}
+}
+
+async function login(request: Request, canRegister = true) {
+	const data = await request.formData()
+	const email = data.get('email')?.toString() ?? ''
+
+	if (!email) throw redirect(302, '/')
+
+	const user = await findUser(email, canRegister)
+
+	if (!user) return { success: true, email, missing: false, credentials: false }
+
+	const pin_code = createPinCode()
+	console.log('sendmail')
+	sendMail(user, pin_code)
+
+	const user_id = user.id
+
+	await db.authPin.upsert({
+		where: { user_id },
+		update: { pin_code },
+		create: { user_id, pin_code },
+	})
+
+	return { success: true, email, missing: false, credentials: false }
+}
+
+export const actions: Actions = {
+	login: async ({ request }) => {
+		return await login(request)
+	},
+	submit: async ({ cookies, request }) => {
+		const data = await request.formData()
+		const email = data.get('email')?.toString() ?? ''
+		const pin_code = data.get('pin_code')?.toString() ?? ''
+
+		if (!email || !pin_code) return invalid(400, { missing: true, email })
+
+		const limit_date = new Date()
+
+		limit_date.setMinutes(limit_date.getMinutes() - 5)
+
+		const auth_pin = await db.authPin.findFirst({
+			where: {
+				pin_code,
+				updated_at: { gt: limit_date },
+				user: {
+					email,
+				},
+			},
+		})
+
+		if (!auth_pin) return invalid(400, { credentials: true, email })
+
+		const user_id = auth_pin.user_id
+
+		const [auth_token] = await db.$transaction([
+			db.authToken.upsert({
+				where: { user_id },
+				update: { token: crypto.randomUUID() },
+				create: { user_id, token: crypto.randomUUID() },
+			}),
+			db.authPin.delete({
+				where: {
+					id: auth_pin.id,
+				},
+			}),
+		])
+
+		new CookiesManager(cookies).setSessionId(auth_token.token)
+
+		return { success: true, email }
+	},
+}
diff --git a/src/routes/pin_code/+page.svelte b/src/routes/pin_code/+page.svelte
@@ -0,0 +1,34 @@
+<script lang="ts">
+	import { enhance } from '$app/forms'
+	import { onMount } from 'svelte'
+	import type { ActionData } from './$types'
+
+	export let form: ActionData
+
+	let first_element: HTMLInputElement
+
+
+	onMount(() => {
+	if (!form) location.href = '/login'
+	
+		document.onfocus = (event) => {
+			if (event.target instanceof HTMLInputElement) event.target.select()
+		}
+
+		first_element.select()
+	})
+</script>
+
+<h1>Enter pin code</h1>
+
+We’ve sent a 6-character code to {form?.email}. The code expires shortly, so please enter it soon.
+
+<form method="POST" action="?/submit" use:enhance>
+	<input type="hidden" name="email" value={form?.email} />
+	<input type="text" name="pin_code" placeholder="Pin code" required bind:this={first_element} />
+
+	{#if form?.missing}<p class="error">Pin code is required.</p>{/if}
+	{#if form?.credentials}<p class="error">You have entered the wrong credentials.</p>{/if}
+
+	<button type="submit">Submit</button>
+</form>
diff --git a/src/routes/register/+page.server.ts b/src/routes/register/+page.server.ts
diff --git a/src/routes/register/+page.svelte b/src/routes/register/+page.svelte

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,6 @@`
`35`	`35`	`"type": "module",`
`36`	`36`	`"dependencies": {`
`37`	`37`	`"@prisma/client": "^4.5.0",`
`38`		`- "bcrypt": "^5.1.0",`
`39`	`38`	`"nodemailer": "^6.8.0"`
`40`	`39`	`}`
`41`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`declare namespace App {`
`5`	`5`	`interface Locals {`
`6`	`6`	`user: {`
`7`		`- username: string`
	`7`	`+ email: string`
`8`	`8`	`role: string`
`9`	`9`	`}`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ export const handle: Handle = async ({ event, resolve }) => {`
`23`	`23`	`if (!auth_token) return await resolve(event)`
`24`	`24`
`25`	`25`	`event.locals.user = {`
`26`		`- username: auth_token.user.username,`
	`26`	`+ email: auth_token.user.email,`
`27`	`27`	`role: auth_token.user.role.name,`
`28`	`28`	`}`
`29`	`29`