From dc55ef6b47cb942dd3b485b60d640067463f6aaf Mon Sep 17 00:00:00 2001
From: Kasper Peulen <kasperpeulen@gmail.com>
Date: Thu, 22 Aug 2024 14:09:32 +0200
Subject: [PATCH] Make the demo actually secure

---
 app/actions.ts                       |  8 ++---
 app/note/edit/[id]/page.tsx          |  2 +-
 components/auth-button.stories.tsx   |  3 +-
 components/auth-button.tsx           | 18 +++++------
 components/logout-button.stories.tsx |  2 +-
 components/logout-button.tsx         |  6 ++--
 components/note-ui.stories.tsx       | 17 +++-------
 components/note-ui.tsx               | 28 ++++++-----------
 lib/session.ts                       | 47 ++++++++++++++++------------
 package.json                         |  1 +
 tsconfig.json                        |  2 +-
 11 files changed, 61 insertions(+), 73 deletions(-)

diff --git a/app/actions.ts b/app/actions.ts
index 8c9ec82..f5751af 100644
--- a/app/actions.ts
+++ b/app/actions.ts
@@ -6,12 +6,8 @@ import { cookies } from 'next/headers'
 import { redirect } from 'next/navigation'
 import { getUserFromSession } from '#lib/session'
 
-export async function saveNote(
-  noteId: number | undefined,
-  title: string,
-  body: string,
-) {
-  const user = getUserFromSession()
+export async function saveNote(noteId: number | undefined, title: string, body: string) {
+  const user = await getUserFromSession()
 
   if (!user) {
     redirect('/')
diff --git a/app/note/edit/[id]/page.tsx b/app/note/edit/[id]/page.tsx
index ac9f01d..e8add20 100644
--- a/app/note/edit/[id]/page.tsx
+++ b/app/note/edit/[id]/page.tsx
@@ -13,7 +13,7 @@ type Props = {
 }
 
 export default async function EditPage({ params }: Props) {
-  const user = getUserFromSession()
+  const user = await getUserFromSession()
 
   const note = await db.note.findUnique({
     where: {
diff --git a/components/auth-button.stories.tsx b/components/auth-button.stories.tsx
index dc34a31..a8926a1 100644
--- a/components/auth-button.stories.tsx
+++ b/components/auth-button.stories.tsx
@@ -7,6 +7,7 @@ const meta = {
   args: {
     noteId: null,
   },
+  parameters: { react: { rsc: true } },
 } satisfies Meta<typeof AuthButton>
 
 export default meta
@@ -15,7 +16,7 @@ type Story = StoryObj<typeof meta>
 
 export const LoggedIn: Story = {
   beforeEach: () => {
-    getUserFromSession.mockReturnValue('storybookjs')
+    getUserFromSession.mockResolvedValue('storybookjs')
   },
   args: { children: 'Add' },
 }
diff --git a/components/auth-button.tsx b/components/auth-button.tsx
index 472dab4..ca87b36 100644
--- a/components/auth-button.tsx
+++ b/components/auth-button.tsx
@@ -9,8 +9,8 @@ type Props = {
   noteId: number | null
 }
 
-export default function AuthButton({ children, noteId }: Props) {
-  const user = getUserFromSession()
+export default async function AuthButton({ children, noteId }: Props) {
+  const user = await getUserFromSession()
   const isDraft = noteId == null
 
   if (user) {
@@ -18,10 +18,9 @@ export default function AuthButton({ children, noteId }: Props) {
       // Use hard link
       <Link href={`/note/edit/${noteId || ''}`} className="link--unstyled">
         <button
-          className={[
-            'edit-button',
-            isDraft ? 'edit-button--solid' : 'edit-button--outline',
-          ].join(' ')}
+          className={['edit-button', isDraft ? 'edit-button--solid' : 'edit-button--outline'].join(
+            ' ',
+          )}
           role="menuitem"
         >
           {children}
@@ -41,10 +40,9 @@ export default function AuthButton({ children, noteId }: Props) {
   return (
     <form action={login}>
       <button
-        className={[
-          'edit-button',
-          isDraft ? 'edit-button--solid' : 'edit-button--outline',
-        ].join(' ')}
+        className={['edit-button', isDraft ? 'edit-button--solid' : 'edit-button--outline'].join(
+          ' ',
+        )}
         role="menuitem"
       >
         Login to Add
diff --git a/components/logout-button.stories.tsx b/components/logout-button.stories.tsx
index 39d15bd..5384ff0 100644
--- a/components/logout-button.stories.tsx
+++ b/components/logout-button.stories.tsx
@@ -5,7 +5,7 @@ import { createUserCookie, userCookieKey } from '#lib/session'
 
 const meta = {
   component: LogoutButton,
-  parameters: { backgrounds: { default: 'dark' } },
+  parameters: { backgrounds: { default: 'dark' }, react: { rsc: true } },
   async beforeEach() {
     cookies().set(userCookieKey, await createUserCookie('storybookjs'))
   },
diff --git a/components/logout-button.tsx b/components/logout-button.tsx
index 7ae33c1..1b5d369 100644
--- a/components/logout-button.tsx
+++ b/components/logout-button.tsx
@@ -1,13 +1,13 @@
 import { logout } from '#app/actions'
 import { getUserFromSession } from '#lib/session'
 
-export default function LogoutButton() {
-  const user = getUserFromSession()
+export default async function LogoutButton() {
+  const user = await getUserFromSession()
 
   return (
     user && (
       <form action={logout}>
-        <button className="logout-button" type="submit" aria-label='logout'>
+        <button className="logout-button" type="submit" aria-label="logout">
           <svg
             xmlns="http://www.w3.org/2000/svg"
             width="24"
diff --git a/components/note-ui.stories.tsx b/components/note-ui.stories.tsx
index 2a95208..0fc9766 100644
--- a/components/note-ui.stories.tsx
+++ b/components/note-ui.stories.tsx
@@ -7,8 +7,9 @@ import { getUserFromSession } from '#lib/session.mock'
 
 const meta = {
   component: NoteUI,
+  parameters: { react: { rsc: true } },
   async beforeEach() {
-    getUserFromSession.mockReturnValue('storybookjs')
+    getUserFromSession.mockResolvedValue('storybookjs')
     saveNote.mockImplementation(async () => {})
     deleteNote.mockImplementation(async () => {})
   },
@@ -34,12 +35,8 @@ export const SaveAndDeleteShouldTriggerActions: Story = {
     note: notes[0]!,
   },
   play: async ({ canvas, step, userEvent }) => {
-    const titleInput = await canvas.findByLabelText(
-      'Enter a title for your note',
-    )
-    const bodyInput = await canvas.findByLabelText(
-      'Enter the body for your note',
-    )
+    const titleInput = await canvas.findByLabelText('Enter a title for your note')
+    const bodyInput = await canvas.findByLabelText('Enter the body for your note')
     await userEvent.clear(titleInput)
     await userEvent.type(titleInput, 'Edited Title')
     await userEvent.clear(bodyInput)
@@ -49,11 +46,7 @@ export const SaveAndDeleteShouldTriggerActions: Story = {
       const saveButton = await canvas.findByRole('menuitem', { name: /done/i })
       await userEvent.click(saveButton)
       await expect(saveNote).toHaveBeenCalledOnce()
-      await expect(saveNote).toHaveBeenCalledWith(
-        1,
-        'Edited Title',
-        'Edited Body',
-      )
+      await expect(saveNote).toHaveBeenCalledWith(1, 'Edited Title', 'Edited Body')
     })
 
     await step('Delete flow', async () => {
diff --git a/components/note-ui.tsx b/components/note-ui.tsx
index 2d23109..2654c46 100644
--- a/components/note-ui.tsx
+++ b/components/note-ui.tsx
@@ -8,24 +8,20 @@ import { type Note } from '@prisma/client'
 
 type Props =
   | {
-    note: Partial<Note>
-    isEditing: true
-  }
+      note: Partial<Note>
+      isEditing: true
+    }
   | {
-    note: Note
-    isEditing: false
-  }
+      note: Note
+      isEditing: false
+    }
 
-export default function NoteUI({ note, isEditing }: Props) {
-  const user = getUserFromSession()
+export default async function NoteUI({ note, isEditing }: Props) {
+  const user = await getUserFromSession()
 
   if (isEditing) {
     return (
-      <NoteEditor
-        noteId={note.id}
-        initialTitle={note.title ?? ''}
-        initialBody={note.body ?? ''}
-      />
+      <NoteEditor noteId={note.id} initialTitle={note.title ?? ''} initialBody={note.body ?? ''} />
     )
   }
 
@@ -53,11 +49,7 @@ export default function NoteUI({ note, isEditing }: Props) {
               height={40}
             />
             &nbsp;
-            <a
-              href={`https://github.com/${createdBy}`}
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+            <a href={`https://github.com/${createdBy}`} target="_blank" rel="noopener noreferrer">
               {createdBy}
             </a>
           </div>
diff --git a/lib/session.ts b/lib/session.ts
index 7abc51e..6887625 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -4,7 +4,7 @@ import { cookies } from 'next/headers'
 export const userCookieKey = '_un'
 export const cookieSep = '^)&_*($'
 
-const password = process.env.SESSION_KEY || 'session-key'
+const password = 'session-key'
 
 const pwUtf8 = encode(password)
 
@@ -13,43 +13,50 @@ function encode(value: string) {
 }
 
 // Encrypt
-export function createEncrypt() {
-  return async function (data: string) {
-    return sign(data, pwUtf8.toString())
-  }
+export async function encrypt(data: string) {
+  return await sign(data, pwUtf8.toString())
 }
 
-// Decrypt
-export function createDecrypt() {
-  return async function decrypt(data: string) {
-    const decrypted = unsign(data, pwUtf8.toString())
-    if (decrypted) return decrypted
-    throw new Error('Invalid signature')
-  }
+export async function decrypt(data: string) {
+  const decrypted = await unsign(data, pwUtf8.toString())
+  if (decrypted) return decrypted
+  throw new Error('Invalid signature')
 }
 
 export function getSession(userCookie = '') {
-  const none = [null, null]
+  const none = [null, null] as const
   const value = decodeURIComponent(userCookie)
   if (!value) return none
   const index = value.indexOf(cookieSep)
   if (index === -1) return none
   const user = value.slice(0, index)
-  const session = value.slice(index + cookieSep.length)
+  const session = value.slice(index + cookieSep.length, value.indexOf(';') + 1)
   return [user, session]
 }
 
-export function getUser(userCookie?: string) {
-  return getSession(userCookie)[0]
+export async function getUser(userCookie?: string) {
+  const [user, encryptedUser] = getSession(userCookie)
+  if (user && encryptedUser) {
+    try {
+      const decryptedUser = await decrypt(encryptedUser)
+      if (decryptedUser === user) {
+        return user
+      }
+      return null
+    } catch (e) {
+      return null
+    }
+  }
+  return user
 }
 
 export async function createUserCookie(token: string) {
-  const encrypt = createEncrypt()
-  return `${token}${cookieSep}${await encrypt(token)}`
+  const encrypted = await encrypt(token)
+  return `${token}${cookieSep}${encrypted}`
 }
 
-export function getUserFromSession() {
+export async function getUserFromSession() {
   const cookieStore = cookies()
   const userCookie = cookieStore.get(userCookieKey)
-  return getUser(userCookie?.value)
+  return await getUser(userCookie?.value)
 }
diff --git a/package.json b/package.json
index 75f10b3..d3baad7 100644
--- a/package.json
+++ b/package.json
@@ -32,6 +32,7 @@
     "dev": "next dev",
     "test": "vitest",
     "lint": "next lint",
+    "typecheck": "tsc",
     "start": "next start",
     "prisma:setup": "dotenv -e .env.local prisma migrate dev && pnpm run generate-dmmf",
     "prisma:seed": "dotenv -e .env.local prisma db seed",
diff --git a/tsconfig.json b/tsconfig.json
index f298d57..9c49d1c 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -12,5 +12,5 @@
     ]
   },
   "include": [".storybook/*", "next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
+  "exclude": ["node_modules", ".next"]
 }