more issue fixes

AndresL230 · AndresL230 · commit 5d0704f234cf · 2026-04-14T20:30:59.000-04:00
diff --git a/frontend/src/app/api/auth/session/route.ts b/frontend/src/app/api/auth/session/route.ts
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { signSession, SESSION_MAX_AGE } from '@/lib/sessionToken';
 
 const API_URL = process.env.NEXT_PUBLIC_API_URL ?? '';
-const SESSION_MAX_AGE = 2592000; // 30 days
 
 export async function POST(request: NextRequest) {
   const { userId } = await request.json();
@@ -26,14 +26,9 @@ export async function POST(request: NextRequest) {
     return NextResponse.json({ error: 'Not approved' }, { status: 403 });
   }
 
+  const token = await signSession(userId);
   const response = NextResponse.json({ ok: true });
-  response.cookies.set('sapling_session', userId, {
-    httpOnly: true,
-    sameSite: 'lax',
-    path: '/',
-    maxAge: SESSION_MAX_AGE,
-  });
-  response.cookies.set('sapling_approved', '1', {
+  response.cookies.set('sapling_session', token, {
     httpOnly: true,
     sameSite: 'lax',
     path: '/',
@@ -45,6 +40,5 @@ export async function POST(request: NextRequest) {
 export async function DELETE() {
   const response = NextResponse.json({ ok: true });
   response.cookies.set('sapling_session', '', { httpOnly: true, maxAge: 0, path: '/' });
-  response.cookies.set('sapling_approved', '', { httpOnly: true, maxAge: 0, path: '/' });
   return response;
 }
diff --git a/frontend/src/app/pending/page.tsx b/frontend/src/app/pending/page.tsx
@@ -1,26 +1,14 @@
 'use client';
 
-import { useEffect } from 'react';
 import { useRouter } from 'next/navigation';
 import Image from 'next/image';
 
 export default function PendingPage() {
   const router = useRouter();
 
-  useEffect(() => {
-    const approved = document.cookie
-      .split('; ')
-      .find(row => row.startsWith('sapling_approved='))
-      ?.split('=')[1];
-    if (approved === '1') {
-      router.replace('/dashboard');
-    }
-  }, [router]);
-
-  function handleSignOut() {
+  async function handleSignOut() {
     localStorage.removeItem('sapling_user');
-    document.cookie = 'sapling_approved=; path=/; max-age=0; SameSite=Lax';
-    document.cookie = 'sapling_uid=; path=/; max-age=0; SameSite=Lax';
+    await fetch('/api/auth/session', { method: 'DELETE' });
     router.replace('/signin');
   }
 
diff --git a/frontend/src/app/signin/callback/page.tsx b/frontend/src/app/signin/callback/page.tsx
@@ -7,7 +7,7 @@ import { useUser } from '@/context/UserContext';
 function CallbackInner() {
   const searchParams = useSearchParams();
   const router = useRouter();
-  const { setActiveUser } = useUser();
+  const { setActiveUser, confirmApproved } = useUser();
 
   useEffect(() => {
     const userId = searchParams.get('user_id');
@@ -22,12 +22,19 @@ function CallbackInner() {
     }
 
     if (userId && name) {
-      setActiveUser(userId, name, avatar || '', true);
+      setActiveUser(userId, name, avatar || '');
       fetch('/api/auth/session', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ userId }),
-      }).then(() => router.replace('/dashboard'));
+      }).then(res => {
+        if (res.ok) {
+          confirmApproved();
+          router.replace('/dashboard');
+        } else {
+          router.replace('/signin');
+        }
+      });
     } else {
       router.replace('/signin');
     }
diff --git a/frontend/src/context/UserContext.tsx b/frontend/src/context/UserContext.tsx
@@ -17,7 +17,8 @@ interface UserContextValue {
   userReady: boolean;
   isAuthenticated: boolean;
   isApproved: boolean;
-  setActiveUser: (id: string, name: string, avatar?: string, approved?: boolean) => void;
+  setActiveUser: (id: string, name: string, avatar?: string) => void;
+  confirmApproved: () => void;
   signOut: () => void;
 }
 
@@ -30,6 +31,7 @@ const UserContext = createContext<UserContextValue>({
   isAuthenticated: false,
   isApproved: false,
   setActiveUser: () => {},
+  confirmApproved: () => {},
   signOut: () => {},
 });
 
@@ -49,12 +51,11 @@ export function UserProvider({ children }: { children: React.ReactNode }) {
     const saved = localStorage.getItem('sapling_user');
     if (saved) {
       try {
-        const { id, name, avatar, isApproved: savedApproved } = JSON.parse(saved);
+        const { id, name, avatar } = JSON.parse(saved);
         setUserId(id);
         setUserName(name);
         if (avatar) setAvatarUrl(avatar);
         setIsAuthenticated(true);
-        setIsApproved(savedApproved === true);
       } catch {}
     }
     setUserReady(true);
@@ -78,15 +79,16 @@ export function UserProvider({ children }: { children: React.ReactNode }) {
       .catch(() => {});
   }, []);
 
-  const setActiveUser = (id: string, name: string, avatar?: string, approved?: boolean) => {
+  const setActiveUser = (id: string, name: string, avatar?: string) => {
     setUserId(id);
     setUserName(name);
     if (avatar) setAvatarUrl(avatar);
     setIsAuthenticated(true);
-    setIsApproved(approved === true);
-    localStorage.setItem('sapling_user', JSON.stringify({ id, name, avatar: avatar || '', isApproved: approved === true }));
+    localStorage.setItem('sapling_user', JSON.stringify({ id, name, avatar: avatar || '' }));
   };
 
+  const confirmApproved = () => setIsApproved(true);
+
   const signOut = () => {
     setUserId('');
     setUserName('');
@@ -98,7 +100,7 @@ export function UserProvider({ children }: { children: React.ReactNode }) {
   };
 
   const value = useMemo(
-    () => ({ userId, userName, avatarUrl, users, userReady, isAuthenticated, isApproved, setActiveUser, signOut }),
+    () => ({ userId, userName, avatarUrl, users, userReady, isAuthenticated, isApproved, setActiveUser, confirmApproved, signOut }),
     [userId, userName, avatarUrl, users, userReady, isAuthenticated, isApproved]
   );
 
diff --git a/frontend/src/lib/sessionToken.ts b/frontend/src/lib/sessionToken.ts
@@ -0,0 +1,65 @@
+export const SESSION_MAX_AGE = 2592000; // 30 days in seconds
+
+function getSecret(): string {
+  const secret = process.env.SESSION_SECRET;
+  if (!secret) throw new Error('SESSION_SECRET env var is not set');
+  return secret;
+}
+
+function toBase64Url(buf: ArrayBuffer): string {
+  const bytes = new Uint8Array(buf);
+  let binary = '';
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function fromBase64Url(str: string): Uint8Array {
+  const padded = str.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (padded.length % 4)) % 4);
+  const binary = atob(padded + padding);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+
+async function importKey(): Promise<CryptoKey> {
+  const raw = new TextEncoder().encode(getSecret());
+  return crypto.subtle.importKey('raw', raw, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
+}
+
+export async function signSession(userId: string): Promise<string> {
+  const payload = JSON.stringify({
+    userId,
+    approved: true,
+    exp: Math.floor(Date.now() / 1000) + SESSION_MAX_AGE,
+  });
+  const payloadB64 = toBase64Url(new TextEncoder().encode(payload));
+  const key = await importKey();
+  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(payloadB64));
+  return `${payloadB64}.${toBase64Url(sig)}`;
+}
+
+export async function verifySession(
+  token: string,
+): Promise<{ userId: string; approved: boolean } | null> {
+  const dot = token.lastIndexOf('.');
+  if (dot < 0) return null;
+  const payloadB64 = token.slice(0, dot);
+  const sigB64 = token.slice(dot + 1);
+  try {
+    const key = await importKey();
+    const valid = await crypto.subtle.verify(
+      'HMAC',
+      key,
+      fromBase64Url(sigB64),
+      new TextEncoder().encode(payloadB64),
+    );
+    if (!valid) return null;
+    const payload = JSON.parse(new TextDecoder().decode(fromBase64Url(payloadB64)));
+    if (typeof payload.exp !== 'number' || payload.exp < Math.floor(Date.now() / 1000)) return null;
+    if (typeof payload.userId !== 'string') return null;
+    return { userId: payload.userId, approved: payload.approved === true };
+  } catch {
+    return null;
+  }
+}
diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -1,23 +1,27 @@
 import { NextResponse } from 'next/server'
 import type { NextRequest } from 'next/server'
+import { verifySession } from '@/lib/sessionToken'
 
 const PROTECTED = [
   '/dashboard', '/learn', '/study', '/tree',
   '/flashcards', '/library', '/calendar', '/social'
 ]
 
-export function middleware(request: NextRequest) {
+export async function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl
   const isProtected = PROTECTED.some(p => pathname.startsWith(p))
   if (!isProtected) return NextResponse.next()
 
-  const session = request.cookies.get('sapling_session')?.value
-  const approved = request.cookies.get('sapling_approved')?.value
+  const token = request.cookies.get('sapling_session')?.value
+  if (!token) {
+    return NextResponse.redirect(new URL('/signin', request.url))
+  }
 
+  const session = await verifySession(token)
   if (!session) {
     return NextResponse.redirect(new URL('/signin', request.url))
   }
-  if (approved !== '1') {
+  if (!session.approved) {
     return NextResponse.redirect(new URL('/pending', request.url))
   }
   return NextResponse.next()
