Implement auth procedures with code review fixes

Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/procedures/auth/login-password.ts

@@ -0,0 +1,147 @@
+/**
+ * Login with password procedure
+ * Second step in the login flow - verifies password and completes/confirms login
+ */
+
+import type { APIContext } from "../../context.js";
+import { implement, ORPCError } from "@orpc/server";
+import { contract } from "@reviq/api-contract";
+import { COOKIE_NAMES, getCookie } from "../../utils/cookies.js";
+import { generateSecureToken } from "../../utils/crypto.js";
+import { sendLoginConfirmationEmail } from "../../utils/email.js";
+import { verifyPassword } from "../../utils/password.js";
+import { isDeviceTrusted } from "../../utils/session.js";
+
+const os = implement(contract);
+
+/**
+ * Check if a string is a valid login request ID (numeric)
+ */
+const isValidLoginRequestId = (value: string): boolean => {
+  const num = Number(value);
+  return !Number.isNaN(num) && Number.isInteger(num) && num > 0;
+};
+
+/**
+ * Login with password handler
+ * - Reads login request token from cookie
+ * - If fake token (UUID): returns generic error for anti-enumeration
+ * - If valid login request ID:
+ *   - Validates login request exists and not expired
+ *   - Verifies password against stored hash
+ *   - If device is trusted: marks login request as completed
+ *   - If device is untrusted: generates confirmation token and sends email
+ */
+export const loginPassword = os.auth.loginPassword.handler(
+  async ({ input, context }) => {
+    const ctx = context as APIContext;
+    const { password } = input;
+
+    // Read login request token from cookie
+    const loginRequestToken = getCookie(
+      ctx.reqHeaders,
+      COOKIE_NAMES.LOGIN_REQUEST_TOKEN,
+    );
+
+    // Generic error message for anti-enumeration
+    const INVALID_CREDENTIALS_ERROR = "Invalid email or password";
+
+    // No login request token or invalid format
+    if (!loginRequestToken) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: INVALID_CREDENTIALS_ERROR,
+      });
+    }
+
+    // Check if token is a fake token (UUID) or valid login request ID
+    if (!isValidLoginRequestId(loginRequestToken)) {
+      // Fake token - return generic error for anti-enumeration
+      throw new ORPCError("BAD_REQUEST", {
+        message: INVALID_CREDENTIALS_ERROR,
+      });
+    }
+
+    // Valid login request ID - keep as string (Int8 type)
+    const loginRequestId = loginRequestToken;
+
+    // Fetch login request with user data in single query (optimized JOIN)
+    const result = await ctx.db
+      .selectFrom("login_requests")
+      .innerJoin("users", "users.id", "login_requests.user_id")
+      .select([
+        "login_requests.id",
+        "login_requests.user_id",
+        "login_requests.email",
+        "login_requests.device_fingerprint",
+        "login_requests.expires_at",
+        "login_requests.completed_at",
+        "users.password_hash",
+      ])
+      .where("login_requests.id", "=", loginRequestId)
+      .executeTakeFirst();
+
+    // Login request not found
+    if (!result) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: INVALID_CREDENTIALS_ERROR,
+      });
+    }
+
+    // Check if login request is expired
+    if (new Date() > new Date(result.expires_at)) {
+      throw new ORPCError("BAD_REQUEST", {
+        message:
+          "Login request has expired. Please start the login process again.",
+      });
+    }
+
+    // User has no password set
+    if (!result.password_hash) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: INVALID_CREDENTIALS_ERROR,
+      });
+    }
+
+    // Verify password
+    const passwordValid = await verifyPassword(password, result.password_hash);
+
+    if (!passwordValid) {
+      throw new ORPCError("BAD_REQUEST", {
+        message: INVALID_CREDENTIALS_ERROR,
+      });
+    }
+
+    // Password is valid - check if device is trusted
+    // If no device fingerprint, treat as untrusted
+    const deviceTrusted = result.device_fingerprint
+      ? await isDeviceTrusted(ctx.db, result.user_id, result.device_fingerprint)
+      : false;
+
+    if (deviceTrusted) {
+      // Device is trusted - complete login immediately
+      await ctx.db
+        .updateTable("login_requests")
+        .set({
+          completed_at: new Date(),
+        })
+        .where("id", "=", loginRequestId)
+        .execute();
+    } else {
+      // Device is untrusted - generate confirmation token and send email
+      const confirmationToken = generateSecureToken();
+
+      await ctx.db
+        .updateTable("login_requests")
+        .set({
+          token: confirmationToken,
+        })
+        .where("id", "=", loginRequestId)
+        .execute();
+
+      // Send login confirmation email (stubbed for now)
+      await sendLoginConfirmationEmail(result.email, confirmationToken);
+    }
+
+    // Return void (success)
+  },
+);