Add utils package with Web Crypto password hashing

- Create @reviq/utils package with PBKDF2-SHA256 password hashing compatible with Cloudflare Workers (uses crypto.subtle) - Update api-server and CLI to use new utils package for consistent password hashing format across the codebase - Add pino logging to api-server for better request debugging - Make login request tokens cryptographically secure base58 strings instead of database IDs - Add migration to make login_requests.token non-nullable with unique constraint - Fix RPCLink URL construction for client-side API calls - Add db:codegen script to root package.json Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 18:12:33 +08:00
parent cee700f063
commit c1afc39062
25 changed files with 512 additions and 142 deletions
--- a/db/migrations/002_login_request_token_required.sql
+++ b/db/migrations/002_login_request_token_required.sql
@@ -0,0 +1,17 @@
+-- migrate:up
+-- First, delete any existing login requests (they're temporary auth state anyway)
+DELETE FROM login_requests;
+
+-- Make token column required and add unique constraint
+ALTER TABLE login_requests
+  ALTER COLUMN token SET NOT NULL,
+  ADD CONSTRAINT login_requests_token_unique UNIQUE (token);
+
+-- Create index for token lookups
+CREATE INDEX idx_login_requests_token ON login_requests(token);
+
+-- migrate:down
+DROP INDEX IF EXISTS idx_login_requests_token;
+ALTER TABLE login_requests
+  DROP CONSTRAINT IF EXISTS login_requests_token_unique,
+  ALTER COLUMN token DROP NOT NULL;
--- a/db/schema.sql
+++ b/db/schema.sql
@@ -1,4 +1,4 @@
-\restrict Trg340CgUaHnQsqUDFepZ6WnV8O2lwkEMfhS9CGxBAJbWOA8qTnig08shTgrMcE
+\restrict NwR9NcSOK9D25dGgvUNdLvsNphDACAXsvkQ5NSmhpf6sLcFR570yQ96lhgCbCXf

 -- Dumped from database version 17.7
 -- Dumped by pg_dump version 17.7
@@ -114,7 +114,7 @@ CREATE TABLE public.login_requests (
    id bigint NOT NULL,
    user_id integer NOT NULL,
    email text NOT NULL,
-    token text,
+    token text NOT NULL,
    device_fingerprint text,
    ip_address text,
    city text,
@@ -652,6 +652,14 @@ ALTER TABLE ONLY public.login_requests
    ADD CONSTRAINT login_requests_token_key UNIQUE (token);


+--
+-- Name: login_requests login_requests_token_unique; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.login_requests
+    ADD CONSTRAINT login_requests_token_unique UNIQUE (token);
+
+
 --
 -- Name: org_invites org_invites_org_id_email_key; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -856,6 +864,13 @@ CREATE INDEX idx_email_verifications_expires ON public.email_verifications USING
 CREATE INDEX idx_login_requests_expires ON public.login_requests USING btree (expires_at);


+--
+-- Name: idx_login_requests_token; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX idx_login_requests_token ON public.login_requests USING btree (token);
+
+
 --
 -- Name: idx_login_requests_user; Type: INDEX; Schema: public; Owner: -
 --
@@ -1069,7 +1084,7 @@ ALTER TABLE ONLY public.user_devices
 -- PostgreSQL database dump complete
 --

-\unrestrict Trg340CgUaHnQsqUDFepZ6WnV8O2lwkEMfhS9CGxBAJbWOA8qTnig08shTgrMcE
+\unrestrict NwR9NcSOK9D25dGgvUNdLvsNphDACAXsvkQ5NSmhpf6sLcFR570yQ96lhgCbCXf


 --
@@ -1077,4 +1092,5 @@ ALTER TABLE ONLY public.user_devices
 --

 INSERT INTO public.schema_migrations (version) VALUES
-    ('001');
+    ('001'),
+    ('002');