fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
274cc819ca4f3ba9710daa7de2e59f0a8eefa6af
Mangalord/frontend/src/lib/api/auth.ts
MechaCat02 c7cb689984 feat: settings page exercises the password-change endpoint 
The 0.10.0 backend endpoint had no UI caller — the audit flagged it
as either-ship-a-form-or-remove-the-endpoint dead code. Shipping the
form, plus the bearer-token-keeps-working regression test the audit
asked for to pin the docstring contract.

Backend:
- New test change_password_via_bearer_leaves_bearer_working asserts
  that PATCH /me/password called with Authorization: Bearer wipes
  cookie sessions but leaves the bearer (api_token) intact and usable
  — matches the docstring claim that bot tokens are opt-in to revoke.

Frontend:
- lib/api/auth.ts: new changePassword(input) wrapping PATCH
  /v1/auth/me/password. Vitest covers happy 204, 401 unauthenticated
  (wrong current), 400 invalid_input (weak new) — same envelope
  parsing shape used elsewhere.
- routes/settings/+page.svelte: minimal form with current /
  new / confirm fields, derived passwordsMatch + canSubmit guards
  (submit stays disabled until current is filled, new is ≥8 chars,
  new == confirm). Shows the API's message inline on failure.
  Documents the "other devices signed out, bot tokens stay" UX in a
  short hint.
- routes/+layout.svelte: new "Settings" link in the session-aware
  nav (between username and Logout) for authed users only.
- e2e/settings.spec.ts (5 cases): nav link reaches the form,
  successful change shows confirmation + clears the form, 401
  surfaces inline, password mismatch keeps submit disabled, anonymous
  user gets a sign-in prompt instead of the form.

Lockstep version bump to 0.11.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 00:16:22 +02:00

95 lines
2.6 KiB
TypeScript
Raw Blame History

import { ApiError, request } from './client';
export type User = {
id: string;
username: string;
created_at: string;
};
export type Credentials = {
username: string;
password: string;
};
type AuthResponse = { user: User };
export async function register(creds: Credentials): Promise<User> {
const r = await request<AuthResponse>('/v1/auth/register', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(creds)
});
return r.user;
}
export async function login(creds: Credentials): Promise<User> {
const r = await request<AuthResponse>('/v1/auth/login', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(creds)
});
return r.user;
}
export async function logout(): Promise<void> {
await request<void>('/v1/auth/logout', { method: 'POST' });
}
export type ChangePassword = {
current_password: string;
new_password: string;
};
/**
* Rotates the password. Backend signs out every other session for this
* user and mints a fresh cookie for the caller (returned as Set-Cookie,
* applied automatically by the browser). Bot tokens are left alone.
*
* Throws ApiError with `status=401, code='unauthenticated'` for wrong
* `current_password`; `status=400, code='invalid_input'` for a weak new
* password.
*/
export async function changePassword(input: ChangePassword): Promise<void> {
await request<void>('/v1/auth/me/password', {
method: 'PATCH',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(input)
});
}
/**
* Returns the current user, or `null` if no valid session.
* Re-throws any non-401 error.
*/
export async function me(): Promise<User | null> {
try {
const r = await request<AuthResponse>('/v1/auth/me');
return r.user;
} catch (e) {
if (e instanceof ApiError && e.status === 401) return null;
throw e;
}
}
export type ApiToken = {
id: string;
user_id: string;
name: string;
created_at: string;
last_used_at: string | null;
};
export type CreatedToken = ApiToken & { bearer: string };
export async function createToken(name: string): Promise<CreatedToken> {
return request<CreatedToken>('/v1/auth/tokens', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify({ name })
});
}
export async function deleteToken(id: string): Promise<void> {
await request<void>(`/v1/auth/tokens/${encodeURIComponent(id)}`, { method: 'DELETE' });
}
Reference in New Issue View Git Blame Copy Permalink