Merge pull request #120 from devartifex/fix/auth-persistence-and-notifications

fix: auth persistence via encrypted cookie + notification system hardening

Author: devartifex

infra/main.parameters.json

@@ -7,6 +7,9 @@
     "githubClientId": { "value": "${GITHUB_CLIENT_ID}" },
     "containerAppImage": { "value": "${SERVICE_WEB_IMAGE_NAME}" },
     "resourceGroupName": { "value": "${AZURE_RESOURCE_GROUP}" },
-    "deployerIpAddress": { "value": "${DEPLOYER_IP_ADDRESS}" }
+    "deployerIpAddress": { "value": "${DEPLOYER_IP_ADDRESS}" },
+    "vapidPublicKey": { "value": "${VAPID_PUBLIC_KEY}" },
+    "vapidPrivateKey": { "value": "${VAPID_PRIVATE_KEY}" },
+    "vapidSubject": { "value": "${VAPID_SUBJECT}" }
   }
 }

server.js

@@ -3,10 +3,13 @@ import session from 'express-session';
 import FileStoreFactory from 'session-file-store';
 import { setupWebSocket } from './dist/ws/handler.js';
 import { registerSession, deleteSessionById } from './dist/session-store.js';
+import { unsealAuth, parseCookieValue, AUTH_COOKIE_NAME } from './dist/auth/auth-cookie.js';
 
 const FileStore = FileStoreFactory(session);
 const isDev = process.env.NODE_ENV !== 'production';
 const port = parseInt(process.env.PORT || '3000');
+const sessionSecret = process.env.SESSION_SECRET || 'dev-secret-change-me';
+const tokenMaxAge = parseInt(process.env.TOKEN_MAX_AGE_MS || String(7 * 24 * 60 * 60 * 1000));
 
 // Set ORIGIN for SvelteKit adapter-node CSRF check before importing handler.
 // Without this, adapter-node defaults protocol to 'https', causing origin mismatch on plain HTTP.
@@ -22,7 +25,7 @@ if (!isDev && !process.env.SESSION_SECRET) {
 const sessionStorePath = process.env.SESSION_STORE_PATH || (isDev ? '.sessions' : '/data/sessions');
 const sessionMiddleware = session({
   store: new FileStore({ path: sessionStorePath, ttl: 86400, retries: 0, logFn: () => {} }),
-  secret: process.env.SESSION_SECRET || 'dev-secret-change-me',
+  secret: sessionSecret,
   resave: false,
   saveUninitialized: false,
   rolling: true,
@@ -31,12 +34,30 @@ const sessionMiddleware = session({
     httpOnly: true,
     secure: !isDev,
     sameSite: 'lax',
-    maxAge: parseInt(process.env.TOKEN_MAX_AGE_MS || String(7 * 24 * 60 * 60 * 1000)),
+    maxAge: tokenMaxAge,
   },
 });
 
+/** Restore auth from encrypted cookie when session file is missing (e.g. after EmptyDir wipe). */
+function restoreAuthFromCookie(req) {
+  if (req.session && !req.session.githubToken) {
+    const sealed = parseCookieValue(req.headers.cookie, AUTH_COOKIE_NAME);
+    if (sealed) {
+      const data = unsealAuth(sealed, sessionSecret, tokenMaxAge);
+      if (data) {
+        req.session.githubToken = data.githubToken;
+        req.session.githubUser = data.githubUser;
+        req.session.githubAuthTime = data.githubAuthTime;
+        req.session.save(() => {});
+        console.log(`[AUTH-COOKIE] Restored auth for user=${data.githubUser.login}`);
+      }
+    }
+  }
+}
+
 const server = createServer((req, res) => {
   sessionMiddleware(req, res, () => {
+    restoreAuthFromCookie(req);
     const sessionId = registerSession(req.session);
     req.headers['x-session-id'] = sessionId;
 

src/hooks.server.test.ts

@@ -15,6 +15,9 @@ interface MockEvent {
 	locals: {
 		session?: SessionLike | null;
 	};
+	cookies: {
+		delete: ReturnType<typeof vi.fn>;
+	};
 	getClientAddress: () => string;
 }
 
@@ -56,6 +59,19 @@ vi.mock('$lib/server/auth/guard.js', () => ({
 	revalidateTokenIfStale: mockRevalidateTokenIfStale,
 }));
 
+vi.mock('$lib/server/auth/auth-cookie.js', () => ({
+	unsealAuth: vi.fn(() => null),
+	parseCookieValue: vi.fn(() => undefined),
+	AUTH_COOKIE_NAME: '__copilot_auth',
+}));
+
+vi.mock('$lib/server/config.js', () => ({
+	config: {
+		sessionSecret: 'test-secret',
+		tokenMaxAge: 7 * 24 * 60 * 60 * 1000,
+	},
+}));
+
 const originalNodeEnv = process.env.NODE_ENV;
 const originalBaseUrl = process.env.BASE_URL;
 
@@ -93,6 +109,9 @@ function createEvent({
 		}),
 		url: requestUrl,
 		locals: {},
+		cookies: {
+			delete: vi.fn(),
+		},
 		getClientAddress: () => ip,
 	};
 }

src/hooks.server.ts

@@ -2,6 +2,8 @@ import type { Handle } from '@sveltejs/kit';
 import { sequence } from '@sveltejs/kit/hooks';
 import { getSessionById } from '$lib/server/session-store';
 import { checkAuth, revalidateTokenIfStale } from '$lib/server/auth/guard.js';
+import { unsealAuth, parseCookieValue, AUTH_COOKIE_NAME } from '$lib/server/auth/auth-cookie.js';
+import { config } from '$lib/server/config.js';
 import { initServerSideEffects } from '$lib/server/init.js';
 
 initServerSideEffects();
@@ -13,6 +15,22 @@ const sessionHandle: Handle = async ({ event, resolve }) => {
 	if (sessionId) {
 		const session = getSessionById(sessionId) ?? null;
 		console.log(`[HOOKS] session resolved: hasSession=${!!session} hasToken=${!!session?.githubToken} user=${session?.githubUser?.login ?? 'none'}`);
+
+		// Restore auth from encrypted cookie when session file was lost (e.g. deploy wipe)
+		if (session && !session.githubToken) {
+			const sealed = parseCookieValue(event.request.headers.get('cookie') ?? undefined, AUTH_COOKIE_NAME);
+			if (sealed) {
+				const data = unsealAuth(sealed, config.sessionSecret, config.tokenMaxAge);
+				if (data) {
+					session.githubToken = data.githubToken;
+					session.githubUser = data.githubUser;
+					session.githubAuthTime = data.githubAuthTime;
+					session.save(() => {});
+					console.log(`[HOOKS] Restored auth from cookie for user=${data.githubUser.login}`);
+				}
+			}
+		}
+
 		event.locals.session = session;
 	} else {
 		console.log(`[HOOKS] NO x-session-id header — session will be null`);
@@ -140,6 +158,8 @@ const tokenRevalidation: Handle = async ({ event, resolve }) => {
 
   const result = await revalidateTokenIfStale(session);
   if (!result.valid) {
+    // Token was revoked — clear encrypted auth cookie so it doesn't restore a dead token
+    event.cookies.delete(AUTH_COOKIE_NAME, { path: '/' });
     return new Response(JSON.stringify({ error: 'Token revoked. Please sign in again.' }), {
       status: 401,
       headers: { 'Content-Type': 'application/json' },

src/lib/components/SettingsModal.svelte

@@ -39,6 +39,8 @@
     onFetchAgents: () => void;
     onFetchQuota: () => void;
     onFetchSkills: () => void;
+    notificationsEnabled: boolean;
+    onToggleNotifications: (enabled: boolean) => void;
   }
 
   const {
@@ -68,6 +70,8 @@
     onFetchAgents,
     onFetchQuota,
     onFetchSkills,
+    notificationsEnabled,
+    onToggleNotifications,
   }: Props = $props();
 
   import {
@@ -134,10 +138,39 @@
     }
     if (typeof Notification !== 'undefined' && Notification.permission === 'denied') {
       notificationStatus = 'denied';
+      if (notificationsEnabled) onToggleNotifications(false);
       return;
     }
     const sub = await getPushSubscription();
-    if (sub) { notificationStatus = 'subscribed'; return; }
+    if (sub) {
+      notificationStatus = 'subscribed';
+      if (!notificationsEnabled) onToggleNotifications(true);
+      return;
+    }
+    // Settings say enabled but browser has no subscription — auto-re-subscribe.
+    // First confirm the server has VAPID configured; if not (503), treat push as
+    // unsupported and clear the stored preference so we don't keep retrying.
+    if (notificationsEnabled && typeof Notification !== 'undefined' && Notification.permission === 'granted') {
+      try {
+        const vapidRes = await fetch('/api/push/vapid-key');
+        if (!vapidRes.ok) {
+          onToggleNotifications(false);
+          notificationStatus = 'unsupported';
+          return;
+        }
+      } catch {
+        notificationStatus = 'granted-no-push';
+        return;
+      }
+      notificationBusy = true;
+      try {
+        const newSub = await subscribeToPush();
+        notificationStatus = newSub ? 'subscribed' : 'granted-no-push';
+      } finally {
+        notificationBusy = false;
+      }
+      return;
+    }
     if (typeof Notification !== 'undefined' && Notification.permission === 'granted') {
       notificationStatus = 'granted-no-push';
       return;
@@ -151,8 +184,10 @@
       const sub = await subscribeToPush();
       if (sub) {
         notificationStatus = 'subscribed';
+        onToggleNotifications(true);
       } else if (typeof Notification !== 'undefined' && Notification.permission === 'denied') {
         notificationStatus = 'denied';
+        onToggleNotifications(false);
       }
     } finally {
       notificationBusy = false;
@@ -164,6 +199,7 @@
     try {
       await unsubscribeFromPush();
       notificationStatus = 'prompt';
+      onToggleNotifications(false);
     } finally {
       notificationBusy = false;
     }

src/lib/server/auth/auth-cookie.test.ts

@@ -0,0 +1,156 @@
+// @vitest-environment node
+
+import { describe, expect, it } from 'vitest';
+import { sealAuth, unsealAuth, parseCookieValue, AUTH_COOKIE_NAME, type AuthCookiePayload } from './auth-cookie';
+
+const SECRET = 'test-session-secret-at-least-32-chars-long';
+
+const VALID_PAYLOAD: AuthCookiePayload = {
+  githubToken: 'gho_abc123def456',
+  githubUser: { login: 'octocat', name: 'The Octocat' },
+  githubAuthTime: Date.now(),
+};
+
+describe('auth-cookie', () => {
+  describe('sealAuth / unsealAuth', () => {
+    it('round-trips a valid payload', () => {
+      const sealed = sealAuth(VALID_PAYLOAD, SECRET);
+      const result = unsealAuth(sealed, SECRET);
+
+      expect(result).toEqual(VALID_PAYLOAD);
+    });
+
+    it('produces different ciphertexts for the same payload (random IV)', () => {
+      const a = sealAuth(VALID_PAYLOAD, SECRET);
+      const b = sealAuth(VALID_PAYLOAD, SECRET);
+
+      expect(a).not.toBe(b);
+    });
+
+    it('returns null for a wrong secret', () => {
+      const sealed = sealAuth(VALID_PAYLOAD, SECRET);
+      const result = unsealAuth(sealed, 'wrong-secret-that-is-long-enough');
+
+      expect(result).toBeNull();
+    });
+
+    it('returns null for tampered ciphertext', () => {
+      const sealed = sealAuth(VALID_PAYLOAD, SECRET);
+      // Flip a character in the middle
+      const tampered = sealed.slice(0, 10) + (sealed[10] === 'a' ? 'b' : 'a') + sealed.slice(11);
+      const result = unsealAuth(tampered, SECRET);
+
+      expect(result).toBeNull();
+    });
+
+    it('returns null for truncated data', () => {
+      const sealed = sealAuth(VALID_PAYLOAD, SECRET);
+      const result = unsealAuth(sealed.slice(0, 10), SECRET);
+
+      expect(result).toBeNull();
+    });
+
+    it('returns null for empty string', () => {
+      expect(unsealAuth('', SECRET)).toBeNull();
+    });
+
+    it('returns null for non-base64 garbage', () => {
+      expect(unsealAuth('not-valid-base64!!!', SECRET)).toBeNull();
+    });
+
+    it('returns null when authTime exceeds maxAgeMs', () => {
+      const oldPayload: AuthCookiePayload = {
+        ...VALID_PAYLOAD,
+        githubAuthTime: Date.now() - 8 * 24 * 60 * 60 * 1000, // 8 days ago
+      };
+      const sealed = sealAuth(oldPayload, SECRET);
+      const result = unsealAuth(sealed, SECRET, 7 * 24 * 60 * 60 * 1000); // 7-day max
+
+      expect(result).toBeNull();
+    });
+
+    it('accepts payload when authTime is within maxAgeMs', () => {
+      const recentPayload: AuthCookiePayload = {
+        ...VALID_PAYLOAD,
+        githubAuthTime: Date.now() - 1000, // 1 second ago
+      };
+      const sealed = sealAuth(recentPayload, SECRET);
+      const result = unsealAuth(sealed, SECRET, 7 * 24 * 60 * 60 * 1000);
+
+      expect(result).toEqual(recentPayload);
+    });
+
+    it('accepts payload when maxAgeMs is not provided', () => {
+      const oldPayload: AuthCookiePayload = {
+        ...VALID_PAYLOAD,
+        githubAuthTime: Date.now() - 30 * 24 * 60 * 60 * 1000, // 30 days ago
+      };
+      const sealed = sealAuth(oldPayload, SECRET);
+      const result = unsealAuth(sealed, SECRET);
+
+      expect(result).toEqual(oldPayload);
+    });
+
+    it('returns null for payload missing githubToken', () => {
+      const badPayload = { githubUser: { login: 'octocat', name: 'Octo' }, githubAuthTime: Date.now() };
+      // Manually seal a bad payload by casting
+      const sealed = sealAuth(badPayload as AuthCookiePayload, SECRET);
+      const result = unsealAuth(sealed, SECRET);
+
+      expect(result).toBeNull();
+    });
+
+    it('returns null for payload missing githubUser.login', () => {
+      const badPayload = { githubToken: 'tok', githubUser: { name: 'Octo' }, githubAuthTime: Date.now() };
+      const sealed = sealAuth(badPayload as unknown as AuthCookiePayload, SECRET);
+      const result = unsealAuth(sealed, SECRET);
+
+      expect(result).toBeNull();
+    });
+
+    it('returns null for payload with non-number githubAuthTime', () => {
+      const badPayload = { githubToken: 'tok', githubUser: { login: 'x', name: 'X' }, githubAuthTime: 'not-a-number' };
+      const sealed = sealAuth(badPayload as unknown as AuthCookiePayload, SECRET);
+      const result = unsealAuth(sealed, SECRET);
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('parseCookieValue', () => {
+    it('extracts a cookie value from a header string', () => {
+      const header = 'connect.sid=s%3Aabc; __copilot_auth=sealed123; other=val';
+      expect(parseCookieValue(header, '__copilot_auth')).toBe('sealed123');
+    });
+
+    it('returns undefined for a missing cookie', () => {
+      const header = 'connect.sid=s%3Aabc; other=val';
+      expect(parseCookieValue(header, '__copilot_auth')).toBeUndefined();
+    });
+
+    it('returns undefined for undefined header', () => {
+      expect(parseCookieValue(undefined, '__copilot_auth')).toBeUndefined();
+    });
+
+    it('handles cookie value with equals signs', () => {
+      const header = '__copilot_auth=abc=def=ghi';
+      expect(parseCookieValue(header, '__copilot_auth')).toBe('abc=def=ghi');
+    });
+
+    it('handles whitespace around cookie pairs', () => {
+      const header = '  __copilot_auth = value123 ; other=x';
+      expect(parseCookieValue(header, '__copilot_auth')).toBeUndefined(); // space before = means the prefix doesn't match
+    });
+
+    it('returns first match for duplicate cookie names', () => {
+      const header = '__copilot_auth=first; __copilot_auth=second';
+      expect(parseCookieValue(header, '__copilot_auth')).toBe('first');
+    });
+  });
+
+  describe('AUTH_COOKIE_NAME', () => {
+    it('is the expected value', () => {
+      expect(AUTH_COOKIE_NAME).toBe('__copilot_auth');
+    });
+  });
+});