Refactor authentication handling and improve API client security

- Updated OAuth endpoints for Challonge and Discord in platforms configuration. - Implemented session and CSRF cookie initialization in main application entry. - Enhanced Challonge API client to avoid sending sensitive API keys from the browser. - Modified tournament querying to handle new state definitions and improved error handling. - Updated UI components to reflect server-side storage of authentication tokens. - Improved user experience in API Key Manager and Authentication Hub with clearer messaging. - Refactored client credentials management to support asynchronous operations. - Adjusted API client tests to validate new request configurations. - Updated Vite configuration to support session and CSRF handling through proxies.
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
--- a/code/websites/pokedex.online/server/utils/env-validator.js
+++ b/code/websites/pokedex.online/server/utils/env-validator.js
@@ -73,6 +73,36 @@ const REQUIRED_ENV_VARS = {
        : null
  },

+  // Token encryption key (required for server-side OAuth token storage in production)
+  OAUTH_TOKEN_ENC_KEY: {
+    required: false,
+    description:
+      'Base64-encoded 32-byte key for encrypting OAuth tokens at rest (AES-256-GCM)',
+    validate: (val, env) => {
+      const target = env?.DEPLOYMENT_TARGET;
+      if (target !== 'production') return true;
+      if (!val) {
+        console.error(
+          '❌ OAUTH_TOKEN_ENC_KEY is required in production to encrypt OAuth tokens'
+        );
+        return false;
+      }
+      // Best-effort validation: base64 decode should yield 32 bytes
+      try {
+        const buf = Buffer.from(val, 'base64');
+        return buf.length === 32;
+      } catch {
+        return false;
+      }
+    }
+  },
+
+  // Admin auth
+  ADMIN_PASSWORD: {
+    required: false,
+    description: 'Admin password for /auth/login (recommended for production)'
+  },
+
  // Challonge OAuth (optional)
  CHALLONGE_CLIENT_ID: {
    required: false,
@@ -217,6 +247,10 @@ export function getConfig() {
      secret: process.env.SESSION_SECRET || 'dev-secret-change-in-production'
    },

+    // Admin auth (JWT secret uses session secret for now)
+    secret: process.env.SESSION_SECRET || 'dev-secret-change-in-production',
+    adminPassword: process.env.ADMIN_PASSWORD,
+
    // Discord User Permissions
    discord: {
      adminUsers: process.env.DISCORD_ADMIN_USERS