adnan-radwan
diff --git a/‎standalone/bun.lock‎
Lines changed: 13 additions & 0 deletions b/‎standalone/bun.lock‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎standalone/package.json‎
Lines changed: 2 additions & 1 deletion b/‎standalone/package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎standalone/src/auth.js‎
Lines changed: 125 additions & 132 deletions b/‎standalone/src/auth.js‎
Lines changed: 125 additions & 132 deletions
diff --git a/‎standalone/src/cap.js‎
Lines changed: 8 additions & 8 deletions b/‎standalone/src/cap.js‎
Lines changed: 8 additions & 8 deletions
@@ -1,6 +1,6 @@
 {
   "name": "cap-standalone",
-  "version": "2.0.13",
+  "version": "2.0.14",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "bun run --watch src/index.js",
@@ -49,6 +49,7 @@
     "@elysiajs/cors": "^1.4.0",
     "@elysiajs/static": "^1.4.4",
     "@elysiajs/swagger": "^1.3.1",
+    "@tursodatabase/database": "^0.2.2",
     "elysia": "^1.4.12",
     "elysia-rate-limit": "4.4.0"
   },
 
@@ -6,147 +6,140 @@ import { ratelimitGenerator } from "./ratelimit.js";
 
 const { ADMIN_KEY } = process.env;
 
-const loginQuery = db.query(`
+const loginQuery = db.prepare(`
   INSERT INTO sessions (token, created, expires)
-  VALUES ($token, $created, $expires)
+  VALUES (?, ?, ?)
 `);
-const getValidTokenQuery = db.query(`
-  SELECT * FROM sessions WHERE token = $token AND expires > $now LIMIT 1
+const getValidTokenQuery = db.prepare(`
+  SELECT * FROM sessions WHERE token = ? AND expires > ? LIMIT 1
 `);
 
 if (!ADMIN_KEY) throw new Error("auth: Admin key missing. Please add one");
 if (ADMIN_KEY.length < 30)
-	throw new Error(
-		"auth: Admin key too short. Please use one that's at least 30 characters",
-	);
+  throw new Error(
+    "auth: Admin key too short. Please use one that's at least 30 characters"
+  );
 
 export const auth = new Elysia({
-	prefix: "/auth",
+  prefix: "/auth",
 })
-	.use(
-		rateLimit({
-			duration: 30_000,
-			max: 20_000,
-			scoping: "scoped",
-			generator: ratelimitGenerator,
-		}),
-	)
-	.post("/login", async ({ body, set, cookie }) => {
-		const { admin_key } = body;
-
-		const a = Buffer.from(admin_key, "utf8");
-		const b = Buffer.from(ADMIN_KEY, "utf8");
-
-		if (!a || !b || a.length !== b.length) {
-			set.status = 401;
-			return { success: false };
-		}
-
-		if (!timingSafeEqual(a, b)) {
-			set.status = 401;
-			return { success: false };
-		}
-
-		if (admin_key !== ADMIN_KEY) {
-			// as a last check, in case an attacker somehow bypasses
-			// timingSafeEqual, we're checking AGAIN to see if the tokens
-			// are right.
-
-			// yes, this is vulnerable to timing attacks, but those are
-			// hard to execute and literally just accepting an invalid token
-			// is worse.
-
-			set.status = 401;
-			return { success: false };
-		}
-
-		const session_token = randomBytes(30).toString("hex");
-		const expires = Date.now() + 30 * 24 * 60 * 60 * 1000; // 30 days
-		const created = Date.now();
-
-		const hashedToken = await Bun.password.hash(session_token);
-
-		loginQuery.run({
-			$token: hashedToken,
-			$created: created,
-			$expires: expires,
-		});
-
-		cookie.cap_authed.set({
-			value: "yes",
-			expires: new Date(expires),
-		});
-
-		return { success: true, session_token, hashed_token: hashedToken, expires };
-	});
+  .use(
+    rateLimit({
+      duration: 30_000,
+      max: 20_000,
+      scoping: "scoped",
+      generator: ratelimitGenerator,
+    })
+  )
+  .post("/login", async ({ body, set, cookie }) => {
+    const { admin_key } = body;
+
+    const a = Buffer.from(admin_key, "utf8");
+    const b = Buffer.from(ADMIN_KEY, "utf8");
+
+    if (!a || !b || a.length !== b.length) {
+      set.status = 401;
+      return { success: false };
+    }
+
+    if (!timingSafeEqual(a, b)) {
+      set.status = 401;
+      return { success: false };
+    }
+
+    if (admin_key !== ADMIN_KEY) {
+      // as a last check, in case an attacker somehow bypasses
+      // timingSafeEqual, we're checking AGAIN to see if the tokens
+      // are right.
+
+      // yes, this is vulnerable to timing attacks, but those are
+      // hard to execute and literally just accepting an invalid token
+      // is worse.
+
+      set.status = 401;
+      return { success: false };
+    }
+
+    const session_token = randomBytes(30).toString("hex");
+    const expires = Date.now() + 30 * 24 * 60 * 60 * 1000; // 30 days
+    const created = Date.now();
+
+    const hashedToken = await Bun.password.hash(session_token);
+
+    loginQuery.run(hashedToken, created, expires);
+
+    cookie.cap_authed.set({
+      value: "yes",
+      expires: new Date(expires),
+    });
+
+    return { success: true, session_token, hashed_token: hashedToken, expires };
+  });
 
 export const authBeforeHandle = async ({ set, headers }) => {
-	const { authorization } = headers;
-
-	set.headers["X-Content-Type-Options"] = "nosniff";
-	set.headers["X-Frame-Options"] = "DENY";
-	set.headers["X-XSS-Protection"] = "1; mode=block";
-
-	if (authorization?.startsWith("Bot ")) {
-		const botToken = authorization.replace("Bot ", "").trim();
-		const [id, token] = botToken.split("_");
-
-		if (!id || !token) {
-			set.status = 401;
-			return { success: false, error: "Unauthorized. Invalid bot token." };
-		}
-
-		const apiKey = db.query(`SELECT * FROM api_keys WHERE id = $id`).get({
-			$id: id,
-		});
-
-		if (!apiKey) {
-			set.status = 401;
-			return {
-				success: false,
-				error: "Unauthorized. Deleted or non-existent bot token.",
-			};
-		}
-
-		if (!(await Bun.password.verify(token, apiKey.tokenHash))) {
-			set.status = 401;
-			return { success: false, error: "Unauthorized. Invalid bot token." };
-		}
-
-		return;
-	}
-
-	if (!authorization || !authorization.startsWith("Bearer ")) {
-		set.status = 401;
-		return {
-			success: false,
-			error:
-				"Unauthorized. An API key or session token is required to use this endpoint.",
-		};
-	}
-
-	const { token, hash } = JSON.parse(
-		atob(authorization.replace("Bearer ", "").trim()),
-	);
-
-	const validToken = getValidTokenQuery.get({
-		$token: hash,
-		$now: Date.now(),
-	});
-
-	if (!validToken) {
-		set.status = 401;
-		return {
-			success: false,
-			error: "Unauthorized. An invalid session token was used.",
-		};
-	}
-
-	if (!(await Bun.password.verify(token, validToken.token))) {
-		set.status = 401;
-		return {
-			success: false,
-			error: "Unauthorized. An invalid session token was used.",
-		};
-	}
+  const { authorization } = headers;
+
+  set.headers["X-Content-Type-Options"] = "nosniff";
+  set.headers["X-Frame-Options"] = "DENY";
+  set.headers["X-XSS-Protection"] = "1; mode=block";
+
+  if (authorization?.startsWith("Bot ")) {
+    const botToken = authorization.replace("Bot ", "").trim();
+    const [id, token] = botToken.split("_");
+
+    if (!id || !token) {
+      set.status = 401;
+      return { success: false, error: "Unauthorized. Invalid bot token." };
+    }
+
+    const apiKey = await db
+      .prepare(`SELECT * FROM api_keys WHERE id = ?`)
+      .get(id);
+
+    if (!apiKey || !apiKey.tokenHash) {
+      set.status = 401;
+      return {
+        success: false,
+        error: "Unauthorized. Deleted or non-existent bot token.",
+      };
+    }
+
+    if (!(await Bun.password.verify(token, apiKey.tokenHash))) {
+      set.status = 401;
+      return { success: false, error: "Unauthorized. Invalid bot token." };
+    }
+
+    return;
+  }
+
+  if (!authorization || !authorization.startsWith("Bearer ")) {
+    set.status = 401;
+    return {
+      success: false,
+      error:
+        "Unauthorized. An API key or session token is required to use this endpoint.",
+    };
+  }
+
+  const { token, hash } = JSON.parse(
+    atob(authorization.replace("Bearer ", "").trim())
+  );
+
+  const validToken = await getValidTokenQuery.get(hash, Date.now());
+
+  if (!validToken) {
+    set.status = 401;
+    return {
+      success: false,
+      error: "Unauthorized. An invalid session token was used.",
+    };
+  }
+
+  if (!(await Bun.password.verify(token, validToken.token))) {
+    set.status = 401;
+    return {
+      success: false,
+      error: "Unauthorized. An invalid session token was used.",
+    };
+  }
 };
@@ -6,27 +6,27 @@ import { rateLimit } from "elysia-rate-limit";
 import { db } from "./db.js";
 import { ratelimitGenerator } from "./ratelimit.js";
 
-const getSitekeyConfigQuery = db.query(
+const getSitekeyConfigQuery = db.prepare(
 	`SELECT (config) FROM keys WHERE siteKey = ?`,
 );
 
-const insertChallengeQuery = db.query(`
+const insertChallengeQuery = db.prepare(`
   INSERT INTO challenges (siteKey, token, data, expires)
   VALUES (?, ?, ?, ?)
 `);
-const getChallengeQuery = db.query(`
+const getChallengeQuery = db.prepare(`
   SELECT * FROM challenges WHERE siteKey = ? AND token = ?
 `);
-const deleteChallengeQuery = db.query(`
+const deleteChallengeQuery = db.prepare(`
   DELETE FROM challenges WHERE siteKey = ? AND token = ?
 `);
 
-const insertTokenQuery = db.query(`
+const insertTokenQuery = db.prepare(`
   INSERT INTO tokens (siteKey, token, expires)
   VALUES (?, ?, ?)
 `);
 
-const upsertSolutionQuery = db.query(`
+const upsertSolutionQuery = db.prepare(`
   INSERT INTO solutions (siteKey, bucket, count)
   VALUES (?, ?, 1)
   ON CONFLICT (siteKey, bucket)
@@ -56,7 +56,7 @@ export const capServer = new Elysia({
 		const cap = new Cap({
 			noFSState: true,
 		});
-		const _keyConfig = getSitekeyConfigQuery.get(params.siteKey);
+		const _keyConfig = await getSitekeyConfigQuery.get(params.siteKey);
 
 		if (!_keyConfig) {
 			set.status = 404;
@@ -81,7 +81,7 @@ export const capServer = new Elysia({
 		return challenge;
 	})
 	.post("/:siteKey/redeem", async ({ body, set, params }) => {
-		const challenge = getChallengeQuery.get(params.siteKey, body.token);
+		const challenge = await getChallengeQuery.get(params.siteKey, body.token);
 
 		try {
 			deleteChallengeQuery.run(params.siteKey, body.token);