Add CSRF token support

.gitignore

@@ -1,3 +1,5 @@
 *.db
 tmp.*
 *.log
+.env
+p.vim

.rubocop.yml

@@ -16,6 +16,15 @@ Style/TrailingCommaInArrayLiteral:
 Style/FrozenStringLiteralComment:
   Enabled: false
 
+Style/GlobalVars:
+  Enabled: false
+
+Style/MutableConstant:
+  Enabled: false
+
+Style/StringLiteralsInInterpolation:
+  Enabled: false
+
 Layout/SpaceAroundOperators:
   Enabled: false
 
@@ -28,6 +37,15 @@ Metrics/MethodLength:
 Metrics/ClassLength:
   Enabled: false
 
+Metrics/BlockLength:
+  Enabled: false
+
+Layout/FirstHashElementIndentation:
+  Enabled: false
+
+Layout/FirstArrayElementIndentation:
+  Enabled: false
+
 Layout/EmptyLineAfterGuardClause:
   Enabled: false
 

Gemfile

@@ -1,13 +1,11 @@
 source "https://rubygems.org"
 
-gem "sinatra"
-
-gem "xxhash"
-
-gem "sequel"
-
-gem "json"
-
 gem "base64"
-
+gem "erb"
+gem "json"
+gem "net-http"
+gem "sequel"
+gem "sinatra"
+gem "uri"
+gem "xxhash"
 gem "zlib"

Gemfile.lock

@@ -3,9 +3,13 @@ GEM
   specs:
     base64 (0.3.0)
     bigdecimal (3.2.2)
+    erb (5.0.1)
+    json (2.12.2)
     logger (1.7.0)
     mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
+    net-http (0.6.0)
+      uri
     rack (3.1.16)
     rack-protection (4.1.1)
       base64 (>= 0.1.0)
@@ -25,16 +29,24 @@ GEM
       rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     tilt (2.6.0)
+    uri (1.0.3)
     xxhash (0.6.0)
+    zlib (3.2.1)
 
 PLATFORMS
   ruby
   x86_64-linux
 
 DEPENDENCIES
+  base64
+  erb
+  json
+  net-http
   sequel
   sinatra
+  uri
   xxhash
+  zlib
 
 BUNDLED WITH
    2.6.9

index.erb

@@ -0,0 +1,102 @@
+<!doctype html>
+<html>
+  <head>
+    <title>InfinSweeper</title>
+    <link rel="icon" type="image/png" href="src/assets/img/logo_sm.png" />
+    <meta
+      name="viewport"
+      content="initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
+      />
+    <meta name="signed_in" content="<%= @signed_in %>">
+    <meta name="csrf" content="<%= @csrf_token %>">
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link
+      href="https://fonts.googleapis.com/css2?family=WDXL+Lubrifont+JP+N&display=swap"
+      rel="stylesheet"
+    />
+    <link rel="stylesheet" href="src/assets/style.css" />
+    <script type="module" src="src/js/accounts.js"></script>
+    <script type="module" src="src/js/game.js"></script>
+  </head>
+  <body>
+    <div class="header">
+      <a href="/">
+        <img
+          src="src/assets/img/logo_lg.png"
+          alt="InfinSweeper"
+          class="logo pixelart"
+        />
+      </a>
+      <div class="header-right">
+        <button class="account-button" id="logout-button">LOGOUT</button>
+        <button class="account-button" id="login-button">LOGIN</button>
+        <button class="account-button" id="signup-button">SIGN UP</button>
+      </div>
+    </div>
+    <span id="message"><%= @message %></span>
+    <canvas id="main-canvas"></canvas>
+    <div class="popup" id="popup">
+      <span class="close" id="close">&times;</span>
+      <div class="popup-tab" id="login">
+        <form id="login-form" class="form">
+          <label for="username">USERNAME</label>
+          <input type="text" name="username" placeholder="Username" required />
+          <label for="pass">PASSWORD</label>
+          <input type="password" name="pass" placeholder="Password" required />
+          <button type="submit">LOGIN</button>
+          <span class="link" id="forgot-link">Forgot password?</span>
+          <span class="info" id="login-info"></span>
+        </form>
+      </div>
+      <div class="popup-tab" id="signup">
+        <form id="signup-form" class="form">
+          <label for="username">USERNAME</label>
+          <input type="text" name="username" placeholder="Username" required />
+          <label for="email">EMAIL</label>
+          <input
+            type="email"
+            name="email"
+            placeholder="Email"
+            required
+            autocapitalize="off"
+          />
+          <label for="pass">PASSWORD</label>
+          <input type="password" name="pass" placeholder="Password" required />
+          <button type="submit">SIGN UP</button>
+          <span class="info" id="signup-info"></span>
+        </form>
+      </div>
+      <div class="popup-tab" id="settings">
+        <!-- TODO: settings -->
+      </div>
+      <div class="popup-tab" id="forgot-pass">
+        <form id="forgot-form" class="form">
+          <input
+            type="email"
+            name="email"
+            placeholder="Email"
+            required
+            autocapitalize="off"
+            autocomplete="off"
+          />
+          <button type="submit">SUBMIT</button>
+          <span class="info" id="forgot-info"></span>
+        </form>
+      </div>
+      <div class="popup-tab" id="reset-pass">
+        <form id="reset-form" class="form">
+          <input type="password" name="pass" placeholder="Password" required />
+          <input
+            type="password"
+            name="pass_confirm"
+            placeholder="Confirm Password"
+            required
+          />
+          <button type="submit">SUBMIT</button>
+          <span class="info" id="reset-info"></span>
+        </form>
+      </div>
+    </div>
+  </body>
+</html>

index.html

@@ -1,16 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <title>Infinsweeper</title>
-    <link rel="icon" type="image/png" href="src/assets/img/logo_sm.png" />
-    <meta
-      name="viewport"
-      content="initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
-    />
-    <link rel="stylesheet" href="src/assets/style.css" />
-  </head>
-  <body>
-    <canvas id="main-canvas"></canvas>
-    <script type="module" src="src/js/index.js"></script>
-  </body>
-</html>

logman.rb

@@ -0,0 +1,11 @@
+# module for logging
+module Logman
+  def self.log(log)
+    file, line = caller(1, 1)[0].split(":")
+    File.write("log/main.log", "[#{Time.now}] {#{file}:#{line}} #{log}\n", mode: "a") if ENV_HASH["ENV"] == "dev"
+  end
+
+  def self.imp(log)
+    File.write("log/imp.log", "[#{Time.now}] #{log}\n", mode: "a") if ENV_HASH["ENV"] == "dev"
+  end
+end

mailer.rb

@@ -0,0 +1,31 @@
+# Mailer module
+module Mail
+  def send(to, subject, body)
+    from_email = "infinsweeper@syedm.dev"
+    from_name = "InfinSweeper"
+    to = Array(to).map { |addr| { email_address: { address: addr, name: "" } } }
+
+    payload = {
+      from: {
+        address: from_email,
+        name: from_name,
+      },
+      to: to,
+      subject: subject,
+      htmlbody: body,
+    }
+
+    uri = URI("https://api.zeptomail.com/v1.1/email")
+    req = Net::HTTP::Post.new(uri)
+    req["Authorization"] = "Zoho-enczapikey  #{ENV_HASH["ZOHO_PASS"]}"
+    req["Content-Type"] = "application/json"
+    req.body = payload.to_json
+
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    response = http.request(req)
+
+    return if response.is_a?(Net::HTTPSuccess)
+    Logman.imp "[ZeptoMail ERROR] #{response.body}"
+  end
+end

main.rb

@@ -1,128 +1,139 @@
-require "sinatra"
+require "base64"
+require "erb"
 require "json"
-
-require_relative "players"
-require_relative "session"
+require "net/http"
+require "sequel"
+require "sinatra"
+require "uri"
+require "xxhash"
+require "zlib"
 
 ALPHANUM = [*"0".."9", *"A".."Z", *"a".."z", "-", "_"].freeze
 
+env_data = File.exist?(".env") ? File.read(".env") : ""
+ENV_HASH = {}
+
+env_data.each_line do |line|
+  next unless (match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/))
+  ENV_HASH[match[1]] = match[2]
+end
+
+load "logman.rb"
+# Logman.log ENV_HASH.inspect
+
 db_file = File.expand_path("infinsweeper.db")
 DB = Sequel.connect("sqlite:///#{db_file}", single_threaded: false)
 DB.run("PRAGMA foreign_keys = ON;")
+$active_users = DB[:SignedInUsers].all.map { |x| [x[:code], x[:player]] }.to_h
 
-signed_in_users = DB[:SignedInUsers].all.map { |x| [x[:code], x[:player]] }.to_h
-
-Thread.new do
-  loop do
-    now = Time.now
-    fifteen_days_ago = now - (60 * 60 * 24 * 15)
-    six_days_ago = now - (60 * 60 * 24 * 6)
-    old_sessions = (DB[:SignedInUsers].where { created_at < fifteen_days_ago }.all +
-                    DB[:SignedInUsers].where { last_used_at < six_days_ago }.all).uniq { |s| s[:code] }
-    old_sessions.each do |session|
-      begin
-        DB[:SignedInUsers].where(code: session[:code]).delete
-      rescue StandardError => e
-        File.write("log/main.log",
-                   "[#{Time.now}] Thread DB error: #{e.message} on #{session[:code]} for #{session[:player]}\n",
-                   mode: "a")
-      end
-      signed_in_users.delete(session[:code])
-      puts "Auto-logged out: #{session[:player]} (expired session)"
-    end
-  rescue StandardError => e
-    File.write("log/main.log", "[#{Time.now}] Thread error: #{e.message}\n", mode: "a")
-  ensure
-    sleep 60 * 60 * 24
-  end
-end
+load "mailer.rb"
+load "players.rb"
+load "session.rb"
 
 set :public_folder, "public"
 
 get "/" do
-  send_file "index.html"
+  session = Sessions.new request, response
+  @message = session.message || ""
+  session.message = ""
+  @signed_in = session.signed_in?.nil? ? false : true
+  @csrf_token = Array.new(32) { ALPHANUM.sample }.join
+  session["csrf_token"] = @csrf_token
+  ERB.new(File.read("index.erb")).result(binding)
 end
 
 get "/debug" do
-  return get_session_all(request, response).inspect
+  content_type :json
+  (Sessions.new request, response).all.to_json
 end
 
-post "/new_player" do
+post "/signup" do
+  session = Sessions.new request, response
+  uid = session["user"]
+  session.logout unless uid.nil? || $active_users[uid].nil?
   data = JSON.parse(request.body.read)
+  unless session.csrf_auth?
+    status 401
+    return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
+  end
+  session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
   if data["email"].nil? || data["pass"].nil? || data["username"].nil?
     status 400
-    return { "message" => "Bad request made!" }.to_json
-  end
-  player = Players.mk_player(data["username"], data["email"], data["pass"])
-  case player
-  when "Successfully registered!"
-    code = Array.new(24) { ALPHANUM.sample }.join
-    set_session(request, response, "user", code, code)
-    signed_in_users[code] = data["email"]
-    begin
-      DB["insert into SignedInUsers (code, player) values (?, ?)", code, data["email"]].insert
-    rescue Sequel::Error => e
-      File.write("log/main.log", "DB Error: #{e.message}\n", mode: "a")
-      status 500
-      return { "message" => "Internal server error when signing you in!" }.to_json
+    return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
   end
+  signup_status = Players.mk_player(data["username"], data["email"], data["pass"])
+  if signup_status[0] == 200
+    login_status = session.login(data["username"], data["pass"])
+    if login_status[0] == 200
       status 200
+      return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
     else
-    status 400
+      status login_status[0]
+      return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
     end
-  return { "message" => player }.to_json
+  end
+  status signup_status[0]
+  return { "message" => signup_status[1], "csrf_token" => session["csrf_token"] }.to_json
 end
 
 get "/verify/:code" do
-  if Players.verify(params[:code])
-    status 200
-    return { "message" => "Verified successfully!" }.to_json
-  else
-    status 400
-    return { "message" => "Couldn't verify!" }
-  end
+  session = Sessions.new request, response
+  session.message = Players.verify(params[:code]) ? "Verified successfully!" : "Verification failed!"
+  redirect "/"
 end
 
 post "/login" do
   data = JSON.parse(request.body.read)
-  player = Players.authorized?(data["email"], data["pass"])
-  if player
-    code = Array.new(24) { ALPHANUM.sample }.join
-    set_session(request, response, "user", code, code)
-    signed_in_users[code] = data["email"]
-    begin
-      DB["insert into SignedInUsers (code, player) values (?, ?)", code, data["email"]].insert
-    rescue Sequel::Error => e
-      File.write("log/main.log", "DB Error: #{e.message}\n", mode: "a")
-      status 500
-      return { "message" => "Internal server error when signing you in!" }.to_json
+  session = Sessions.new request, response
+  uid = session["user"]
+  Logman.log(request.env["HTTP_X_CSRF_TOKEN"].to_s + " " + session["csrf_token"].to_s)
+  unless session.csrf_auth?
+    status 401
+    return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
   end
-    status 200
-    return { "message" => "Remember to verify your email!" }.to_json unless Players.verified?(data["email"])
-    return { "message" => "Signed in successfully!" }.to_json
-  else
+  session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
+  if $active_users[uid] && !session.logout
+    status 500
+    return {
+             "message" => "Internal server error when signing the existing session out!",
+             "csrf_token" => session["csrf_token"],
+           }.to_json
+  end
+  if data["username"].nil? || data["pass"].nil?
     status 400
-    return { "message" => "Couldn't sign you in!" }.to_json
+    return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
+  end
+  login_status = session.login(data["username"], data["pass"])
+  if login_status[0] == 200
+    status 200
+    return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
+  else
+    status login_status[0]
+    return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
   end
 end
 
 post "/logout" do
-  uid = get_session(request, response, "user")
-  if signed_in_users[uid].nil?
+  session = Sessions.new request, response
+  uid = session["user"]
+  if $active_users[uid].nil?
     status 400
-    return { "message" => "Not signed in!" }.to_json
+    return { "message" => "Not logged in!" }.to_json
   end
-  signed_in_users.delete(uid)
-  rm_session(request, response, "user")
-  begin
-    DB["delete from SignedInUsers where code = ?", uid].delete
-  rescue Sequel::Error => e
-    File.write("log/main.log", "DB Error: #{e.message}\n", mode: "a")
+  unless session.logout
     status 500
-    return { "message" => "Internal server error when signing you out!" }.to_json
+    return { "message" => "Internal server error when logging you out!" }.to_json
   end
   status 200
-  return { "message" => "Signed out successfully!" }.to_json
+  return { "message" => "Logged out successfully!", "success" => "true" }.to_json
+end
+
+get "/logout" do
+  session = Sessions.new request, response
+  uid = session["user"]
+  session.logout unless $active_users[uid].nil?
+  session.message = "Logged out successfully!"
+  redirect "/"
 end
 
 post "/forgot_password" do
@@ -131,9 +142,32 @@ post "/forgot_password" do
     status 400
     return { "message" => "Bad request made (Email not provided)!" }.to_json
   end
-  Players.pass_req(data["email"])
+  if Players.pass_req(data["email"])
     status 200
     return { "message" => "Email sent successfully!" }.to_json
+  else
+    status 400
+    return { "message" => "Couldn't send email!" }.to_json
+  end
+end
+
+post "/pass_reset?" do
+  data = JSON.parse(request.body.read)
+  if data["code"].nil?
+    status 400
+    return { "message" => "Bad request made!" }.to_json
+  end
+  if Players.pass_reset?(data["code"])
+    status 200
+    return { "message" => "Password reset link exists!" }.to_json
+  else
+    status 400
+    return { "message" => "Code doesn't exist!" }.to_json
+  end
+end
+
+get "/reset_password/:code" do
+  redirect "/?reset_code=#{params[:code]}"
 end
 
 post "/reset_password/:code" do
@@ -152,14 +186,13 @@ post "/reset_password/:code" do
 end
 
 delete "/rm_player" do
-  uid = get_session(request, response, "user")
-  if uid.nil? || signed_in_users[uid].nil?
+  session = Sessions.new request, response
+  uid = session["user"]
+  if uid.nil? || $active_users[uid].nil?
     status 400
     return { "message" => "Not signed in!" }.to_json
   end
-  if Players.rm_player(signed_in_users[uid])
-    signed_in_users.delete(uid)
-    rm_session(request, response, "user")
+  if session.logout && Players.rm_player($active_users[uid])
     status 200
     return { "message" => "Sorry to see you go.." }.to_json
   else
@@ -167,3 +200,7 @@ delete "/rm_player" do
     return { "message" => "Couldn't delete!" }.to_json
   end
 end
+
+get "*" do
+  redirect "/"
+end

players.rb

@@ -1,50 +1,42 @@
-require "xxhash"
-require "sequel"
-require "json"
-
-ALPHANUM = [*"0".."9", *"A".."Z", *"a".."z", "-", "_"].freeze
-
 # DataBase handler module
 module Players
-  db_file = File.expand_path("infinsweeper.db")
-  DB = Sequel.connect("sqlite:///#{db_file}", single_threaded: false)
-  DB.run("PRAGMA foreign_keys = ON;")
-
   def self.list
     DB["select * from Players"].all
   end
 
-  def self.rm_player(email)
-    DB["delete from Players where email = ?", email].delete != 0
+  def self.rm_player(username)
+    DB["delete from Players where username = ?", username].delete != 0
   end
 
   def self.mk_player(username, email, pass)
-    raise ArgumentError, "Email format is wrong!" unless email.match?(/\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/)
+    # rubocop:disable Layout/LineLength
+    raise ArgumentError, "Email format is wrong!" unless
+      email.match?(%r[(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])])
+    # rubocop:enable Layout/LineLength
     raise ArgumentError, "Username must be at least 4 characters long and of valid format." unless
       username.match?(/\A[a-zA-Z][a-zA-Z0-9_.-]+\z/) && username.length >= 4
     raise ArgumentError, "Password must be at least 8 characters and of valid format." unless
       pass.match?(/\A[a-zA-Z0-9_.!?@#$%^&*()+=-]+\z/) && pass.length >= 8
 
-    digest = XXhash.xxh32(pass, 1234)
-
-    code = Array.new(24) { ALPHANUM.sample }.join
+    digest = XXhash.xxh32(pass, ENV_HASH["SALT"])
+    code = ENV_HASH["ENV"] == "prod" ? Array.new(24) { ALPHANUM.sample }.join : "!"
 
     DB[
-      "insert into Players (email, digest, username, activation_code) values (?, ?, ?, ?)",
-      email, digest, username, code
+      "insert into Players (username, digest, email, activation_code) values (?, ?, ?, ?)",
+      username, digest, email, code
     ].insert
 
-    send_email(:new, email, username, code)
+    send_email(:new, email, username, code) if ENV_HASH["ENV"] == "prod"
 
-    "Successfully registered!"
+    [200, "Successfully signed up!"]
   rescue ArgumentError => e
-    e.message
+    [400, e.message]
   rescue Sequel::UniqueConstraintViolation
-    "Account already exists with this email or username!"
+    [400, "Account already exists with this email or username!"]
   end
 
   def self.verify(code)
-    DB["update Players set activation_code = ? where code = ?", "!", code].update != 0
+    DB["update Players set activation_code = ? where activation_code = ?", "!", code].update != 0
   end
 
   def self.unverified
@@ -52,45 +44,59 @@ module Players
   end
 
   def self.pass_req(email)
-    return unless self[email]
+    return false unless by_email(email)
 
     code = Array.new(24) { ALPHANUM.sample }.join
     DB["update Players set new_pass_code = ? where email = ?", code, email].update
 
-    send_email(:pass_req, email, code)
+    Logman.log "Pass req: #{email} & #{code}"
+
+    true
+
+    # send_email(:pass_req, email, code)
   end
 
   def self.pass_reset(new_pass, code)
-    digest = XXhash.xxh32(new_pass, 1234)
-    DB["update Players set digest = ? where new_pass_code = ?", digest, code].update != 0
+    digest = XXhash.xxh32(new_pass, ENV_HASH["SALT"])
+    DB["update Players set digest = ?, new_pass_code = ? where new_pass_code = ?", digest, "", code].update != 0
   end
 
-  def self.[](email)
+  def self.pass_reset?(code)
+    DB["select * from Players where new_pass_code = ?", code].first
+  end
+
+  def self.[](username)
+    DB["select * from Players where username = ?", username].first
+  end
+
+  def self.by_email(email)
     DB["select * from Players where email = ?", email].first
   end
 
-  def self.[]=(email, data)
-    DB["update Players set data = ? where email = ?", data, email].update
+  def self.[]=(username, data)
+    DB["update Players set data = ? where username = ?", data, username].update
   end
 
-  def self.authorized?(email, pass)
-    digest = XXhash.xxh32(pass, 1234)
-    player = self[email]
+  def self.authorized?(username, pass)
+    digest = XXhash.xxh32(pass, ENV_HASH["SALT"])
+    Logman.log "Authorized: #{username} & #{digest}"
+    player = self[username]
     player && player[:digest].to_i == digest.to_i ? player : false
   end
 
-  def self.verified?(email)
-    player = self[email]
-    player && player[:code] == "!"
+  def self.verified?(username)
+    player = self[username]
+    Logman.log "Verified: #{player.inspect}\n"
+    player && player[:activation_code] == "!"
   end
 
   Thread.new do
     loop do
       unverified.each do |player|
-        rm_player(player[:email]) if player[:created_at] + 24 * 60 * 60 < Time.now
+        rm_player(player[:username]) if player[:created_at] + 24 * 60 * 60 < Time.now
       end
     rescue StandardError => e
-      File.write("log/main.log", "Thread error: #{e.message}\n", mode: "a")
+      Logman.log "Thread error: #{e.message}"
     ensure
       sleep 60 * 60
     end

public/src/assets/style.css

@@ -1,4 +1,220 @@
+@import url("https://fonts.googleapis.com/css2?family=WDXL+Lubrifont+JP+N&display=swap");
+
 body {
   margin: 0;
   overflow: hidden;
 }
+
+.header {
+  width: 100%;
+  height: 90px;
+  background-color: #1b262c;
+  border-bottom: 3px solid #90bdd9;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+}
+
+#message {
+  color: white;
+  position: absolute;
+  background-color: #1b262c;
+  width: calc(100vw - 10px);
+  padding: 5px;
+  display: block;
+  text-align: center;
+  font-size: 21px;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+  opacity: 1;
+  transition: opacity 0.5s ease-in-out;
+}
+
+#message.hide {
+  opacity: 0;
+}
+
+#message::after {
+  content: "X";
+  color: white;
+  position: absolute;
+  right: 10px;
+  cursor: pointer;
+}
+
+#message:hover::after {
+  color: #90bdd9;
+}
+
+#message:empty {
+  display: none;
+}
+
+#message:empty:after {
+  display: none;
+}
+
+button {
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+  font-size: 18px;
+}
+
+input {
+  outline: none;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+  font-size: 18px;
+  background-color: white;
+  color: #1b262c;
+  border: none;
+}
+
+.link {
+  color: #90bdd9;
+  text-decoration: none;
+  cursor: pointer;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+}
+
+.link:hover {
+  color: #adcee3;
+  text-decoration: underline;
+}
+
+.logo {
+  height: 50px;
+  position: relative;
+  top: 7px;
+}
+
+.popup {
+  position: fixed;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+  width: 400px;
+  padding-top: 20px;
+  background-color: #1b262c70;
+  backdrop-filter: blur(8px);
+  display: none;
+  border-radius: 30px;
+  justify-content: center;
+  align-items: center;
+  z-index: 9999;
+}
+
+.close {
+  position: absolute;
+  top: 5px;
+  right: 15px;
+  font-size: 24px;
+  cursor: pointer;
+  font-size: 29px;
+  color: white;
+}
+
+.close:hover {
+  color: #fa908c;
+}
+
+.popup.active {
+  display: flex;
+}
+
+.popup-tab {
+  display: none;
+  width: calc(100% - 60px);
+  height: calc(100% - 60px);
+  padding: 20px 30px;
+  border-radius: 8px;
+  padding: 30px;
+}
+
+.info {
+  margin-bottom: 10px;
+  color: white;
+  font-weight: bold;
+  opacity: none;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+}
+
+.info:empty::before {
+  content: "\00a0";
+  visibility: hidden;
+  display: inline-block;
+}
+
+.info.active {
+  opacity: 1;
+}
+
+.form {
+  display: flex;
+  gap: 10px;
+  flex-direction: column;
+  justify-content: center;
+  align-items: center;
+  height: 80%;
+}
+
+.form input {
+  padding: 10px;
+  width: 80%;
+  border: 1px solid #ccc;
+  border-radius: 12px;
+}
+
+.form label {
+  font-size: 16px;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+  color: white;
+}
+
+.form button {
+  margin-top: 10px;
+  padding: 10px;
+  background-color: #3498db;
+  color: white;
+  border: none;
+  width: 25%;
+  border-radius: 12px;
+  cursor: pointer;
+}
+
+.form button:hover {
+  background-color: #2980b9;
+}
+
+.popup-tab.active {
+  display: block;
+}
+
+.header-right {
+  margin-right: 20px;
+  display: flex;
+  white-space: nowrap;
+  gap: 10px;
+}
+
+.account-button {
+  background: none;
+  border: none;
+  cursor: pointer;
+  color: #90bdd9;
+  font-size: 23px;
+  font-family: "WDXL Lubrifont JP N", sans-serif;
+}
+
+.account-button:hover {
+  color: #adcee3;
+  text-decoration: underline;
+}
+
+.pixelart {
+  image-rendering: pixelated;
+  image-rendering: crisp-edges;
+  margin: 0 20px;
+}
+
+#main-canvas {
+  height: calc(100vh - 90px);
+}

public/src/js/accounts.js

@@ -0,0 +1,165 @@
+const csrfMeta = document.querySelector('meta[name="csrf"]');
+var csrf = csrfMeta?.content;
+window.onload = async () => {
+  const popup = document.getElementById("popup");
+  const loginSection = document.getElementById("login");
+  const signupSection = document.getElementById("signup");
+  const forgotPassSection = document.getElementById("forgot-pass");
+  const resetPassSection = document.getElementById("reset-pass");
+
+  const loginForm = document.getElementById("login-form");
+  const signupForm = document.getElementById("signup-form");
+  const forgotForm = document.getElementById("forgot-form");
+  const resetForm = document.getElementById("reset-form");
+
+  const loginInfo = document.getElementById("login-info");
+  const signupInfo = document.getElementById("signup-info");
+  const forgotInfo = document.getElementById("forgot-info");
+  const resetInfo = document.getElementById("reset-info");
+
+  const loginButton = document.getElementById("login-button");
+  const signupButton = document.getElementById("signup-button");
+  const logoutButton = document.getElementById("logout-button");
+  const forgotButton = document.getElementById("forgot-link");
+  const closeButton = document.getElementById("close");
+
+  const message = document.getElementById("message");
+  message.onclick = () => message.classList.add("hide");
+
+  const signedInMeta = document.querySelector('meta[name="signed_in"]');
+  const isSignedIn = signedInMeta?.content === "true";
+  if (isSignedIn) {
+    loginButton.style.display = "none";
+    signupButton.style.display = "none";
+  } else {
+    logoutButton.style.display = "none";
+  }
+
+  const showPopup = (section) => {
+    popup.classList.add("active");
+    loginSection.classList.remove("active");
+    signupSection.classList.remove("active");
+    forgotPassSection.classList.remove("active");
+    resetPassSection.classList.remove("active");
+    if (section) section.classList.add("active");
+  };
+
+  const hidePopup = () => {
+    popup.classList.remove("active");
+    loginSection.classList.remove("active");
+    signupSection.classList.remove("active");
+    forgotPassSection.classList.remove("active");
+    resetPassSection.classList.remove("active");
+  };
+
+  loginButton?.addEventListener("click", () => showPopup(loginSection));
+  signupButton?.addEventListener("click", () => showPopup(signupSection));
+  logoutButton?.addEventListener("click", async () => {
+    const res = await fetch("/logout", { method: "POST" });
+    const data = await res.json();
+    message.innerText = data.message;
+    message.classList.remove("hide");
+    if (data.success == "true") {
+      loginButton.style.display = "block";
+      signupButton.style.display = "block";
+      logoutButton.style.display = "none";
+    }
+  });
+  forgotButton?.addEventListener("click", () => showPopup(forgotPassSection));
+  closeButton?.addEventListener("click", hidePopup);
+
+  loginForm?.addEventListener("submit", async (e) => {
+    e.preventDefault();
+    const { username, pass } = loginForm;
+    const res = await fetch("/login", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-CSRF-Token": csrf },
+      body: JSON.stringify({ username: username.value, pass: pass.value }),
+    });
+    const data = await res.json();
+    loginInfo.innerText = data.message;
+    csrf = data.csrf_token;
+    if (data.success == "true") {
+      loginButton.style.display = "none";
+      signupButton.style.display = "none";
+      logoutButton.style.display = "block";
+      message.innerText = data.message;
+      message.classList.remove("hide");
+      hidePopup();
+    }
+  });
+
+  signupForm?.addEventListener("submit", async (e) => {
+    e.preventDefault();
+    const { username, email, pass } = signupForm;
+    const res = await fetch("/signup", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-CSRF-Token": csrf },
+      body: JSON.stringify({
+        username: username.value,
+        email: email.value,
+        pass: pass.value,
+      }),
+    });
+    const data = await res.json();
+    signupInfo.innerText = data.message;
+    csrf = data.csrf_token;
+    if (data.success == "true") {
+      loginButton.style.display = "none";
+      signupButton.style.display = "none";
+      logoutButton.style.display = "block";
+      message.innerText = data.message;
+      message.classList.remove("hide");
+      hidePopup();
+    }
+  });
+
+  forgotForm?.addEventListener("submit", async (e) => {
+    e.preventDefault();
+    const email = forgotForm.email.value;
+    const res = await fetch("/forgot_password", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email }),
+    });
+    const data = await res.json();
+    forgotInfo.innerHTML = data.message;
+  });
+
+  // Handle reset code in URL
+  const params = new URLSearchParams(window.location.search);
+  const resetCode = params.get("reset_code");
+
+  if (resetCode) {
+    const res = await fetch("/pass_reset?", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ code: resetCode }),
+    });
+
+    if (res.status === 200) {
+      showPopup(resetPassSection);
+
+      resetForm?.addEventListener("submit", async (e) => {
+        e.preventDefault();
+        const pass = resetForm.pass.value;
+        const passConfirm = resetForm.pass_confirm.value;
+
+        if (pass !== passConfirm) {
+          resetInfo.innerText = "Passwords do not match";
+          return;
+        }
+
+        const res = await fetch(`/reset_password/${resetCode}`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ pass }),
+        });
+        const data = await res.json();
+        resetInfo.innerText = data.message;
+      });
+    } else {
+      window.location.href = "/";
+    }
+  }
+};

public/src/js/game_renderer.js

@@ -39,7 +39,7 @@ export default class GameRenderer {
     /** @type {HTMLCanvasElement} */
     this.canvas = document.getElementById(CANVAS_ID);
     this.canvas.width = window.innerWidth;
-    this.canvas.height = window.innerHeight;
+    this.canvas.height = window.innerHeight - 90;
     /** @type {CanvasRenderingContext2D} */
     this.ctx = this.canvas.getContext("2d");
     this.ctx.imageSmoothingEnabled = false;

public/src/js/ui_renderer.js

@@ -83,7 +83,7 @@ export default class UIRenderer extends GameRenderer {
    */
   resize() {
     this.canvas.width = window.innerWidth;
-    this.canvas.height = window.innerHeight;
+    this.canvas.height = window.innerHeight - 90;
     this.ctx.imageSmoothingEnabled = false;
   }
   /**

schema.sql

@@ -1,6 +1,6 @@
 CREATE TABLE IF NOT EXISTS Players (
-  email TEXT PRIMARY KEY,
-  username TEXT UNIQUE,
+  username TEXT PRIMARY KEY,
+  email TEXT UNIQUE,
   digest BLOB,
   data BLOB,
   activation_code TEXT,
@@ -13,5 +13,5 @@ CREATE TABLE IF NOT EXISTS SignedInUsers (
   player TEXT,
   created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
   last_used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-  FOREIGN KEY (player) REFERENCES Players (email) ON DELETE CASCADE
+  FOREIGN KEY (player) REFERENCES Players (username) ON DELETE CASCADE
 );

session.rb

@@ -1,62 +1,152 @@
-require "base64"
-require "zlib"
-require "json"
+# class Sessions
+class Sessions
+  def initialize(request, response)
+    @request = request
+    @response = response
+  end
 
-def set_session(request, response, key, val, uid = nil)
-  session = request.cookies["session"]
+  def signed_in?
+    $active_users[self["user"]]
+  end
+
+  def logout
+    uid = self["user"]
+    $active_users.delete(uid)
+    delete("user")
+    DB["delete from SignedInUsers where code = ?", uid].delete
+    true
+  rescue Sequel::Error => e
+    Logman.log "DB Error: #{e.message}"
+    false
+  end
+
+  def login(username, pass)
+    Logman.log "Logging in: #{username} & #{pass} #{ENV_HASH["SALT"]}"
+    player = Players.authorized?(username, pass)
+    if player
+      code = Array.new(24) { ALPHANUM.sample }.join
+      self["user"] = code
+      $active_users[code] = username
+      begin
+        DB["insert into SignedInUsers (code, player) values (?, ?)", code, username].insert
+      rescue Sequel::Error => e
+        Logman.log "DB Error: #{e.message}"
+        return [500, "Internal server error when signing you in!"]
+      end
+      return [200, "Remember to verify your email!"] unless Players.verified?(username)
+      [200, "Signed in successfully!"]
+    else
+      [200, "Couldn't sign you in (Username or password incorrect)!"]
+    end
+  end
+
+  # TODO: Use .all here
+  def []=(key, val)
+    session = @request.cookies["session"]
     session = session.nil? ? "{}" : Zlib::Inflate.inflate(Base64.decode64(session))
     session = JSON.parse(session)
     session[key] = val
+    Logman.log "Updated: #{key} to #{val}"
     compressed = Zlib::Deflate.deflate(JSON.generate(session))
     encoded = Base64.encode64(compressed)
-  response.set_cookie("session",
+    @response.set_cookie("session",
                          value: encoded,
                          path: "/",
-                      expires: Time.now + 360 * 24 * 60 * 60)
-  begin
+                         expires: Time.now + 360 * 24 * 60 * 60,
+                         httponly: true,
+                         secure: ENV_HASH["ENV"] == "prod",
+                         samesite: :strict)
+    uid = session["user"]
     DB["UPDATE SignedInUsers SET last_used_at = CURRENT_TIMESTAMP WHERE code = ?", uid].update if uid
-  rescue Sequel::Error => e
-    File.write("log/main.log", "DB Error: #{e.message} when updating last_used_at for #{uid}\n", mode: "a")
-  end
   rescue JSON::ParserError, Zlib::Error
-  response.delete_cookie("session")
+    @response.delete_cookie("session")
+  rescue Sequel::Error => e
+    Logman.log "DB Error: #{e.message} when updating last_used_at for #{uid}"
   end
 
-def get_session(request, response, key, uid = nil)
-  session = request.cookies["session"]
+  def [](key)
+    session = @request.cookies["session"]
     session = session.nil? ? "{}" : Zlib::Inflate.inflate(Base64.decode64(session))
     session = JSON.parse(session)
     begin
+      uid = session["user"]
       DB["UPDATE SignedInUsers SET last_used_at = CURRENT_TIMESTAMP WHERE code = ?", uid].update if uid
     rescue Sequel::Error => e
-    File.write("log/main.log", "DB Error: #{e.message} when updating last_used_at for #{uid}\n", mode: "a")
+      Logman.log "DB Error: #{e.message} when updating last_used_at for #{uid}"
     end
     session[key]
   rescue JSON::ParserError, Zlib::Error
-  response.delete_cookie("session")
+    @response.delete_cookie("session")
     ""
   end
 
-def get_session_all(request, response)
-  session = request.cookies["session"]
+  def message=(val)
+    @response.set_cookie("message",
+                         value: val,
+                         path: "/",
+                         expires: Time.now + 360 * 24 * 60 * 60,
+                         secure: ENV_HASH["ENV"] == "prod",
+                         samesite: :strict)
+  end
+
+  def message
+    @request.cookies["message"]
+  end
+
+  def csrf_auth?
+    @request.env["HTTP_X_CSRF_TOKEN"] == self["csrf_token"]
+  end
+
+  def all
+    session = @request.cookies["session"]
     session = session.nil? ? "{}" : Zlib::Inflate.inflate(Base64.decode64(session))
     JSON.parse(session)
   rescue JSON::ParserError, Zlib::Error
-  response.delete_cookie("session")
-  ""
+    @response.delete_cookie("session")
+    {}
   end
 
-def rm_session(request, response, key)
-  session = request.cookies["session"]
+  def delete(key)
+    session = @request.cookies["session"]
     session = session.nil? ? "{}" : Zlib::Inflate.inflate(Base64.decode64(session))
     session = JSON.parse(session)
     session.delete(key)
+    Logman.log "Deleted: #{key}"
+    Logman.log session.inspect
     compressed = Zlib::Deflate.deflate(JSON.generate(session))
     encoded = Base64.encode64(compressed)
-  response.set_cookie("session",
+    @response.set_cookie("session",
                          value: encoded,
                          path: "/",
-                      expires: Time.now + 360 * 24 * 60 * 60)
+                         expires: Time.now + 360 * 24 * 60 * 60,
+                         httponly: true,
+                         secure: ENV_HASH["ENV"] == "prod",
+                         samesite: :strict)
   rescue JSON::ParserError, Zlib::Error
-  response.delete_cookie("session")
+    @response.delete_cookie("session")
+  end
+
+  Thread.new do
+    loop do
+      now = Time.now
+      fifteen_days_ago = now - (60 * 60 * 24 * 15)
+      six_days_ago = now - (60 * 60 * 24 * 6)
+      old_sessions = (DB[:SignedInUsers].where { created_at < fifteen_days_ago }.all +
+                      DB[:SignedInUsers].where { last_used_at < six_days_ago }.all).uniq { |s| s[:code] }
+      old_sessions.each do |session|
+        begin
+          DB[:SignedInUsers].where(code: session[:code]).delete
+        rescue StandardError => e
+          Logman.log "Thread DB error: #{e.message} on #{session[:code]} for #{session[:player]}"
+        end
+        $active_users.delete(session[:code])
+        puts "Auto-logged out: #{session[:player]} (expired session)"
+      end
+    rescue StandardError => e
+      Logman.log "Thread error: #{e.message}"
+    ensure
+      sleep 60 * 60 * 24
+      Logman.log "Thread sleeping"
+    end
+  end
 end