Conversation
Ports lucia v2's scrypt-based hash/verify and random string generation so existing password hashes stay valid without a data migration, ahead of removing the lucia dependency itself. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Reimplements lucia v2's session create/validate/invalidate semantics (24h active + 14d idle window, idle-triggered renewal without id rotation, idempotent delete) directly against Prisma, continuing the lucia dependency removal alongside the password hashing utilities. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Adds createAuthRequest as a lucia-free replacement for auth.handleRequest(event), backed by the new session service (validateSession) and session cookie constants. Wires it into hooks.server.ts and retypes app.d.ts's Locals.auth accordingly. The lucia import in auth.ts is still present pending full removal. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…sion/credentials Replaces lucia's createUser/createSession/useKey/invalidateSession calls in the login, signup, and logout routes with the new credentials service (registerUser/authenticateUser) and session service (createSession/invalidateSession) added in prior commits. Drops @lucia-auth/adapter-prisma and lucia from package.json/lockfile, removes the lucia auth() export, and cleans up now-stale lucia references in schema.prisma, database.ts, app.d.ts, and auth.md. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Updates stale "Lucia" wording in e2e comments, drops the removed @lucia-auth/adapter-prisma package from vite's test.deps.exclude, and aligns seed.ts's key id casing with credentials.ts's buildKeyId (toLowerCase, not toLocaleLowerCase). Adds the lucia removal plan doc. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
validateSession's renewal update could race with a concurrent logout deleting the same row between findUnique and update, surfacing an unhandled P2025 as a 500. Treat that case as an expired/gone session instead. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…nd remaining tasks Checks off all Phase 1-5 tasks and appends the mandatory refactor-cycle notes: novel lessons (lucia v2 idle renewal doesn't reissue the cookie, vendored-source verification via npm pack, brace-expansion pitfall in grep --include, rules doc duplication) and remaining low-priority tasks (cookie sliding expiry, timing-safe username enumeration, a doc typo). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Promotes a novel lesson from the remove-lucia-v2 refactor cycle (docs/dev-notes/2026-07-05/remove-lucia-v2/plan.md): grep --include with brace expansion silently matches nothing, and repo-wide sweeps must cover root files, e2e/, and config, not just src/prisma/.claude. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Migration is complete and its novel lessons already folded into .claude/rules/coding-style.md (08bbc3f). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
📝 WalkthroughWalkthroughLucia依存を削除し、セッション管理、パスワードハッシュ、資格情報認証を自前実装へ移行しました。認証ルート、サーバーフック、型定義、シード処理、関連ドキュメントと設定も更新されています。 Changes自前認証基盤
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant LoginRoute
participant Credentials
participant Session
participant AuthRequest
LoginRoute->>Credentials: authenticateUser(username, password)
Credentials-->>LoginRoute: userId または null
LoginRoute->>Session: createSession(userId)
Session-->>LoginRoute: SessionCookieData
LoginRoute->>AuthRequest: setSession(session)
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/routes/(auth)/signup/+page.server.ts (1)
40-56: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy liftユーザー登録と初期セッション発行を一貫した結果にしてください。
registerUser成功後にcreateSessionが失敗すると、ユーザーと資格情報だけが永続化されます。画面上は登録失敗になりますが、再試行は「使用済みユーザー名」となります。同一トランザクションで登録とセッションを作成するか、登録成功後のセッション障害を「登録成功・ログイン失敗」として扱ってください。
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/routes/`(auth)/signup/+page.server.ts around lines 40 - 56, Update the signup flow around registerUser and createSession so a successful user registration cannot be reported as a generic registration failure when session creation fails. Use a single transaction for registration and session creation, or explicitly handle post-registration session failures as registration success with login failure, preserving the duplicate-username handling for registerUser returning null.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@prisma/seed.ts`:
- Around line 132-137: Rename the local variable hashed_password to
hashedPassword in the seed flow, including its declaration and references in
keyFactory.create. Preserve the database field name hashed_password unchanged.
In `@src/features/auth/services/credentials.ts`:
- Around line 43-51: Update the credential verification flow in
src/features/auth/services/credentials.ts lines 43-51 so missing keys or null
hashed_password values still call verifyPassword with a fixed dummy hash before
returning null. Update the corresponding expectations in
src/features/auth/services/credentials.test.ts lines 128-144 to assert that the
dummy hash is verified instead of expecting no verification.
In `@src/lib/server/auth.test.ts`:
- Around line 74-99: Add a test in the validate session tests covering an
idle-extension response from validateSession(). Configure the mock to return the
existing session ID with a later idlePeriodExpiresAt, call auth.validate(), and
verify event.cookies.set updates the same SESSION_COOKIE_NAME and session ID
with the refreshed expires value and existing cookie attributes.
In `@src/lib/server/session.test.ts`:
- Around line 127-150: Update the idle-session tests around validateSession to
assert that the returned authentication result includes the refreshed
idlePeriodExpiresAt after extending the session. Verify the expected expiration
value alongside the existing database update assertions, while preserving the
current same-ID and boundary-case behavior.
In `@src/lib/server/session.ts`:
- Around line 54-64:
アイドル延長時の新しい有効期限をセッション検証結果からCookie設定まで渡してください。src/lib/server/session.ts:54-64 の
validateSession() は更新後の idle_expires を返し、src/lib/server/auth.ts:51-55 の
validate() は成功時にその期限を使って cookies.set
を再実行してください。src/lib/server/session.test.ts:127-150
では延長期限の返却を、src/lib/server/auth.test.ts:74-99 では延長後 expires での cookies.set
を検証してください。
- Around line 49-52: Update validateSession in src/lib/server/session.ts to
delete the expired session record when now exceeds session.idle_expires before
returning null, using the existing session storage mechanism. Update
src/lib/server/session.test.ts lines 171-180 to assert that expired-session
validation removes the session instead of preserving it.
---
Outside diff comments:
In `@src/routes/`(auth)/signup/+page.server.ts:
- Around line 40-56: Update the signup flow around registerUser and
createSession so a successful user registration cannot be reported as a generic
registration failure when session creation fails. Use a single transaction for
registration and session creation, or explicitly handle post-registration
session failures as registration success with login failure, preserving the
duplicate-username handling for registerUser returning null.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: b07aade6-2b09-445d-841f-b1baa44c6180
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml,!pnpm-lock.yaml
📒 Files selected for processing (28)
.claude/rules/auth.md.claude/rules/coding-style.mdCONTRIBUTING.mde2e/problems_cache.spec.tspackage.jsonprisma/schema.prismaprisma/seed.tssrc/app.d.tssrc/features/account/services/atcoder_verification.test.tssrc/features/auth/services/credentials.test.tssrc/features/auth/services/credentials.tssrc/hooks.server.tssrc/lib/server/auth.test.tssrc/lib/server/auth.tssrc/lib/server/database.tssrc/lib/server/password.test.tssrc/lib/server/password.tssrc/lib/server/random.test.tssrc/lib/server/random.tssrc/lib/server/session.test.tssrc/lib/server/session.tssrc/routes/(auth)/login/+page.server.tssrc/routes/(auth)/logout/+page.server.tssrc/routes/(auth)/signup/+page.server.tssrc/routes/+layout.server.tssrc/routes/+page.server.tssrc/routes/+page.sveltevite.config.ts
💤 Files with no reviewable changes (5)
- src/routes/+page.svelte
- package.json
- src/routes/+layout.server.ts
- src/routes/+page.server.ts
- src/lib/server/database.ts
close #3855
Summary by CodeRabbit