Allow login with plaintext passcodes and auto-rehash to bcrypt

[TheOneWhoBurns]

Summary by CodeRabbit

• Chores
  • Implemented automatic passcode security upgrade during login. The system now detects and rehashes insecure passcodes in the background after successful authentication across all login endpoints, ensuring improved data protection without disrupting the user login experience.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

A plaintext passcode rehashing feature is introduced to automatically upgrade plaintext credentials to hashed versions during authentication. A new rehashIfPlaintext() function detects and hashes plaintext passcodes, and it is integrated into four authentication routes to execute post-verification.

Changes

Cohort / File(s)	Summary
Core Hashing Logic src/lib/server/auth.ts	Added rehashIfPlaintext() function to detect plaintext passcodes and hash them with database updates. Extended verifyPasscode() to recognize plaintext matches and log warnings. Added imports for operators and guides schemas.
Route Integrations src/routes/api/admin/login/+server.ts, src/routes/api/guides/verify/+server.ts, src/routes/api/operators/verify/+server.ts, src/routes/api/shifts/start/+server.ts	Imported rehashIfPlaintext and invoked it after successful authentication/verification with non-blocking error handling to trigger passcode rehashing.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Route as Route Handler
    participant Auth as Auth Module
    participant DB as Database

    Client->>Route: Send credentials
    Route->>Auth: verifyPasscode(stored, provided)
    Auth->>Auth: Check if plaintext match
    Auth-->>Route: Return true (match found)
    Route->>Route: Clear rate limit
    Route->>Auth: rehashIfPlaintext(table, id, passcode)
    Auth->>Auth: Hash plaintext passcode
    Auth->>DB: Update operators/guides table
    DB-->>Auth: Confirmation
    Auth-->>Route: Complete
    Route-->>Client: Authentication success

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Hash passcodes with bcrypt #21: Introduced bcrypt-based async hashing and plaintext fallback in verifyPasscode, which the current PR extends by adding automatic rehashing of plaintext passcodes.
• Security hardening: auth, rate limiting, input validation, and transactions #28: Modified verifyPasscode rejection logic for unhashed plaintext; this PR directly depends on and complements that verification flow with the rehashing capability.
• Move rate limiting to PostgreSQL, HMAC-sign operator cookie #37: Changed passcode hashing and verification logic; this PR builds upon those helpers by adding plaintext detection and the new rehashIfPlaintext export for automatic migration.

Poem

🐰 Hops through the passcode, no longer plain,
From plaintext shadows to crypto's domain!
Each login rehashes, no second refrain,
Security's garden grows greener again. 🌱

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch claude/fix-login-session-issue-gs3nR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}