feat(login): accept account code / name / email / phone (William punch list #2) #142
Open
codegeek718 wants to merge 1 commit into
Summary
The signin form now accepts any of: account code (QID or short), username, full name, email, or phone. cgmembers PHP owns the matching rules via the new `/cgpay-lookup` endpoint; this PR wires the SvelteKit side to it.

What's in this PR
- `web/src/routes/api/login/+server.ts`: `phpLookup(identifier)` helper (POSTs to `/cgpay-lookup`), replaces the SQL `WHERE LOWER(name) = LOWER(?)` lookup with a uid returned from PHP -> then `SELECT ... WHERE uid = ?` for the password hash. Accepts new `identifier` body field, still reads legacy `name` for backwards compat. Error message changed from "Invalid username or password" to "Invalid account ID or password".
- `web/src/routes/login/+page.svelte`: `name` state to `identifier`, updates the form label to Account ID and placeholder to `account code, name, email, or phone`. Posts `{ identifier, password }` to the API.

Timing safety
The dummy-hash pattern is preserved: `checkPassword` always runs, either against the real user's `pass` (when the lookup finds them) or against `DUMMY_HASH` (when it doesn't). Response time stays constant regardless of whether the identifier matches.

Companion PR
cgmembers-frame #37 - the PHP `/cgpay-lookup` endpoint.
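
The dummy-hash flow described under "Timing safety", as an added sketch that is not code from this PR. Assumptions: scrypt with a `saltHex:hashHex` storage format, an in-memory `phpLookup` standing in for the POST to `/cgpay-lookup`, and constructed sample users; only the names `phpLookup`, `checkPassword`, `DUMMY_HASH`, `pass` and the error string come from the description.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumption: stored hashes are "saltHex:hashHex" scrypt strings. The PR's real
// format and its real checkPassword are not shown on the page.
function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  return `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`;
}

let checkPasswordCalls = 0; // lets a test confirm the hash ran on every path

function checkPassword(password: string, stored: string): boolean {
  checkPasswordCalls++;
  const [saltHex = "", hashHex = ""] = stored.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === actual.length && timingSafeEqual(actual, expected);
}

// Hash of a random secret, built once at startup with the same parameters as
// real hashes so verifying against it costs the same as a real verification.
const DUMMY_HASH = hashPassword(randomBytes(32).toString("hex"));

// Constructed sample data: in-memory stand-ins for /cgpay-lookup and the users table.
const UID_BY_IDENTIFIER = new Map<string, number>([["abc123", 1001], ["alice@example.org", 1001]]);
const PASS_BY_UID = new Map<number, string>([[1001, hashPassword("correct horse")]]);

function phpLookup(identifier: string): number | null {
  return UID_BY_IDENTIFIER.get(identifier) ?? null;
}

function login(identifier: string, password: string): { ok: boolean; error?: string } {
  const uid = phpLookup(identifier);
  const pass = uid === null ? undefined : PASS_BY_UID.get(uid);
  // No early return on a miss: the password check runs either way.
  const matches = checkPassword(password, pass ?? DUMMY_HASH);
  // A match against DUMMY_HASH must never count, hence the explicit pass check.
  if (pass === undefined || !matches) {
    return { ok: false, error: "Invalid account ID or password" };
  }
  return { ok: true };
}
```

The sketch equalises only the hashing cost between a hit and a miss; the time taken by the lookup step that precedes it is outside what it covers.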