security checkpoint

Author: ankushKun

frontend/src/bundle.js

@@ -83,7 +83,7 @@
             this.container = container;
             this.config = config;
             this.iframe = null;
-            this.csrfToken = this.generateCsrfToken();
+            this.csrfToken = null;  // Will be set by server in init()
             this.state = {
                 loading: true,
                 error: null,
@@ -141,6 +141,9 @@
                 // Store the signed origin token - will be passed to iframe and used in API calls
                 this.originToken = initData.token;
 
+                // Store the CSRF token from server (cryptographically signed, origin-specific)
+                this.csrfToken = initData.csrfToken || this.generateCsrfToken(); // Fallback for older servers
+
             } catch (e) {
                 console.error('[CommentKit] Failed to initialize:', e);
                 this.state.error = 'Failed to connect to CommentKit. Please try again later.';
@@ -1601,7 +1604,7 @@
                         </div>
                         <div class="ck-form-group">
                             <label for="ck-email">Email (optional)</label>
-                            <input type="email" id="ck-email" name="email" placeholder="your@email.com">
+                            <input type="email" id="ck-email" name="email" placeholder="your@email.com" pattern="[^\\s@]+@[^\\s@]+\\.[^\\s@]+" title="Please enter a valid email address (e.g., user@example.com)">
                         </div>
                     </div>
                     <div class="ck-form-group">
@@ -1620,7 +1623,7 @@
                 <form id="ck-login-form">
                     <div class="ck-form-group">
                         <label for="ck-login-email">Email address</label>
-                        <input type="email" id="ck-login-email" name="email" required placeholder="your@email.com">
+                        <input type="email" id="ck-login-email" name="email" required placeholder="your@email.com" pattern="[^\\s@]+@[^\\s@]+\\.[^\\s@]+" title="Please enter a valid email address (e.g., user@example.com)">
                     </div>
                     <p style="font-size: 0.85rem; color: #6b7280; margin-bottom: 12px;">
                         We'll send you a magic link to sign in. No password needed.
@@ -1729,7 +1732,7 @@
                                 </div>
                                 <div class="ck-form-group">
                                     <label>Email (optional)</label>
-                                    <input type="email" name="email" placeholder="your@email.com">
+                                    <input type="email" name="email" placeholder="your@email.com" pattern="[^\\s@]+@[^\\s@]+\\.[^\\s@]+" title="Please enter a valid email address (e.g., user@example.com)">
                                 </div>
                             </div>
                             <div class="ck-form-group">
@@ -1752,15 +1755,24 @@
             if (form) {
                 form.addEventListener('submit', (e) => {
                     e.preventDefault();
+
+                    // Use native HTML5 form validation
+                    if (!form.checkValidity()) {
+                        form.reportValidity();
+                        return;
+                    }
+
                     const formData = new FormData(form);
+                    const email = formData.get('email');
+
                     const commentData = {
                         content: formData.get('content'),
                         parent_id: null, // Top-level comments have no parent
                     };
                     // Include guest fields only if not authenticated
                     if (!this.state.user) {
                         commentData.author_name = formData.get('name');
-                        commentData.author_email = formData.get('email');
+                        commentData.author_email = email || undefined;
                     }
                     // Set scroll anchor to first visible comment
                     this.scrollAnchor = this.findFirstVisibleComment();
@@ -1868,12 +1880,21 @@
             if (loginForm) {
                 loginForm.addEventListener('submit', (e) => {
                     e.preventDefault();
+
+                    // Use native HTML5 form validation
+                    if (!loginForm.checkValidity()) {
+                        loginForm.reportValidity();
+                        return;
+                    }
+
                     const formData = new FormData(loginForm);
+                    const email = formData.get('email');
+
                     this.state.authLoading = true;
                     this.render();
                     this.sendToIframe({
                         action: 'login',
-                        email: formData.get('email'),
+                        email: email,
                         redirectUrl: window.location.href,  // Redirect back to this page after auth
                     });
                 });
@@ -2034,15 +2055,24 @@
             if (form) {
                 form.addEventListener('submit', (e) => {
                     e.preventDefault();
+
+                    // Use native HTML5 form validation
+                    if (!form.checkValidity()) {
+                        form.reportValidity();
+                        return;
+                    }
+
                     const formData = new FormData(form);
+                    const email = formData.get('email');
+
                     const commentData = {
                         content: formData.get('content'),
                         parent_id: parentId,
                     };
                     // Include guest fields only if not authenticated
                     if (!this.state.user) {
                         commentData.author_name = formData.get('name');
-                        commentData.author_email = formData.get('email');
+                        commentData.author_email = email || undefined;
                     }
                     // Set scroll anchor to the parent comment being replied to
                     this.scrollAnchor = parentId;
@@ -2284,12 +2314,21 @@
             if (loginForm) {
                 loginForm.addEventListener('submit', (e) => {
                     e.preventDefault();
+
+                    // Use native HTML5 form validation
+                    if (!loginForm.checkValidity()) {
+                        loginForm.reportValidity();
+                        return;
+                    }
+
                     const formData = new FormData(loginForm);
+                    const email = formData.get('email');
+
                     this.state.authLoading = true;
                     this.updateModalBody();
                     this.sendToIframe({
                         action: 'login',
-                        email: formData.get('email'),
+                        email: email,
                         redirectUrl: window.location.href,
                     });
                 });
@@ -2353,12 +2392,21 @@
                 if (loginForm) {
                     loginForm.addEventListener('submit', (e) => {
                         e.preventDefault();
+
+                        // Use native HTML5 form validation
+                        if (!loginForm.checkValidity()) {
+                            loginForm.reportValidity();
+                            return;
+                        }
+
                         const formData = new FormData(loginForm);
+                        const email = formData.get('email');
+
                         this.state.authLoading = true;
                         this.updateModalBody();
                         this.sendToIframe({
                             action: 'login',
-                            email: formData.get('email'),
+                            email: email,
                             redirectUrl: window.location.href,
                         });
                     });
@@ -2379,7 +2427,7 @@
                 <form id="ck-modal-login-form">
                     <div class="ck-form-group">
                         <label for="ck-modal-email">Email address</label>
-                        <input type="email" id="ck-modal-email" name="email" required placeholder="your@email.com" autocomplete="email">
+                        <input type="email" id="ck-modal-email" name="email" required placeholder="your@email.com" autocomplete="email" pattern="[^\\s@]+@[^\\s@]+\\.[^\\s@]+" title="Please enter a valid email address (e.g., user@example.com)">
                     </div>
                     <p style="font-size: 0.875rem; color: #6b7280; margin: 0 0 28px 0; line-height: 1.6;">
                         We'll send you a magic link to sign in. No password needed.

frontend/src/lib/api.ts

@@ -26,14 +26,12 @@ async function request<T>(
     path: string,
     options: RequestInit = {}
 ): Promise<ApiResponse<T>> {
-    const token = localStorage.getItem('auth_token');
-
     try {
         const res = await fetch(`${API_BASE}${path}`, {
             ...options,
+            credentials: 'include', // Include HttpOnly cookies for authentication
             headers: {
                 'Content-Type': 'application/json',
-                ...(token ? { Authorization: `Bearer ${token}` } : {}),
                 ...options.headers,
             },
         });

frontend/src/lib/auth-context.tsx

@@ -21,16 +21,11 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     const bootstrapRef = useRef<BootstrapData | null>(null);
 
     const checkAuth = async () => {
-        const token = localStorage.getItem('auth_token');
-        if (!token) {
-            setLoading(false);
-            return;
-        }
-
+        // No need to check localStorage - server will read HttpOnly cookie
         // Request with bootstrap=true to get user + dashboard data in single call
         const { data, error } = await auth.me({ bootstrap: true });
         if (error) {
-            localStorage.removeItem('auth_token');
+            // User not authenticated (no valid cookie)
             setUser(null);
         } else if (data) {
             // Store bootstrap data for consumption
@@ -51,10 +46,10 @@ export function AuthProvider({ children }: { children: ReactNode }) {
         const redirectUrl = params.get('redirect');
 
         if (token) {
-            // Verify and store token
+            // Verify token - server will set HttpOnly cookie in response
             auth.verify(token).then(({ data, error }) => {
                 if (data && !error) {
-                    localStorage.setItem('auth_token', data.token);
+                    // No need to store token - server sets HttpOnly cookie
                     setUser(data.user);
 
                     // Redirect to the original page if specified
@@ -82,8 +77,8 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     };
 
     const logout = async () => {
+        // Server will clear HttpOnly cookie
         await auth.logout();
-        localStorage.removeItem('auth_token');
         setUser(null);
         bootstrapRef.current = null;
     };

frontend/src/widget.html

@@ -111,7 +111,28 @@
 
                 // Check for HTTP errors even with JSON response
                 if (!response.ok) {
-                    throw new Error(data.error || data.message || `Request failed: ${response.status}`);
+                    // Handle error message properly - it might be an object (from Zod validation)
+                    let errorMessage = `Request failed: ${response.status}`;
+
+                    if (data.error) {
+                        if (typeof data.error === 'string') {
+                            errorMessage = data.error;
+                        } else if (typeof data.error === 'object') {
+                            // Zod validation errors or other structured errors
+                            if (data.error.issues && Array.isArray(data.error.issues)) {
+                                // Zod error format
+                                errorMessage = data.error.issues.map(issue => issue.message).join(', ');
+                            } else if (data.error.message) {
+                                errorMessage = data.error.message;
+                            } else {
+                                errorMessage = JSON.stringify(data.error);
+                            }
+                        }
+                    } else if (data.message && typeof data.message === 'string') {
+                        errorMessage = data.message;
+                    }
+
+                    throw new Error(errorMessage);
                 }
 
                 return data;
@@ -217,10 +238,22 @@
                                     email: message.email
                                 }, CONFIG.parentOrigin);
                             } catch (e) {
+                                // Ensure error message is always a string
+                                let errorMessage = 'Failed to send login email';
+                                if (e && typeof e === 'object') {
+                                    if (e.message && typeof e.message === 'string') {
+                                        errorMessage = e.message;
+                                    } else if (e.message && typeof e.message === 'object') {
+                                        errorMessage = JSON.stringify(e.message);
+                                    }
+                                } else if (typeof e === 'string') {
+                                    errorMessage = e;
+                                }
+
                                 window.parent.postMessage({
                                     type: 'commentkit',
                                     action: 'error',
-                                    message: e.message || 'Failed to send login email'
+                                    message: errorMessage
                                 }, CONFIG.parentOrigin);
                             }
                             break;
@@ -235,10 +268,18 @@
                                     sendAuthState();
                                 }
                             } catch (e) {
+                                // Ensure error message is always a string
+                                let errorMessage = 'Invalid or expired login link';
+                                if (e && typeof e === 'object' && e.message && typeof e.message === 'string') {
+                                    errorMessage = e.message;
+                                } else if (typeof e === 'string') {
+                                    errorMessage = e;
+                                }
+
                                 window.parent.postMessage({
                                     type: 'commentkit',
                                     action: 'error',
-                                    message: e.message || 'Invalid or expired login link'
+                                    message: errorMessage
                                 }, CONFIG.parentOrigin);
                             }
                             break;
@@ -303,10 +344,19 @@
                     }
                 } catch (error) {
                     console.error('[CommentKit Bridge] Error:', error);
+
+                    // Ensure error message is always a string
+                    let errorMessage = 'An error occurred';
+                    if (error && typeof error === 'object' && error.message && typeof error.message === 'string') {
+                        errorMessage = error.message;
+                    } else if (typeof error === 'string') {
+                        errorMessage = error;
+                    }
+
                     window.parent.postMessage({
                         type: 'commentkit',
                         action: 'error',
-                        message: error.message || 'An error occurred'
+                        message: errorMessage
                     }, CONFIG.parentOrigin);
                 }
             });