Hash session passphrases with scrypt before DB storage#3

Draft
Copilot wants to merge 2 commits into fix/prod from copilot/sub-pr-1-again

Conversation

Copilot AI commented Mar 10, 2026

Session passphrases were stored in plaintext, exposing all credentials in a DB breach. All passphrase comparisons used !==, vulnerable to timing attacks.

Changes

  • lib/auth.ts (new): Passphrase hashing and verification utilities

    • hashPassphrase: scrypt (N=65536, r=8, p=1) with a random 16-byte salt, returns salt:hash hex string
    • verifyPassphrase: constant-time comparison via crypto.timingSafeEqual, validates component lengths before comparing
  • app/api/sessions/route.ts: Hash passphrase before DB insert

  • Verification endpoints — swap !== for verifyPassphrase():

    • app/api/sessions/[id]/rounds/route.ts
    • app/api/sessions/[id]/rounds/[roundId]/end/route.ts
    • app/api/sessions/[id]/shocks/route.ts

```ts
// Before
await sql`INSERT INTO sessions (id, passphrase, ...) VALUES (${id}, ${passphrase}, ...)`;
if (session[0].passphrase !== passphrase) return 401;

// After
const passphraseHash = await hashPassphrase(passphrase);
await sql`INSERT INTO sessions (id, passphrase, ...) VALUES (${id}, ${passphraseHash}, ...)`;
if (!(await verifyPassphrase(passphrase, session[0].passphrase))) return 401;
```

Uses only Node.js built-in crypto — no new dependencies.

vercel bot commented Mar 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| live-game | Error | Error | Mar 10, 2026 5:42am |

Co-authored-by: ghostleek <44336310+ghostleek@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on sessions API, DB lib and UI fixes Hash session passphrases with scrypt before DB storage Mar 10, 2026