Added password change and recovery

Author: wolpert

build.gradle.kts

@@ -24,7 +24,7 @@ application {
 }
 
 dependencies {
-    implementation("com.codeheadsystems:hofmann-dropwizard:1.3.0")
+    implementation("com.codeheadsystems:hofmann-dropwizard:1.3.1")
     implementation("io.dropwizard:dropwizard-core:5.0.1")
     implementation("io.dropwizard:dropwizard-auth:5.0.1")
     implementation("io.dropwizard:dropwizard-assets:5.0.1")

frontend/package-lock.json

@@ -8,7 +8,7 @@
     "build": "tsc --noEmit && vite build"
   },
   "dependencies": {
-    "@codeheadsystems/hofmann-typescript": "latest"
+    "@codeheadsystems/hofmann-typescript": "1.3.1"
   },
   "devDependencies": {
     "typescript": "^5.4.0",

frontend/package.json

@@ -5,26 +5,43 @@ type OnLoginSuccess = (token: string, username: string) => void;
 export function initAuthView(onLoginSuccess: OnLoginSuccess): void {
   const tabLogin    = document.getElementById('tab-login')!    as HTMLButtonElement;
   const tabRegister = document.getElementById('tab-register')! as HTMLButtonElement;
+  const tabRecover  = document.getElementById('tab-recover')!  as HTMLButtonElement;
   const form        = document.getElementById('auth-form')!    as HTMLFormElement;
+  const recoveryForm = document.getElementById('recovery-form')! as HTMLFormElement;
   const submitBtn   = document.getElementById('auth-submit')!  as HTMLButtonElement;
   const messageEl   = document.getElementById('auth-message')!;
 
   let mode: 'login' | 'register' = 'login';
 
+  function setActiveTab(tab: HTMLButtonElement) {
+    tabLogin.classList.remove('active');
+    tabRegister.classList.remove('active');
+    tabRecover.classList.remove('active');
+    tab.classList.add('active');
+    clearMessage();
+  }
+
   tabLogin.addEventListener('click', () => {
     mode = 'login';
-    tabLogin.classList.add('active');
-    tabRegister.classList.remove('active');
+    setActiveTab(tabLogin);
+    form.classList.remove('hidden');
+    recoveryForm.classList.add('hidden');
     submitBtn.textContent = 'Log In';
-    clearMessage();
   });
 
   tabRegister.addEventListener('click', () => {
     mode = 'register';
-    tabRegister.classList.add('active');
-    tabLogin.classList.remove('active');
+    setActiveTab(tabRegister);
+    form.classList.remove('hidden');
+    recoveryForm.classList.add('hidden');
     submitBtn.textContent = 'Register';
-    clearMessage();
+  });
+
+  tabRecover.addEventListener('click', () => {
+    setActiveTab(tabRecover);
+    form.classList.add('hidden');
+    recoveryForm.classList.remove('hidden');
+    resetRecoveryForm();
   });
 
   form.addEventListener('submit', async (e) => {
@@ -38,8 +55,6 @@ export function initAuthView(onLoginSuccess: OnLoginSuccess): void {
     submitBtn.textContent = mode === 'login' ? 'Logging in...' : 'Registering...';
 
     try {
-      // OpaqueHttpClient.create() fetches /api/opaque/config and configures
-      // the cipher suite and KSF parameters automatically.
       const client = await OpaqueHttpClient.create('/api');
 
       if (mode === 'register') {
@@ -58,6 +73,57 @@ export function initAuthView(onLoginSuccess: OnLoginSuccess): void {
     }
   });
 
+  // ── Recovery flow ──────────────────────────────────────────────────────────
+
+  let recoveryStep: 'start' | 'verify' = 'start';
+
+  function resetRecoveryForm() {
+    recoveryStep = 'start';
+    const codeField = document.getElementById('recovery-code-field')!;
+    const pwField = document.getElementById('recovery-password-field')!;
+    const submitBtn = document.getElementById('recovery-submit')! as HTMLButtonElement;
+    codeField.classList.add('hidden');
+    pwField.classList.add('hidden');
+    submitBtn.textContent = 'Send Recovery Code';
+    (document.getElementById('recovery-username') as HTMLInputElement).value = '';
+    (document.getElementById('recovery-code') as HTMLInputElement).value = '';
+    (document.getElementById('recovery-password') as HTMLInputElement).value = '';
+  }
+
+  recoveryForm.addEventListener('submit', async (e) => {
+    e.preventDefault();
+    clearMessage();
+
+    const username = (document.getElementById('recovery-username') as HTMLInputElement).value.trim();
+    const recoverSubmitBtn = document.getElementById('recovery-submit')! as HTMLButtonElement;
+    recoverSubmitBtn.disabled = true;
+
+    try {
+      const client = await OpaqueHttpClient.create('/api');
+
+      if (recoveryStep === 'start') {
+        await client.recoveryStart(username);
+        showMessage('Recovery code sent! Check the server console log for the code.', 'success');
+        recoveryStep = 'verify';
+        document.getElementById('recovery-code-field')!.classList.remove('hidden');
+        document.getElementById('recovery-password-field')!.classList.remove('hidden');
+        recoverSubmitBtn.textContent = 'Verify & Set New Password';
+        (document.getElementById('recovery-username') as HTMLInputElement).readOnly = true;
+      } else {
+        const code = (document.getElementById('recovery-code') as HTMLInputElement).value.trim();
+        const newPassword = (document.getElementById('recovery-password') as HTMLInputElement).value;
+        await client.recoverAndReRegister(username, code, newPassword);
+        showMessage('Account recovered! You can now log in with your new password.', 'success');
+        resetRecoveryForm();
+        tabLogin.click();
+      }
+    } catch (err: unknown) {
+      showMessage(err instanceof Error ? err.message : String(err), 'error');
+    } finally {
+      recoverSubmitBtn.disabled = false;
+    }
+  });
+
   function showMessage(msg: string, type: 'error' | 'success'): void {
     messageEl.textContent = msg;
     messageEl.className = `message ${type}`;

frontend/src/auth.ts

@@ -319,6 +319,7 @@ <h1>Notes</h1>
       <div class="tabs">
         <button id="tab-login" class="tab active">Log In</button>
         <button id="tab-register" class="tab">Register</button>
+        <button id="tab-recover" class="tab">Recover</button>
       </div>
       <div id="auth-message"></div>
       <form id="auth-form">
@@ -332,6 +333,22 @@ <h1>Notes</h1>
         </div>
         <button type="submit" id="auth-submit" class="btn-primary">Log In</button>
       </form>
+      <!-- Recovery form (hidden by default) -->
+      <form id="recovery-form" class="hidden">
+        <div class="field">
+          <label for="recovery-username">Username</label>
+          <input type="text" id="recovery-username" placeholder="you@example.com" required />
+        </div>
+        <div id="recovery-code-field" class="field hidden">
+          <label for="recovery-code">Recovery Code</label>
+          <input type="text" id="recovery-code" placeholder="6-digit code from server log" />
+        </div>
+        <div id="recovery-password-field" class="field hidden">
+          <label for="recovery-password">New Password</label>
+          <input type="password" id="recovery-password" />
+        </div>
+        <button type="submit" id="recovery-submit" class="btn-primary">Send Recovery Code</button>
+      </form>
     </div>
   </div>
 
@@ -345,6 +362,14 @@ <h1>Notes</h1>
       </div>
     </header>
     <main>
+      <section class="create-section">
+        <div class="section-label">Change Password</div>
+        <form id="change-password-form">
+          <input type="password" id="new-password" placeholder="New password" required style="margin-bottom: 10px" />
+          <div id="change-password-message" class="message hidden"></div>
+          <button type="submit" class="btn-primary">Change Password</button>
+        </form>
+      </section>
       <section class="create-section">
         <div class="section-label">New Note</div>
         <form id="create-form">

frontend/src/index.html

@@ -1,3 +1,5 @@
+import { OpaqueHttpClient } from '@codeheadsystems/hofmann-typescript';
+
 interface NoteResponse {
   id:        string;
   title:     string;
@@ -6,6 +8,8 @@ interface NoteResponse {
 }
 
 export function initNotesView(token: string, username: string, onLogout: () => void): void {
+  let currentToken = token;
+
   const loggedInUser = document.getElementById('logged-in-user')!;
   const logoutBtn    = document.getElementById('logout-btn')!    as HTMLButtonElement;
   const createForm   = document.getElementById('create-form')!   as HTMLFormElement;
@@ -20,6 +24,39 @@ export function initNotesView(token: string, username: string, onLogout: () => v
     onLogout();
   });
 
+  // ── Change Password ────────────────────────────────────────────────────────
+
+  const changePasswordForm = document.getElementById('change-password-form')! as HTMLFormElement;
+  const changePasswordMsg  = document.getElementById('change-password-message')!;
+
+  changePasswordForm.addEventListener('submit', async (e) => {
+    e.preventDefault();
+    changePasswordMsg.classList.add('hidden');
+
+    const newPasswordInput = document.getElementById('new-password') as HTMLInputElement;
+    const newPassword = newPasswordInput.value;
+    const submitBtn = changePasswordForm.querySelector('button[type="submit"]') as HTMLButtonElement;
+    submitBtn.disabled = true;
+    submitBtn.textContent = 'Changing...';
+
+    try {
+      const client = await OpaqueHttpClient.create('/api');
+      await client.changePassword(username, newPassword, currentToken);
+      // Re-authenticate with the new password to get a fresh token
+      const newToken = await client.authenticate(username, newPassword);
+      currentToken = newToken;
+      newPasswordInput.value = '';
+      changePasswordMsg.textContent = 'Password changed successfully!';
+      changePasswordMsg.className = 'message success';
+    } catch (err) {
+      changePasswordMsg.textContent = err instanceof Error ? err.message : String(err);
+      changePasswordMsg.className = 'message error';
+    } finally {
+      submitBtn.disabled = false;
+      submitBtn.textContent = 'Change Password';
+    }
+  });
+
   createForm.addEventListener('submit', async (e) => {
     e.preventDefault();
     createError.classList.add('hidden');
@@ -50,7 +87,7 @@ export function initNotesView(token: string, username: string, onLogout: () => v
 
   async function apiGet<T>(path: string): Promise<T> {
     const r = await fetch(path, {
-      headers: { 'Authorization': `Bearer ${token}` },
+      headers: { 'Authorization': `Bearer ${currentToken}` },
     });
     if (!r.ok) throw new Error(`${r.status} ${r.statusText}`);
     return r.json() as Promise<T>;
@@ -61,7 +98,7 @@ export function initNotesView(token: string, username: string, onLogout: () => v
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'Authorization': `Bearer ${token}`,
+        'Authorization': `Bearer ${currentToken}`,
       },
       body: JSON.stringify(body),
     });
@@ -72,7 +109,7 @@ export function initNotesView(token: string, username: string, onLogout: () => v
   async function apiDelete(path: string): Promise<void> {
     const r = await fetch(path, {
       method: 'DELETE',
-      headers: { 'Authorization': `Bearer ${token}` },
+      headers: { 'Authorization': `Bearer ${currentToken}` },
     });
     if (!r.ok) throw new Error(`${r.status} ${r.statusText}`);
   }

frontend/src/notes.ts

@@ -4,6 +4,7 @@
 import com.codeheadsystems.hofmann.example.dagger.AppComponent;
 import com.codeheadsystems.hofmann.example.dagger.AppModule;
 import com.codeheadsystems.hofmann.example.dagger.DaggerAppComponent;
+import com.codeheadsystems.hofmann.example.recovery.DemoRecoveryChallenger;
 import com.codeheadsystems.hofmann.example.store.MutableCredentialStoreHolder;
 import com.codeheadsystems.hofmann.example.store.SqlCredentialStore;
 import com.codeheadsystems.hofmann.server.store.InMemorySessionStore;
@@ -37,7 +38,8 @@ public void initialize(Bootstrap<ExampleConfiguration> bootstrap) {
     bootstrap.addBundle(new AssetsBundle("/frontend/", "/", "index.html", "frontend"));
     // Use the credential holder so the bundle wires up before the database is available,
     // but all actual credential access happens during request processing (after run()).
-    bootstrap.addBundle(new HofmannBundle<>(credentialStoreHolder, new InMemorySessionStore(), null));
+    bootstrap.addBundle(new HofmannBundle<>(credentialStoreHolder, new InMemorySessionStore(), null)
+        .withRecovery(new DemoRecoveryChallenger()));
   }
 
   @Override

src/main/java/com/codeheadsystems/hofmann/example/ExampleApplication.java

@@ -0,0 +1,43 @@
+package com.codeheadsystems.hofmann.example.recovery;
+
+import com.codeheadsystems.hofmann.server.recovery.RecoveryChallenger;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.SecureRandom;
+import java.util.concurrent.ConcurrentHashMap;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Demo recovery challenger that generates 6-digit codes and logs them to the console.
+ * In a real application, you would send these via email, SMS, or another out-of-band channel.
+ */
+public class DemoRecoveryChallenger implements RecoveryChallenger {
+
+  private static final Logger log = LoggerFactory.getLogger(DemoRecoveryChallenger.class);
+
+  private final SecureRandom random = new SecureRandom();
+  private final ConcurrentHashMap<String, String> pendingChallenges = new ConcurrentHashMap<>();
+
+  @Override
+  public void sendChallenge(byte[] credentialIdentifier) {
+    String code = String.format("%06d", random.nextInt(1_000_000));
+    String credId = new String(credentialIdentifier, StandardCharsets.UTF_8);
+    pendingChallenges.put(credId, code);
+    log.info("╔══════════════════════════════════════════╗");
+    log.info("║  RECOVERY CODE for {}: {}  ║", credId, code);
+    log.info("╚══════════════════════════════════════════╝");
+  }
+
+  @Override
+  public boolean verifyResponse(byte[] credentialIdentifier, String challengeResponse) {
+    String credId = new String(credentialIdentifier, StandardCharsets.UTF_8);
+    String expected = pendingChallenges.remove(credId);
+    if (expected == null) {
+      return false;
+    }
+    return MessageDigest.isEqual(
+        expected.getBytes(StandardCharsets.UTF_8),
+        challengeResponse.getBytes(StandardCharsets.UTF_8));
+  }
+}