feat(auth): rename session cookie to nanodrop_session

Flips SESSION_COOKIE_NAME from 'token' to 'nanodrop_session' per the family per-app naming convention (<app>_session). fastify-jwt's cookieName in server.ts is now sourced from the constant so a future rename only needs to touch constants.ts. Hard-cut migration with no dual-cookie shim: the existing 'token' cookie has no Max-Age so it dies on browser close anyway, and this is a single-user deployment per CLAUDE.md. Users re-log in once after deploy. Test files updated mechanically: cookies: { token } → cookies: { nanodrop_session: token } (variable name 'token' kept locally), clearCookie regex updated, login response now also asserts Max-Age=2592000 from the family TTL.
2026-05-09 10:12:25 -07:00
parent 86870db726
commit 623a3374cf
7 changed files with 31 additions and 30 deletions
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -4,7 +4,5 @@
 export const SESSION_TTL_DAYS = 30;
 export const SESSION_TTL_SECONDS = SESSION_TTL_DAYS * 24 * 60 * 60;
 export const SESSION_RENEW_THRESHOLD_SECONDS = 60 * 60;
-// Phase 1: keep cookie name as 'token' so existing tests stay green.
+export const SESSION_COOKIE_NAME = 'nanodrop_session';
 // Phase 2 flips this to 'nanodrop_session'.
 export const SESSION_COOKIE_NAME = 'token';
 export const LOGOUT_PATHS = new Set<string>(['/logout', '/api/v1/auth/logout']);
--- a/src/server.ts
+++ b/src/server.ts
@@ -9,6 +9,7 @@ import { join } from 'path';
 import { fileURLToPath } from 'url';
 import type Database from 'better-sqlite3';
 import type { Config } from './config.ts';
 import { SESSION_COOKIE_NAME } from './constants.ts';
 import { createLogger } from './middleware/logging.ts';
 import { createLockoutService } from './services/lockout.ts';
 import { authApiRoutes } from './routes/api/v1/auth.ts';
@@ -30,7 +31,7 @@ export function createServer({ config, db }: ServerDeps) {
  app.register(fastifyCookie);
  app.register(fastifyJwt, {
    secret: config.jwtSecret,
-    cookie: { cookieName: 'token', signed: false },
+    cookie: { cookieName: SESSION_COOKIE_NAME, signed: false },
  });
  app.register(fastifyFormbody);
  app.register(fastifyMultipart, { limits: { fileSize: config.maxFileSize } });
--- a/tests/helpers/setup.ts
+++ b/tests/helpers/setup.ts
@@ -3,6 +3,7 @@ import { tmpdir } from 'os';
 import { join } from 'path';
 import { initDb } from '../../src/db/schema.ts';
 import { createServer } from '../../src/server.ts';
 import { SESSION_COOKIE_NAME } from '../../src/constants.ts';
 import type { Config } from '../../src/config.ts';
 import type Database from 'better-sqlite3';
 import type { FastifyInstance } from 'fastify';
@@ -15,7 +16,7 @@ export async function loginAs(app: FastifyInstance, username: string, password:
    body: JSON.stringify({ username, password }),
  });
  const cookie = res.headers['set-cookie'] as string;
-  return cookie.split(';')[0].replace('token=', '');
+  return cookie.split(';')[0].replace(`${SESSION_COOKIE_NAME}=`, '');
 }
 interface MultipartFile {
--- a/tests/integration/auth-api.test.ts
+++ b/tests/integration/auth-api.test.ts
@@ -26,7 +26,8 @@ describe('POST /api/v1/auth/login', () => {
    });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual({ ok: true });
-    expect(res.headers['set-cookie']).toMatch(/token=/);
+    expect(res.headers['set-cookie']).toMatch(/nanodrop_session=/);
    expect(res.headers['set-cookie']).toMatch(/Max-Age=2592000/);
  });
  it('returns 401 on wrong password', async () => {
@@ -76,7 +77,7 @@ describe('POST /api/v1/auth/logout', () => {
      body: JSON.stringify({ username: 'alice', password: 'secret' }),
    });
    const cookie = res.headers['set-cookie'] as string;
-    token = cookie.split(';')[0].replace('token=', '');
+    token = cookie.split(';')[0].replace('nanodrop_session=', '');
  });
  afterEach(async () => {
@@ -88,10 +89,10 @@ describe('POST /api/v1/auth/logout', () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/logout',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
    });
    expect(res.statusCode).toBe(200);
-    expect(res.headers['set-cookie']).toMatch(/token=;/);
+    expect(res.headers['set-cookie']).toMatch(/nanodrop_session=;/);
  });
  it('returns 401 without cookie', async () => {
--- a/tests/integration/auth-rate-limit.test.ts
+++ b/tests/integration/auth-rate-limit.test.ts
@@ -56,14 +56,14 @@ describe('per-IP rate limit on login routes', () => {
      body: JSON.stringify({ username: 'alice', password: 'correct-pw' }),
    });
    expect(loginRes.statusCode).toBe(200);
-    const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('token=', '');
+    const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('nanodrop_session=', '');
    // Now hit /upload (GET) repeatedly past the login-route limit threshold
    for (let i = 0; i < 6; i++) {
      const r = await ctx.app.inject({
        method: 'GET',
        url: '/upload',
-        cookies: { token: cookie },
+        cookies: { nanodrop_session: cookie },
      });
      expect(r.statusCode).toBe(200);
    }
--- a/tests/integration/files-api.test.ts
+++ b/tests/integration/files-api.test.ts
@@ -23,7 +23,7 @@ describe('GET /api/v1/files', () => {
    const res = await ctx.app.inject({
      method: 'GET',
      url: '/api/v1/files',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
    });
    expect(res.statusCode).toBe(200);
    expect(res.json().files).toEqual([]);
@@ -55,7 +55,7 @@ describe('POST /api/v1/files', () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/files',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'test.txt', contentType: 'text/plain', data: Buffer.from('hello') } }),
    });
    expect(res.statusCode).toBe(201);
@@ -84,7 +84,7 @@ describe('DELETE /api/v1/files/:id', () => {
    const uploadRes = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/files',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'f.txt', contentType: 'text/plain', data: Buffer.from('data') } }),
    });
    fileId = uploadRes.json().file.id;
@@ -99,7 +99,7 @@ describe('DELETE /api/v1/files/:id', () => {
    const res = await ctx.app.inject({
      method: 'DELETE',
      url: `/api/v1/files/${fileId}`,
-      cookies: { token },
+      cookies: { nanodrop_session: token },
    });
    expect(res.statusCode).toBe(200);
  });
@@ -108,7 +108,7 @@ describe('DELETE /api/v1/files/:id', () => {
    const res = await ctx.app.inject({
      method: 'DELETE',
      url: '/api/v1/files/doesnotexist',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
    });
    expect(res.statusCode).toBe(404);
  });
--- a/tests/integration/pages.test.ts
+++ b/tests/integration/pages.test.ts
@@ -25,7 +25,7 @@ describe('GET /', () => {
  it('redirects to /upload when authenticated', async () => {
    const token = await loginAs(ctx.app, 'alice', 'secret');
-    const res = await ctx.app.inject({ method: 'GET', url: '/', cookies: { token } });
+    const res = await ctx.app.inject({ method: 'GET', url: '/', cookies: { nanodrop_session: token } });
    expect(res.statusCode).toBe(302);
    expect(res.headers['location']).toBe('/upload');
  });
@@ -46,7 +46,7 @@ describe('POST /login (page)', () => {
    });
    expect(res.statusCode).toBe(302);
    expect(res.headers['location']).toBe('/upload');
-    expect(res.headers['set-cookie']).toMatch(/token=/);
+    expect(res.headers['set-cookie']).toMatch(/nanodrop_session=/);
  });
  it('shows login page with error on invalid credentials', async () => {
@@ -72,7 +72,7 @@ describe('GET /upload + POST /upload', () => {
  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
  it('shows upload form', async () => {
-    const res = await ctx.app.inject({ method: 'GET', url: '/upload', cookies: { token } });
+    const res = await ctx.app.inject({ method: 'GET', url: '/upload', cookies: { nanodrop_session: token } });
    expect(res.statusCode).toBe(200);
    expect(res.body).toContain('Upload');
  });
@@ -87,7 +87,7 @@ describe('GET /upload + POST /upload', () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'doc.txt', contentType: 'text/plain', data: Buffer.from('content') } }),
    });
    expect(res.statusCode).toBe(200);
@@ -106,7 +106,7 @@ describe('GET /f/:id and GET /f/:id/raw', () => {
    const uploadRes = await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'hello.txt', contentType: 'text/plain', data: Buffer.from('hello!') } }),
    });
    // Extract file id from response body
@@ -188,7 +188,7 @@ describe('GET /f/:id — image inline', () => {
    const uploadRes = await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'photo.png', contentType: 'image/png', data: Buffer.from('fakepng') } }),
    });
    const match = uploadRes.body.match(/\/f\/([^/"]+)/);
@@ -213,14 +213,14 @@ describe('GET /files — copy link', () => {
    await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'test.txt', contentType: 'text/plain', data: Buffer.from('hi') } }),
    });
  });
  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
  it('shows Copy link button for each file', async () => {
-    const res = await ctx.app.inject({ method: 'GET', url: '/files', cookies: { token } });
+    const res = await ctx.app.inject({ method: 'GET', url: '/files', cookies: { nanodrop_session: token } });
    expect(res.statusCode).toBe(200);
    expect(res.body).toContain('Copy link');
    expect(res.body).toContain('class="table-wrap"');
@@ -245,7 +245,7 @@ describe('GET /f/:id — owner-aware header', () => {
    const uploadRes = await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token: aliceToken },
+      cookies: { nanodrop_session: aliceToken },
      ...buildMultipart({ file: { filename: 'owned.txt', contentType: 'text/plain', data: Buffer.from('data') } }),
    });
    const match = uploadRes.body.match(/\/f\/([^/"]+)/);
@@ -254,19 +254,19 @@ describe('GET /f/:id — owner-aware header', () => {
  afterEach(async () => { await ctx.app.close(); ctx.cleanup(); });
  it('shows nav when owner views their file', async () => {
-    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { token: aliceToken } });
+    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: aliceToken } });
    expect(res.statusCode).toBe(200);
    expect(res.body).toContain('My Files');
  });
  it('shows delete button when owner views', async () => {
-    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { token: aliceToken } });
+    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: aliceToken } });
    expect(res.statusCode).toBe(200);
    expect(res.body).toContain('delete');
  });
  it('no header when non-owner views', async () => {
-    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { token: bobToken } });
+    const res = await ctx.app.inject({ method: 'GET', url: `/f/${fileId}`, cookies: { nanodrop_session: bobToken } });
    expect(res.statusCode).toBe(200);
    expect(res.body).not.toContain('<header');
  });
@@ -289,7 +289,7 @@ describe('POST /files/:id/delete', () => {
    const uploadRes = await ctx.app.inject({
      method: 'POST',
      url: '/upload',
-      cookies: { token },
+      cookies: { nanodrop_session: token },
      ...buildMultipart({ file: { filename: 'del.txt', contentType: 'text/plain', data: Buffer.from('bye') } }),
    });
    const match = uploadRes.body.match(/\/f\/([^/"]+)/);
@@ -301,7 +301,7 @@ describe('POST /files/:id/delete', () => {
    const res = await ctx.app.inject({
      method: 'POST',
      url: `/files/${fileId}/delete`,
-      cookies: { token },
+      cookies: { nanodrop_session: token },
    });
    expect(res.statusCode).toBe(302);
    expect(res.headers['location']).toBe('/files');