session management, improved

client/chat.js

@@ -10,10 +10,12 @@ function rand() {
 }
 
 async function auth() {
+  let session = rand();
   const sig = await openpgp.sign({
-    message: new openpgp.CleartextMessage("vybe_auth " + rand(), ""),
+    message: new openpgp.CleartextMessage("vybe_auth " + session, ""),
     signingKeys: window.keys.priv,
   });
+  window.session = session;
   window.socket.emit("authenticate", { name: window.name, message: sig });
 }
 
@@ -122,6 +124,15 @@ window.onload = () => {
   });
   window.socket.on("authenticate", (msg) => {
     if (msg.success) swap();
+    let emitter = window.socket.emit;
+    window.socket.emit = (type, data) => {
+      if (data)
+        return emitter.call(window.socket, type, {
+          ...data,
+          __session: window.session,
+        });
+      else return emitter.call(window.socket, type);
+    };
   });
   window.socket.on("list_threads", (msg) => {
     document.getElementById("threadlist").innerHTML = "";

src/authwrap.js

@@ -1,15 +1,18 @@
 const db = require("../db");
 
 const authwrap = (fn) => async (msg, respond, socket) => {
-  if (!socket.userid) {
+  if (!msg.__session) {
     return respond({
       success: false,
       message: "Not authenticated",
     });
   }
-  const result = await db.query("select * from users where id = ?", [
+  const result = await db.query(
-    socket.userid,
+    `select users.* from users join authentications
-  ]);
+    on authentications.user = users.id
+    where authentications.salt = ?`,
+    [msg.__session]
+  );
   if (result.rows.length === 0) {
     return respond({
       success: false,