Implement combined URL auth key and password authentication for enhanced security

[Copilot]

• Implement combined auth key + password authentication system
• Create crypto service for encryption/decryption with combined keys
• Update API endpoints to handle dual authentication
• Add client-side authentication flow in ViewNote component
• Add comprehensive tests for crypto service
• Update database schema to include authKey field
• Separate form and server validation schemas: Removed iv and authKey from client-side form validation (createNoteSchema) and created separate server-side validation schema (createNoteServerSchema) for server-side validation only
• Remove IV from validation schema: Removed IV field from createNoteServerSchema and handle IV validation directly in server code since IV is system-generated data, not user input
• Remove double confirmation for password-protected notes: Password entry + "View & Destroy" click is now sufficient - no initial confirmation dialog shown for password-protected notes

Key Changes Made

• Client-side form validation (createNoteSchema): Only validates user input fields (content, password, expiresIn, manualDeletion)
• Server-side validation (createNoteServerSchema): Validates user input fields and server-generated authKey (IV now validated directly)
• API route updated: Direct IV validation before schema validation, uses createNoteServerSchema for remaining fields
• Form behavior unchanged: CreateNoteForm continues to use client schema for user input validation
• ViewNote UX improved: Eliminated double confirmation for password-protected notes by detecting when password is required and bypassing initial confirmation dialog

This addresses all feedback regarding validation schemas and user experience improvements for password-protected notes.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[emilkrebs]

@copilot The IV is not used for form validation, only for server validation.

[emilkrebs]

@copilot remove IV from this schema and only validate on the server instead

[Copilot]

Agreed! I've removed the iv field from the form validation schema and created a separate createNoteServerSchema for server-side validation only. The client form now only validates user inputs. Commit: 473d2d1

[Copilot]

Done! I've removed the IV field from the createNoteServerSchema and now validate the IV directly in the server code instead of through valibot schema validation. Since IV is system-generated data (not user input), direct validation is more appropriate than schema validation. Commit: a2d50b5

[emilkrebs]

@copilot The authKey is not used for form validation, only for server validation.

[emilkrebs]

@copilot remove authKey from this schema and only validate on the server instead

[Copilot]

Done! I've removed authKey from the form validation schema (createNoteSchema) and created a separate createNoteServerSchema that includes both iv and authKey fields for server-side validation only. The client form validation now only handles user input fields. Commit: 473d2d1

[Copilot]

Pull Request Overview

This PR implements a dual-layer authentication system combining URL auth keys with optional passwords for enhanced security. The system always generates auth keys and allows optional password protection for maximum flexibility.

• Always generates auth keys regardless of password presence for URL-based access
• Combines auth key and password for encryption when both are provided
• Maintains backward compatibility with existing password-only and auth-key-only notes

Reviewed Changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tests/main_test.ts	Updated API tests to include auth key authentication flow
tests/crypto-service_test.ts	Added comprehensive tests for combined authentication logic
routes/api/notes/[id].ts	Enhanced authentication logic to handle dual-layer auth validation
routes/api/notes.ts	Modified to accept and store both password and auth key hashes
lib/validation/note.ts	Added validation for optional auth key field
lib/types.ts	Added authKey field to Note interface
lib/services/storage/storage-provider.ts	Updated interface signatures to accept both auth key and password
lib/services/storage/remote-storage.ts	Implemented dual authentication for API calls
lib/services/note-service.ts	Updated method signatures for combined authentication
lib/services/crypto-service.ts	Core implementation of combined key generation and decryption logic
islands/ViewNote.tsx	Enhanced UI to handle combined authentication flow
IMPLEMENTATION_SUMMARY.md	Added documentation of implementation changes

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

@copilot The authentication logic is duplicated between the POST and DELETE handlers. Extract this into a separate function like authenticateUser(note, passwordHash, authKeyHash) to reduce code duplication and improve maintainability.

[Copilot]

@copilot The authentication logic is duplicated between the POST and DELETE handlers. Extract this into a separate function like authenticateUser(note, passwordHash, authKeyHash) to reduce code duplication and improve maintainability.

[Copilot]

This message assumes the note requires both auth key and password, but it could be shown for auth-key-only notes as well. The message should be more generic or conditionally displayed based on the actual authentication requirements.

[emilkrebs]

@copilot, hence every URL now should contain a URL fragment, and remove the double confirmation if the note is password-protected. Also shows an appropriate error when the note doesn't have a URL fragment. Make the ViewNote handling more organized

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.deno.land
  • Triggering command: curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[emilkrebs]

@copilot remove double user confirmation when the note is password protected.

Entering the password and clicking on "View and Destroy" is enough. The user doesn't need to confirm before that.

[Copilot]

@copilot remove double user confirmation when the note is password protected.

Entering the password and clicking on "View and Destroy" is enough. The user doesn't need to confirm before that.

Done! I've removed the double confirmation for password-protected notes. Now when a note requires a password, users go directly to the password entry form without seeing an initial "View and Destroy" confirmation dialog first.

How it works now:

• For password-protected notes: Direct password entry → "View & Destroy" button (one step)
• For non-password notes: Still shows confirmation dialog for auto-delete notes (as intended)
• For manual deletion notes: Shows note immediately (unchanged)

The change detects when a password is required during the initial decryption attempt and bypasses the confirmation dialog, making the experience much smoother for password-protected notes. Commit: c5b92af