feat: support for passwords

dbirman · dbirman · commit 3d3e655bb404 · 2026-05-04T21:13:44.000-07:00
diff --git a/web/src/__tests__/contributions-view.test.js b/web/src/__tests__/contributions-view.test.js
@@ -504,4 +504,49 @@ describe('createContributionsView — projectName auto-load', () => {
     await Promise.resolve();
     expect(global.fetch).not.toHaveBeenCalled();
   });
+
+  it('fetches history when a draft with a project name is restored (no full reload)', async () => {
+    const draftRows = [{ name: 'Alice Smith', isFirst: false, ...Object.fromEntries(
+      ['Conceptualization','Methodology','Software','Validation','Formal analysis',
+       'Investigation','Resources','Data curation','Writing \u2013 original draft',
+       'Writing \u2013 review & editing','Visualization','Supervision',
+       'Project Administration','Funding Acquisition'].map(c => [c, 'None'])
+    ) }];
+    sessionStorage.setItem('contributions:draft', JSON.stringify({
+      rows: draftRows,
+      projectName: 'my-project',
+      assetNames: '',
+      projectLocked: false,
+      projectPassword: '',
+      authorSources: {},
+      authorOrcids: {},
+      authorAffIds: {},
+      affiliations: [],
+      loadedAssetNames: [],
+      sections: [],
+      creditDescriptions: {},
+      creditLinkedSections: {},
+      selectedAuthor: null,
+      doi: '',
+    }));
+
+    // history=true fetch should be called; full project GET should not
+    global.fetch = vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => [],
+    });
+
+    createContributionsView({ projectName: 'my-project' });
+    await Promise.resolve();
+
+    expect(global.fetch).toHaveBeenCalledWith(
+      expect.stringContaining('history=true'),
+    );
+    // Should NOT re-fetch the full project data
+    const fullProjectCalls = global.fetch.mock.calls.filter(
+      ([url]) => !url.includes('history=true'),
+    );
+    expect(fullProjectCalls).toHaveLength(0);
+  });
 });
diff --git a/web/src/contributions/preview.js b/web/src/contributions/preview.js
@@ -544,7 +544,9 @@ export function createPreview(container, authors) {
   function detectDarkMode() {
     const html = document.documentElement;
     if (html.getAttribute('data-theme') === 'dark') return true;
+    if (html.getAttribute('data-theme') === 'light') return false;
     if (html.classList.contains('dark')) return true;
+    if (html.classList.contains('light')) return false;
     return window.matchMedia('(prefers-color-scheme: dark)').matches;
   }
 
diff --git a/web/src/contributions/view.js b/web/src/contributions/view.js
@@ -581,6 +581,8 @@ export function createContributionsView(options = {}) {
 
   let projectLocked = false;
   let projectPassword = '';
+  /** True when the server-side model has a password set (loaded via GET). */
+  let serverLocked = false;
 
   /** @type {HTMLElement|null} Currently-selected history bubble. */
   let selectedHistoryBubble = null;
@@ -840,7 +842,7 @@ export function createContributionsView(options = {}) {
         projectLocked,
         projectPassword,
         rows, authorSources, authorOrcids, authorAffIds, affiliations, loadedAssetNames,
-        sections, creditDescriptions, creditLinkedSections, selectedAuthor, doi,
+        sections, creditDescriptions, creditLinkedSections, selectedAuthor, doi, serverLocked,
       }));
     } catch (_) {}
   }
@@ -1668,6 +1670,22 @@ export function createContributionsView(options = {}) {
       syncUrl();
       endpointStatus.textContent = `\u2713 Loaded \u201c${project}\u201d \u2014 ${loadedRows.length} contributor(s).`;
       endpointStatus.className = 'contributions-endpoint-status status-success';
+
+      // Apply server-side locked state
+      serverLocked = data.locked === true;
+      if (serverLocked) {
+        projectLocked = true;
+        projectLockedCheckbox.checked = true;
+        projectLockedCheckbox.disabled = true;
+        pwPasswordRow.style.display = '';
+        projectPasswordInput.placeholder = 'Password required to save';
+        projectPassword = '';
+        projectPasswordInput.value = '';
+      } else {
+        projectLockedCheckbox.disabled = false;
+        projectPasswordInput.placeholder = 'Set a password';
+      }
+
       // Collapse assets section \u2014 irrelevant when working with a loaded project
       assetsOpen = false;
       assetsBody.style.display = 'none';
@@ -1683,6 +1701,21 @@ export function createContributionsView(options = {}) {
     }
   }
 
+  /**
+   * Hash a plaintext password with SHA-256 and return a hex string.
+   * Passwords are never sent in plaintext over the wire.
+   *
+   * @param {string} password
+   * @returns {Promise<string>}
+   */
+  async function hashPassword(password) {
+    const encoded = new TextEncoder().encode(password);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', encoded);
+    return Array.from(new Uint8Array(hashBuffer))
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
+  }
+
   async function saveToServer() {
     const project = projectNameInput.value.trim();
     if (!project) {
@@ -1696,7 +1729,11 @@ export function createContributionsView(options = {}) {
     endpointStatus.className = 'contributions-endpoint-status status-loading';
     try {
       const payload = toEndpointPayload(rows, project, { authorOrcids, authorAffIds, affiliations, sections, creditDescriptions, creditLinkedSections, assets: loadedAssetNames, doi });
-      const url = `${CONTRIBUTIONS_API_BASE}/contributions/post?project=${encodeURIComponent(project)}`;
+      let url = `${CONTRIBUTIONS_API_BASE}/contributions/post?project=${encodeURIComponent(project)}`;
+      if (projectPassword) {
+        const hashed = await hashPassword(projectPassword);
+        url += `&password=${encodeURIComponent(hashed)}`;
+      }
       const res = await fetch(url, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
@@ -1728,7 +1765,11 @@ export function createContributionsView(options = {}) {
   function updateProjectButtons() {
     const hasProject = projectNameInput.value.trim().length > 0;
     getBtn.disabled = !hasProject;
-    postBtn.disabled = !hasProject || rows.length === 0;
+    const hasRows = rows.length > 0;
+    // When server has a password, require the user to enter one before saving
+    const passwordRequired = serverLocked;
+    const hasPassword = projectPasswordInput.value.trim().length > 0;
+    postBtn.disabled = !hasProject || !hasRows || (passwordRequired && !hasPassword);
   }
 
   // -------------------------------------------------------------------------
@@ -1776,6 +1817,7 @@ export function createContributionsView(options = {}) {
   });
   projectPasswordInput.addEventListener('input', () => {
     projectPassword = projectPasswordInput.value;
+    updateProjectButtons();
     saveDraft();
   });
 
@@ -1846,14 +1888,24 @@ export function createContributionsView(options = {}) {
     const raw = sessionStorage.getItem(DRAFT_KEY);
     if (raw) {
       const draft = JSON.parse(raw);
-      if (draft.rows?.length > 0) {
+      // If the URL specifies a project that differs from the draft, discard the
+      // draft and treat the URL as ground truth.
+      const draftProject = (draft.projectName || '').trim();
+      if (projectName && draftProject && projectName !== draftProject) {
+        sessionStorage.removeItem(DRAFT_KEY);
+      } else if (draft.rows?.length > 0) {
         assetInput.value = draft.assetNames || '';
         projectNameInput.value = draft.projectName || '';
         if (draft.projectLocked) {
           projectLocked = true;
           projectLockedCheckbox.checked = true;
           pwPasswordRow.style.display = '';
         }
+        if (draft.serverLocked) {
+          serverLocked = true;
+          projectLockedCheckbox.disabled = true;
+          projectPasswordInput.placeholder = 'Password required to save';
+        }
         if (draft.projectPassword) {
           projectPassword = draft.projectPassword;
           projectPasswordInput.value = draft.projectPassword;
@@ -1887,6 +1939,11 @@ export function createContributionsView(options = {}) {
 
   if (projectName && !draftRestored) {
     Promise.resolve().then(loadFromServer);
+  } else if (draftRestored) {
+    const draftProject = projectNameInput.value.trim();
+    if (draftProject) {
+      Promise.resolve().then(() => fetchHistory(draftProject));
+    }
   }
 
   updateProjectButtons();

Original file line number	Diff line number	Diff line change
`@@ -544,7 +544,9 @@ export function createPreview(container, authors) {`
`544`	`544`	`function detectDarkMode() {`
`545`	`545`	`const html = document.documentElement;`
`546`	`546`	`if (html.getAttribute('data-theme') === 'dark') return true;`
	`547`	`+ if (html.getAttribute('data-theme') === 'light') return false;`
`547`	`548`	`if (html.classList.contains('dark')) return true;`
	`549`	`+ if (html.classList.contains('light')) return false;`
`548`	`550`	`return window.matchMedia('(prefers-color-scheme: dark)').matches;`
`549`	`551`	`}`
`550`	`552`