Security Updates

static/js/config.js

@@ -1,5 +1,6 @@
 const USERNAME_KEY = 'scrumPoker.username';
 const PRESETS_KEY = 'scrumPoker.deckPresets.v1';
+const ROOM_SESSION_KEY_PREFIX = 'scrumPoker.roomSession.';
 
 const SCALE_PRESETS = {
     fibonacci: ['0', '1', '2', '3', '5', '8', '13', '21', '?'],
@@ -502,6 +503,7 @@ roomConfigForm.addEventListener('submit', async (event) => {
         allowSpectators: Boolean(formData.get('allowSpectators')),
         anonymousVoting: Boolean(formData.get('anonymousVoting')),
         autoReset: Boolean(formData.get('autoReset')),
+        allowVoteChange: Boolean(formData.get('allowVoteChange')),
         revealMode: (formData.get('revealMode') || 'manual').toString(),
         votingTimeoutSec: Number(formData.get('votingTimeoutSec') || 0),
         password: (formData.get('password') || '').toString(),
@@ -522,7 +524,12 @@ roomConfigForm.addEventListener('submit', async (event) => {
             return;
         }
 
-        const target = `/room/${encodeURIComponent(data.roomId)}?participantId=${encodeURIComponent(data.creatorParticipantId)}&adminToken=${encodeURIComponent(data.adminToken)}&username=${encodeURIComponent(payload.creatorUsername)}`;
+        localStorage.setItem(`${ROOM_SESSION_KEY_PREFIX}${data.roomId}`, JSON.stringify({
+            participantId: data.creatorParticipantId,
+            sessionToken: data.creatorSessionToken,
+        }));
+
+        const target = `/room/${encodeURIComponent(data.roomId)}?adminToken=${encodeURIComponent(data.adminToken)}&username=${encodeURIComponent(payload.creatorUsername)}`;
         window.location.assign(target);
     } catch (_err) {
         statusLine.textContent = 'Network error while creating room.';

static/js/room.js

@@ -1,4 +1,5 @@
 const USERNAME_KEY = 'scrumPoker.username';
+const ROOM_SESSION_KEY_PREFIX = 'scrumPoker.roomSession.';
 
 const roomID = document.body.dataset.roomId;
 const params = new URLSearchParams(window.location.search);
@@ -32,6 +33,7 @@ const joinPasswordInput = document.getElementById('join-password');
 const joinAdminTokenInput = document.getElementById('join-admin-token');
 const joinError = document.getElementById('join-error');
 let participantID = params.get('participantId') || '';
+let sessionToken = params.get('sessionToken') || '';
 let adminToken = params.get('adminToken') || '';
 const prefillUsername = params.get('username') || '';
 let eventSource = null;
@@ -43,6 +45,45 @@ const savedUsername = localStorage.getItem(USERNAME_KEY) || '';
 joinUsernameInput.value = prefillUsername || savedUsername;
 joinAdminTokenInput.value = adminToken;
 
+function roomSessionStorageKey() {
+    return `${ROOM_SESSION_KEY_PREFIX}${roomID}`;
+}
+
+function persistRoomSession() {
+    if (!participantID || !sessionToken) {
+        localStorage.removeItem(roomSessionStorageKey());
+        return;
+    }
+
+    localStorage.setItem(roomSessionStorageKey(), JSON.stringify({
+        participantId: participantID,
+        sessionToken,
+    }));
+}
+
+function loadRoomSessionFromStorage() {
+    try {
+        const raw = localStorage.getItem(roomSessionStorageKey());
+        if (!raw) {
+            return;
+        }
+        const parsed = JSON.parse(raw);
+        if (!participantID && typeof parsed.participantId === 'string') {
+            participantID = parsed.participantId;
+        }
+        if (!sessionToken && typeof parsed.sessionToken === 'string') {
+            sessionToken = parsed.sessionToken;
+        }
+    } catch (_err) {
+        localStorage.removeItem(roomSessionStorageKey());
+    }
+}
+
+if (!participantID || !sessionToken) {
+    loadRoomSessionFromStorage();
+}
+persistRoomSession();
+
 if (!window.CardUI || typeof window.CardUI.appendFace !== 'function') {
     throw new Error('CardUI is not loaded. Ensure /static/js/cards.js is included before room.js.');
 }
@@ -62,12 +103,8 @@ function setJoinError(message) {
 function updateURL() {
     const next = new URL(window.location.href);
     next.searchParams.delete('username');
-
-    if (participantID) {
-        next.searchParams.set('participantId', participantID);
-    } else {
-        next.searchParams.delete('participantId');
-    }
+    next.searchParams.delete('participantId');
+    next.searchParams.delete('sessionToken');
 
     if (adminToken) {
         next.searchParams.set('adminToken', adminToken);
@@ -90,11 +127,15 @@ function setRoomMessage(message) {
 }
 
 async function joinRoom({ username, role, password, participantIdOverride }) {
+    const activeParticipantID = participantIdOverride || participantID;
+    const rejoinParticipantID = activeParticipantID && sessionToken ? activeParticipantID : '';
+
     const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/join`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
-            participantId: participantIdOverride || participantID,
+            participantId: rejoinParticipantID,
+            sessionToken,
             username,
             role,
             password,
@@ -108,7 +149,9 @@ async function joinRoom({ username, role, password, participantIdOverride }) {
     }
 
     participantID = data.participantId;
+    sessionToken = data.sessionToken;
     localStorage.setItem(USERNAME_KEY, data.username);
+    persistRoomSession();
     updateURL();
     setJoinError('');
     return data;
@@ -235,9 +278,9 @@ function renderSummary(state) {
     summaryRecommended.textContent = recommended === null ? 'Recommended: -' : `Recommended: ${recommended}`;
 }
 
-function renderCards(cards, participants, isRevealed) {
+function renderCards(cards, participants, isRevealed, allowVoteChange) {
     const self = participants.find((participant) => participant.id === participantID && participant.connected);
-    const canVote = self && self.role === 'participant';
+    const canVote = self && self.role === 'participant' && (allowVoteChange || !self.hasVoted);
     const selfVote = self ? self.voteValue : '';
 
     votingBoard.innerHTML = '';
@@ -319,7 +362,8 @@ function renderState(state) {
     roundStateLabel.textContent = state.revealed ? 'Cards revealed' : 'Cards hidden';
 
     renderParticipants(state.participants, state.revealed);
-    renderCards(state.cards, state.participants, state.revealed);
+    const allowVoteChange = state.allowVoteChange !== false;
+    renderCards(state.cards, state.participants, state.revealed, allowVoteChange);
     renderSummary(state);
 
     const self = state.participants.find((participant) => participant.id === participantID && participant.connected);
@@ -361,7 +405,7 @@ function connectSSE() {
         eventSource.close();
     }
 
-    eventSource = new EventSource(`/api/rooms/${encodeURIComponent(roomID)}/events?participantId=${encodeURIComponent(participantID)}`);
+    eventSource = new EventSource(`/api/rooms/${encodeURIComponent(roomID)}/events?participantId=${encodeURIComponent(participantID)}&sessionToken=${encodeURIComponent(sessionToken)}`);
     eventSource.addEventListener('state', (event) => {
         try {
             const payload = JSON.parse(event.data);
@@ -379,7 +423,7 @@ function connectSSE() {
 }
 
 async function castVote(card) {
-    if (!participantID) {
+    if (!participantID || !sessionToken) {
         return;
     }
 
@@ -387,7 +431,7 @@ async function castVote(card) {
         const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/vote`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ participantId: participantID, card }),
+            body: JSON.stringify({ participantId: participantID, sessionToken, card }),
         });
 
         if (!response.ok) {
@@ -400,7 +444,7 @@ async function castVote(card) {
 }
 
 async function adminAction(action) {
-    if (!participantID) {
+    if (!participantID || !sessionToken) {
         return;
     }
 
@@ -408,7 +452,7 @@ async function adminAction(action) {
         const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/${action}`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ participantId: participantID }),
+            body: JSON.stringify({ participantId: participantID, sessionToken }),
         });
 
         if (!response.ok) {
@@ -421,7 +465,7 @@ async function adminAction(action) {
 }
 
 async function changeName() {
-    if (!participantID) {
+    if (!participantID || !sessionToken) {
         return;
     }
 
@@ -486,21 +530,18 @@ joinForm.addEventListener('submit', async (event) => {
     adminToken = joinAdminTokenInput.value.trim();
 
     try {
-        const result = await joinRoom({
+        await joinRoom({
             username,
             role: joinRoleInput.value,
             password: joinPasswordInput.value,
             participantIdOverride: participantID,
         });
-        if (result.isAdmin) {
-            const adminRoomURL = `/room/${encodeURIComponent(roomID)}?participantId=${encodeURIComponent(participantID)}&adminToken=${encodeURIComponent(adminToken)}`;
-            window.location.assign(adminRoomURL);
-            return;
-        }
         connectSSE();
     } catch (err) {
-        if (participantID) {
+        if (participantID || sessionToken) {
             participantID = '';
+            sessionToken = '';
+            persistRoomSession();
             updateURL();
         }
         setJoinError(err.message);
@@ -508,7 +549,7 @@ joinForm.addEventListener('submit', async (event) => {
 });
 
 async function tryAutoJoinExistingParticipant() {
-    if (!participantID) {
+    if (!participantID || !sessionToken) {
         return;
     }
 
@@ -524,16 +565,18 @@ async function tryAutoJoinExistingParticipant() {
         connectSSE();
     } catch (_err) {
         participantID = '';
+        sessionToken = '';
+        persistRoomSession();
         updateURL();
     }
 }
 
 window.addEventListener('pagehide', () => {
-    if (!participantID) {
+    if (!participantID || !sessionToken) {
         return;
     }
 
-    const payload = JSON.stringify({ participantId: participantID });
+    const payload = JSON.stringify({ participantId: participantID, sessionToken });
     navigator.sendBeacon(`/api/rooms/${encodeURIComponent(roomID)}/leave`, new Blob([payload], { type: 'application/json' }));
 });