
fix: Insecure and simplistic authentication system exposing user data#52

Merged
JiyaBatra merged 3 commits into JiyaBatra:main from Aditya8369:49
Mar 14, 2026

Conversation

@Aditya8369
Contributor

Implemented a full client-side hardening pass for the authentication flow and page security headers.

What I changed

  1. Hardened credential handling in auth.js
  • Replaced plaintext password storage with PBKDF2 hashing (Web Crypto API) + per-user salt + iterations:
    • auth.js
    • auth.js
  • Stored user record now contains hash metadata instead of raw password.
  • Added legacy migration path for old plaintext users on next successful login:
    • auth.js
  2. Added input validation and sanitization in auth.js
  • Username sanitization and format checks:
    • auth.js
  • Email normalization + validation:
    • auth.js, auth.js
  • Password strength policy enforcement:
    • auth.js
  • Sign-up and sign-in handlers now validate before processing:
    • auth.js
    • auth.js
  3. Switched auth session state to sessionStorage with expiry
  • Added short-lived auth session object in sessionStorage:
    • auth.js
    • auth.js
    • auth.js
    • auth.js
  • Added enforced expiry window (2 hours):
    • auth.js
  • Updated page protection and navbar user display:
    • auth.js
    • auth.js
  • Logout now clears only session auth token:
    • auth.js
  • Old localStorage auth flags are cleaned up:
    • auth.js
  4. Updated sign-in/sign-up redirect checks to session-based auth
  • signin.html
  • signup.html
  5. Added CSP meta tags to protected/auth pages
  • signin.html
  • signup.html
  • index.html
  • about.html
  • contact.html
  • contribute.html
  • projects.html
  • index.html

Important security note

  • CSRF protection is fundamentally a server concern (cookie-bound sessions + CSRF token validation). In a static, client-only auth model, CSRF cannot be meaningfully enforced the same way.
  • This update is a safer stopgap, not production-grade authentication.
  • For real security, move auth to server-side (or Firebase/Auth provider), keep secrets off the client, and use HttpOnly secure cookies with backend session/token validation.

Validation

  • JavaScript/HTML checks show no new auth-related errors in changed auth files.
  • Existing non-auth warnings (e.g., playsinline compatibility and some form-label lint warnings) remain unchanged.

closes #49

@vercel

vercel bot commented Mar 13, 2026

@Aditya8369 is attempting to deploy a commit to the jiya's projects Team on Vercel.

A member of the Team first needs to authorize it.

@netlify

netlify bot commented Mar 13, 2026

Deploy Preview for addminiproject failed.

Name               Link
Latest commit      0693743
Latest deploy log  https://app.netlify.com/projects/addminiproject/deploys/69b3fa4cb7953000089286fe

@JiyaBatra JiyaBatra added the labels JWOC-Level-3 (Advanced issues that involve complex implementation or significant feature development), JWOC-Bug (Bug fixes assigned under JWOC contribution guidelines), Hard (The issue is hard) and jwoc (This project is under jwoc) on Mar 14, 2026
@JiyaBatra JiyaBatra merged commit 634e353 into JiyaBatra:main Mar 14, 2026
2 of 7 checks passed
@Aditya8369 Aditya8369 deleted the 49 branch March 26, 2026 05:10