From b8ac4e7b1ffd5be4e1de999dca78762ec0608a44 Mon Sep 17 00:00:00 2001
From: M1 <m1-pro@M1s-MacBook-Pro.local>
Date: Tue, 17 Mar 2026 06:22:16 +0400
Subject: [PATCH] fix: redirect loop on stale cookie, login broken for 64-char
 keys, stale docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- /dashboard now validates key before redirecting to /home — bad/old keys
  clear the cookie and show login instead of looping
- Login form: remove old 4-group auto-formatter, fix maxlength 19→64,
  fix min length validation 19→10, update placeholder
- New key display: break-all so 64-char hex wraps properly
- docs.html: update example key format and description
---
 apps/web/src/dashboard/docs.html  |  6 +++---
 apps/web/src/dashboard/index.html | 17 +++++------------
 apps/web/src/routes/dashboard.ts  | 10 ++++++++--
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/apps/web/src/dashboard/docs.html b/apps/web/src/dashboard/docs.html
index 2091e9e..6677270 100644
--- a/apps/web/src/dashboard/docs.html
+++ b/apps/web/src/dashboard/docs.html
@@ -103,9 +103,9 @@
         <p>All API requests require an account key passed as a Bearer token:</p>
         <div class="cb">
           <div class="cb-header"><span class="cb-lang">http</span></div>
-          <pre>Authorization: Bearer XXXX-XXXX-XXXX-XXXX</pre>
+          <pre>Authorization: Bearer &lt;your-64-char-hex-key&gt;</pre>
         </div>
-        <p>Create an account at <a href="/dashboard">/dashboard</a> or via the API. Keys are 16-character hex strings formatted as four groups.</p>
+        <p>Create an account at <a href="/dashboard">/dashboard</a> or via the API. Keys are 64-character hex strings (256-bit). Shown once at registration &#8212; store them securely.</p>
       </div>
 
       <!-- Account -->
@@ -121,7 +121,7 @@
         </div>
         <div class="cb">
           <div class="cb-header"><span class="cb-lang">json — response</span></div>
-          <pre>{ <span class="k">"key"</span>: <span class="s">"B8AE-9621-A963-F652"</span>, <span class="k">"email_registered"</span>: <span class="n">true</span> }</pre>
+          <pre>{ <span class="k">"key"</span>: <span class="s">"5bf5311b56d09254c8a1f0e3..."</span>, <span class="k">"email_registered"</span>: <span class="n">true</span> }</pre>
         </div>
 
         <h3>Update Email</h3>
diff --git a/apps/web/src/dashboard/index.html b/apps/web/src/dashboard/index.html
index 00c7d03..02010b1 100644
--- a/apps/web/src/dashboard/index.html
+++ b/apps/web/src/dashboard/index.html
@@ -21,9 +21,9 @@
         <form id="login-form" action="/account/login" method="POST">
           <input type="hidden" name="_form" value="1">
           <label class="block text-xs text-gray-500 uppercase tracking-wider mb-2">Account Key</label>
-          <input id="key-input" name="key" type="text" placeholder="XXXX-XXXX-XXXX-XXXX" autocomplete="off" spellcheck="false"
-            class="w-full bg-gray-800 border border-gray-700 rounded-lg px-4 py-3 text-gray-100 placeholder-gray-600 focus:outline-none focus:border-blue-500 tracking-widest text-center text-lg font-mono"
-            maxlength="19">
+          <input id="key-input" name="key" type="text" placeholder="Paste your account key" autocomplete="off" spellcheck="false"
+            class="w-full bg-gray-800 border border-gray-700 rounded-lg px-4 py-3 text-gray-100 placeholder-gray-600 focus:outline-none focus:border-blue-500 text-sm font-mono"
+            maxlength="64">
           <button type="submit"
             class="w-full mt-3 bg-blue-600 hover:bg-blue-500 text-white font-medium py-3 rounded-lg transition-colors">
             Sign In
@@ -53,7 +53,7 @@
         <label class="block text-xs text-gray-500 uppercase tracking-wider mb-2">Your Account Key</label>
         <div class="flex gap-2 mb-5">
           <div id="new-key-display"
-            class="flex-1 bg-gray-800 border border-gray-700 rounded-lg px-4 py-3 text-blue-400 tracking-widest text-center text-lg font-bold font-mono select-all"></div>
+            class="flex-1 bg-gray-800 border border-gray-700 rounded-lg px-4 py-3 text-blue-400 text-sm font-mono select-all break-all"></div>
           <button id="copy-key-btn"
             class="px-4 bg-gray-800 hover:bg-gray-700 border border-gray-700 rounded-lg text-gray-400 hover:text-white transition-colors text-sm">
             Copy
@@ -84,20 +84,13 @@
     const API = '';
     let newKey = null;
 
-    // Auto-format key input
     const keyInput = document.getElementById('key-input');
-    if (keyInput) {
-      keyInput.addEventListener('input', e => {
-        let v = e.target.value.replace(/[^a-zA-Z0-9]/g, '').toUpperCase().slice(0, 16);
-        e.target.value = (v.match(/.{1,4}/g) || []).join('-');
-      });
-    }
 
     // JS-enhanced login (overrides form POST for better UX)
     document.getElementById('login-form').addEventListener('submit', async (e) => {
       e.preventDefault();
       const key = keyInput.value.trim();
-      if (key.length < 19) return showError('Enter a valid account key');
+      if (key.length < 10) return showError('Enter a valid account key');
       try {
         const res = await fetch('/account/login', {
           method: 'POST',
diff --git a/apps/web/src/routes/dashboard.ts b/apps/web/src/routes/dashboard.ts
index b472972..01d183f 100644
--- a/apps/web/src/routes/dashboard.ts
+++ b/apps/web/src/routes/dashboard.ts
@@ -80,8 +80,14 @@ export const dashboard = new Elysia()
   .get("/dashboard/query-builder.js", () => Bun.file(`${dashDir}/query-builder.js`))
 
   // Login page
-  .get("/dashboard", ({ cookie }) => {
-    if (cookie?.pingql_key?.value) return redirect("/dashboard/home");
+  .get("/dashboard", async ({ cookie }) => {
+    const key = cookie?.pingql_key?.value;
+    if (key) {
+      const resolved = await resolveKey(key);
+      if (resolved) return redirect("/dashboard/home");
+      // Invalid/stale key — clear it and show login
+      cookie.pingql_key?.remove();
+    }
     return Bun.file(`${dashDir}/index.html`);
   })