admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): migrate tokens from localStorage to httpOnly cookies + CSRF hardening

Browse Source 
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)

Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)

Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-08 06:25:11 +07:00
parent 9583d1cb66
commit 6389dcf78e
19 changed files with 151 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
apps/web/lib/admin-api.ts
View File

@@ -96,87 +96,83 @@ export interface KycQueueItem {
export const adminApi = {
// Dashboard
getDashboardStats: (token: string) =>
apiClient.authGet<DashboardStats>('/admin/dashboard', token),
getDashboardStats: () =>
apiClient.get<DashboardStats>('/admin/dashboard'),
getRevenueStats: (token: string, startDate: string, endDate: string, groupBy: 'day' | 'month' = 'month') =>
apiClient.authGet<RevenueStatsItem[]>(
getRevenueStats: (startDate: string, endDate: string, groupBy: 'day' | 'month' = 'month') =>
apiClient.get<RevenueStatsItem[]>(
`/admin/revenue?startDate=${startDate}&endDate=${endDate}&groupBy=${groupBy}`,
token,
),
// Moderation
getModerationQueue: (token: string, page = 1, limit = 20) =>
apiClient.authGet<PaginatedResult<ModerationQueueItem>>(
getModerationQueue: (page = 1, limit = 20) =>
apiClient.get<PaginatedResult<ModerationQueueItem>>(
`/admin/moderation?page=${page}&limit=${limit}`,
token,
),
approveListing: (token: string, listingId: string, moderationNotes?: string) =>
apiClient.authPost<{ success: boolean }>('/admin/moderation/approve', token, {
approveListing: (listingId: string, moderationNotes?: string) =>
apiClient.post<{ success: boolean }>('/admin/moderation/approve', {
listingId,
moderationNotes,
}),
rejectListing: (token: string, listingId: string, reason: string) =>
apiClient.authPost<{ success: boolean }>('/admin/moderation/reject', token, {
rejectListing: (listingId: string, reason: string) =>
apiClient.post<{ success: boolean }>('/admin/moderation/reject', {
listingId,
reason,
}),
bulkModerate: (token: string, listingIds: string[], action: 'approve' | 'reject', reason?: string) =>
apiClient.authPost<{ success: boolean }>('/admin/moderation/bulk', token, {
bulkModerate: (listingIds: string[], action: 'approve' | 'reject', reason?: string) =>
apiClient.post<{ success: boolean }>('/admin/moderation/bulk', {
listingIds,
action,
reason,
}),
// Users
getUsers: (token: string, params: { page?: number; limit?: number; role?: string; isActive?: boolean; search?: string } = {}) => {
getUsers: (params: { page?: number; limit?: number; role?: string; isActive?: boolean; search?: string } = {}) => {
const query = new URLSearchParams();
if (params.page) query.set('page', String(params.page));
if (params.limit) query.set('limit', String(params.limit));
if (params.role) query.set('role', params.role);
if (params.isActive !== undefined) query.set('isActive', String(params.isActive));
if (params.search) query.set('search', params.search);
return apiClient.authGet<PaginatedResult<UserListItem>>(
return apiClient.get<PaginatedResult<UserListItem>>(
`/admin/users?${query.toString()}`,
token,
);
},
getUserDetail: (token: string, userId: string) =>
apiClient.authGet<UserDetail>(`/admin/users/${userId}`, token),
getUserDetail: (userId: string) =>
apiClient.get<UserDetail>(`/admin/users/${userId}`),
updateUserStatus: (token: string, userId: string, isActive: boolean, reason?: string) =>
apiClient.authPost<{ success: boolean }>('/admin/users/status', token, {
updateUserStatus: (userId: string, isActive: boolean, reason?: string) =>
apiClient.post<{ success: boolean }>('/admin/users/status', {
userId,
isActive,
reason,
}),
banUser: (token: string, userId: string, reason: string, unban = false) =>
apiClient.authPost<{ success: boolean }>('/admin/users/ban', token, {
banUser: (userId: string, reason: string, unban = false) =>
apiClient.post<{ success: boolean }>('/admin/users/ban', {
userId,
reason,
unban,
}),
// KYC
getKycQueue: (token: string, page = 1, limit = 20) =>
apiClient.authGet<PaginatedResult<KycQueueItem>>(
getKycQueue: (page = 1, limit = 20) =>
apiClient.get<PaginatedResult<KycQueueItem>>(
`/admin/kyc?page=${page}&limit=${limit}`,
token,
),
approveKyc: (token: string, userId: string, notes?: string) =>
apiClient.authPost<{ success: boolean }>('/admin/kyc/approve', token, {
approveKyc: (userId: string, notes?: string) =>
apiClient.post<{ success: boolean }>('/admin/kyc/approve', {
userId,
notes,
}),
rejectKyc: (token: string, userId: string, reason: string) =>
apiClient.authPost<{ success: boolean }>('/admin/kyc/reject', token, {
rejectKyc: (userId: string, reason: string) =>
apiClient.post<{ success: boolean }>('/admin/kyc/reject', {
userId,
reason,
}),