admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): migrate tokens from localStorage to httpOnly cookies + CSRF hardening

Browse Source 
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)

Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)

Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-08 06:25:11 +07:00
parent 9583d1cb66
commit 6389dcf78e
19 changed files with 151 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
apps/web/lib/api-client.ts
View File

@@ -17,7 +17,7 @@ type RequestOptions = Omit<RequestInit, 'body'> & {
function getCsrfToken(): string | undefined {
if (typeof document === 'undefined') return undefined;
const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]*)/);
return match ? decodeURIComponent(match[1]) : undefined;
return match?.[1] ? decodeURIComponent(match[1]) : undefined;
}
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
@@ -53,10 +53,6 @@ async function request<T>(endpoint: string, options: RequestOptions = {}): Promi
return res.json();
}
function authHeaders(token: string): HeadersInit {
return { Authorization: `Bearer ${token}` };
}
export const apiClient = {
get: <T>(endpoint: string, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'GET', headers }),
@@ -67,12 +63,6 @@ export const apiClient = {
patch: <T>(endpoint: string, body?: unknown, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'PATCH', body, headers }),
authGet: <T>(endpoint: string, token: string) =>
request<T>(endpoint, { method: 'GET', headers: authHeaders(token) }),
authPost: <T>(endpoint: string, token: string, body?: unknown) =>
request<T>(endpoint, { method: 'POST', body, headers: authHeaders(token) }),
authPatch: <T>(endpoint: string, token: string, body?: unknown) =>
request<T>(endpoint, { method: 'PATCH', body, headers: authHeaders(token) }),
delete: <T>(endpoint: string, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'DELETE', headers }),
};