admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8825a13d1d22ce4998b75ad1aa8e8eb46e29fb1d
goodgo-platform/apps/web/lib/auth-api.ts
Ho Ngoc Hai 6389dcf78e fix(auth): migrate tokens from localStorage to httpOnly cookies + CSRF hardening 
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)

Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)

Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:25:11 +07:00

49 lines
1.1 KiB
TypeScript
Raw Blame History

import { apiClient } from './api-client';
export interface UserProfile {
id: string;
email: string | null;
phone: string;
fullName: string;
avatarUrl: string | null;
role: string;
kycStatus: string;
isActive: boolean;
createdAt: string;
}
export interface RegisterPayload {
phone: string;
password: string;
fullName: string;
email?: string;
}
export interface LoginPayload {
phone: string;
password: string;
}
export const authApi = {
register: (data: RegisterPayload) =>
apiClient.post<{ message: string }>('/auth/register', data),
login: (data: LoginPayload) =>
apiClient.post<{ message: string }>('/auth/login', data),
refresh: () =>
apiClient.post<{ message: string }>('/auth/refresh'),
logout: () =>
apiClient.post<{ message: string }>('/auth/logout'),
exchangeToken: (accessToken: string, refreshToken: string, expiresIn?: number) =>
apiClient.post<{ message: string }>('/auth/exchange-token', {
accessToken,
refreshToken,
expiresIn,
}),
getProfile: () => apiClient.get<UserProfile>('/auth/profile'),
};
Reference in New Issue View Git Blame Copy Permalink