6389dcf78e
Backend: - Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh - JWT strategy reads token from cookie first, falls back to Authorization header - Added POST /auth/logout to clear auth cookies - Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange - Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat) - CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout) Frontend: - Removed all localStorage token storage (goodgo_tokens key) - Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies) - All API calls use credentials:'include' for cookie-based auth - Updated auth-store: no more token state, uses isAuthenticated flag from cookie - Updated admin-api, listings-api to remove explicit token parameters - Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing - OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies - Auth provider simplified (no client-side cookie management needed) Security improvements: - JWT no longer accessible via JavaScript (XSS-safe) - Refresh token scoped to /auth path only - Server-side goodgo_authenticated cookie with SameSite=Lax - Access token cookie with SameSite=Strict Co-Authored-By: Paperclip <noreply@paperclip.ing>
69 lines
1.9 KiB
TypeScript
69 lines
1.9 KiB
TypeScript
const API_BASE_URL = process.env['NEXT_PUBLIC_API_URL'] || 'http://localhost:3001';
|
|
|
|
export class ApiError extends Error {
|
|
constructor(
|
|
public status: number,
|
|
message: string,
|
|
) {
|
|
super(message);
|
|
this.name = 'ApiError';
|
|
}
|
|
}
|
|
|
|
type RequestOptions = Omit<RequestInit, 'body'> & {
|
|
body?: unknown;
|
|
};
|
|
|
|
function getCsrfToken(): string | undefined {
|
|
if (typeof document === 'undefined') return undefined;
|
|
const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]*)/);
|
|
return match?.[1] ? decodeURIComponent(match[1]) : undefined;
|
|
}
|
|
|
|
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
|
|
|
|
async function request<T>(endpoint: string, options: RequestOptions = {}): Promise<T> {
|
|
const { body, headers, ...rest } = options;
|
|
const method = options.method?.toUpperCase() ?? 'GET';
|
|
|
|
const csrfHeaders: HeadersInit = {};
|
|
if (!SAFE_METHODS.has(method)) {
|
|
const csrfToken = getCsrfToken();
|
|
if (csrfToken) {
|
|
csrfHeaders['X-CSRF-Token'] = csrfToken;
|
|
}
|
|
}
|
|
|
|
const res = await fetch(`${API_BASE_URL}${endpoint}`, {
|
|
...rest,
|
|
credentials: 'include',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
...csrfHeaders,
|
|
...headers,
|
|
},
|
|
body: body ? JSON.stringify(body) : undefined,
|
|
});
|
|
|
|
if (!res.ok) {
|
|
const error = await res.json().catch(() => ({ message: res.statusText }));
|
|
throw new ApiError(res.status, error.message || 'Request failed');
|
|
}
|
|
|
|
return res.json();
|
|
}
|
|
|
|
export const apiClient = {
|
|
get: <T>(endpoint: string, headers?: HeadersInit) =>
|
|
request<T>(endpoint, { method: 'GET', headers }),
|
|
|
|
post: <T>(endpoint: string, body?: unknown, headers?: HeadersInit) =>
|
|
request<T>(endpoint, { method: 'POST', body, headers }),
|
|
|
|
patch: <T>(endpoint: string, body?: unknown, headers?: HeadersInit) =>
|
|
request<T>(endpoint, { method: 'PATCH', body, headers }),
|
|
|
|
delete: <T>(endpoint: string, headers?: HeadersInit) =>
|
|
request<T>(endpoint, { method: 'DELETE', headers }),
|
|
};
|