Migrate backend auth to cookies

2025-11-05 15:44:21 +00:00 · 2024-12-05 21:56:35 +01:00
parent b4528c1561
commit de9e9102db
17 changed files with 237 additions and 198 deletions
--- a/server/cmd/server/main.go
+++ b/server/cmd/server/main.go
@@ -13,6 +13,9 @@ import (
 // @license.name Apache 2.0
 // @license.url http://www.apache.org/licenses/LICENSE-2.0.html
 // @BasePath /api/v1
+// @SecurityDefinitions.ApiKey CookieAuth
+// @In cookie
+// @Name access_token
 func main() {
 	// Load configuration
 	cfg, err := app.LoadConfig()
--- a/server/internal/app/config.go
+++ b/server/internal/app/config.go
@@ -15,7 +15,8 @@ type Config struct {
 	WorkDir           string
 	StaticPath        string
 	Port              string
-	AppURL            string
+	RootURL           string
+	Domain            string
 	CORSOrigins       []string
 	AdminEmail        string
 	AdminPassword     string
@@ -77,8 +78,12 @@ func LoadConfig() (*Config, error) {
 		config.Port = port
 	}

-	if appURL := os.Getenv("NOVAMD_APP_URL"); appURL != "" {
-		config.AppURL = appURL
+	if rootURL := os.Getenv("NOVAMD_ROOT_URL"); rootURL != "" {
+		config.RootURL = rootURL
+	}
+
+	if domain := os.Getenv("NOVAMD_DOMAIN"); domain != "" {
+		config.Domain = domain
 	}

 	if corsOrigins := os.Getenv("NOVAMD_CORS_ORIGINS"); corsOrigins != "" {
--- a/server/internal/app/config_test.go
+++ b/server/internal/app/config_test.go
@@ -49,7 +49,8 @@ func TestLoad(t *testing.T) {
 			"NOVAMD_WORKDIR",
 			"NOVAMD_STATIC_PATH",
 			"NOVAMD_PORT",
-			"NOVAMD_APP_URL",
+			"NOVAMD_ROOT_URL",
+			"NOVAMD_DOMAIN",
 			"NOVAMD_CORS_ORIGINS",
 			"NOVAMD_ADMIN_EMAIL",
 			"NOVAMD_ADMIN_PASSWORD",
@@ -95,7 +96,7 @@ func TestLoad(t *testing.T) {
 			"NOVAMD_WORKDIR":             "/custom/work/dir",
 			"NOVAMD_STATIC_PATH":         "/custom/static/path",
 			"NOVAMD_PORT":                "3000",
-			"NOVAMD_APP_URL":             "http://localhost:3000",
+			"NOVAMD_ROOT_URL":            "http://localhost:3000",
 			"NOVAMD_CORS_ORIGINS":        "http://localhost:3000,http://localhost:3001",
 			"NOVAMD_ADMIN_EMAIL":         "admin@example.com",
 			"NOVAMD_ADMIN_PASSWORD":      "password123",
@@ -124,7 +125,7 @@ func TestLoad(t *testing.T) {
 			{"WorkDir", cfg.WorkDir, "/custom/work/dir"},
 			{"StaticPath", cfg.StaticPath, "/custom/static/path"},
 			{"Port", cfg.Port, "3000"},
-			{"AppURL", cfg.AppURL, "http://localhost:3000"},
+			{"AppURL", cfg.RootURL, "http://localhost:3000"},
 			{"AdminEmail", cfg.AdminEmail, "admin@example.com"},
 			{"AdminPassword", cfg.AdminPassword, "password123"},
 			{"JWTSigningKey", cfg.JWTSigningKey, "secret-key"},
--- a/server/internal/app/init.go
+++ b/server/internal/app/init.go
@@ -40,14 +40,14 @@ func initDatabase(cfg *Config, secretsService secrets.Service) (db.Database, err
 }

 // initAuth initializes JWT and session services
-func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, error) {
+func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, auth.CookieService, error) {
 	// Get or generate JWT signing key
 	signingKey := cfg.JWTSigningKey
 	if signingKey == "" {
 		var err error
 		signingKey, err = database.EnsureJWTSecret()
 		if err != nil {
-			return nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err)
+			return nil, nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err)
 		}
 	}

@@ -58,13 +58,16 @@ func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.Session
 		RefreshTokenExpiry: 7 * 24 * time.Hour,
 	})
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err)
+		return nil, nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err)
 	}

 	// Initialize session service
 	sessionService := auth.NewSessionService(database, jwtManager)

-	return jwtManager, sessionService, nil
+	// Cookie service
+	cookieService := auth.NewCookieService(cfg.IsDevelopment, cfg.Domain)
+
+	return jwtManager, sessionService, cookieService, nil
 }

 // setupAdminUser creates the admin user if it doesn't exist
--- a/server/internal/app/options.go
+++ b/server/internal/app/options.go
@@ -13,6 +13,7 @@ type Options struct {
 	Storage        storage.Manager
 	JWTManager     auth.JWTManager
 	SessionService *auth.SessionService
+	CookieService  auth.CookieService
 }

 // DefaultOptions creates server options with default configuration
@@ -33,7 +34,7 @@ func DefaultOptions(cfg *Config) (*Options, error) {
 	storageManager := storage.NewService(cfg.WorkDir)

 	// Initialize auth services
-	jwtManager, sessionService, err := initAuth(cfg, database)
+	jwtManager, sessionService, cookieService, err := initAuth(cfg, database)
 	if err != nil {
 		return nil, err
 	}
@@ -49,5 +50,6 @@ func DefaultOptions(cfg *Config) (*Options, error) {
 		Storage:        storageManager,
 		JWTManager:     jwtManager,
 		SessionService: sessionService,
+		CookieService:  cookieService,
 	}, nil
 }
--- a/server/internal/app/routes.go
+++ b/server/internal/app/routes.go
@@ -40,7 +40,8 @@ func setupRouter(o Options) *chi.Mux {
 		r.Use(cors.Handler(cors.Options{
 			AllowedOrigins:   o.Config.CORSOrigins,
 			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-Requested-With"},
+			AllowedHeaders:   []string{"Accept", "Content-Type", "X-CSRF-Token"},
+			ExposedHeaders:   []string{"X-CSRF-Token"},
 			AllowCredentials: true,
 			MaxAge:           300,
 		}))
@@ -71,8 +72,8 @@ func setupRouter(o Options) *chi.Mux {

 		// Public routes (no authentication required)
 		r.Group(func(r chi.Router) {
-			r.Post("/auth/login", handler.Login(o.SessionService))
-			r.Post("/auth/refresh", handler.RefreshToken(o.SessionService))
+			r.Post("/auth/login", handler.Login(o.SessionService, o.CookieService))
+			r.Post("/auth/refresh", handler.RefreshToken(o.SessionService, o.CookieService))
 		})

 		// Protected routes (authentication required)
@@ -81,7 +82,7 @@ func setupRouter(o Options) *chi.Mux {
 			r.Use(context.WithUserContextMiddleware)

 			// Auth routes
-			r.Post("/auth/logout", handler.Logout(o.SessionService))
+			r.Post("/auth/logout", handler.Logout(o.SessionService, o.CookieService))
 			r.Get("/auth/me", handler.GetCurrentUser())

 			// User profile routes
--- a/server/internal/auth/cookies.go
+++ b/server/internal/auth/cookies.go
@@ -0,0 +1,91 @@
+// Package auth provides JWT token generation and validation
+package auth
+
+import (
+	"net/http"
+)
+
+// CookieService interface defines methods for generating cookies
+type CookieService interface {
+	GenerateAccessTokenCookie(token string) *http.Cookie
+	GenerateRefreshTokenCookie(token string) *http.Cookie
+	GenerateCSRFCookie(token string) *http.Cookie
+	InvalidateCookie(cookieType string) *http.Cookie
+}
+
+// CookieService
+type cookieService struct {
+	Domain   string
+	Secure   bool
+	SameSite http.SameSite
+}
+
+// NewCookieService creates a new cookie service
+func NewCookieService(isDevelopment bool, domain string) CookieService {
+	secure := !isDevelopment
+	var sameSite http.SameSite
+
+	if isDevelopment {
+		sameSite = http.SameSiteLaxMode
+	} else {
+		sameSite = http.SameSiteStrictMode
+	}
+
+	return &cookieService{
+		Domain:   domain,
+		Secure:   secure,
+		SameSite: sameSite,
+	}
+}
+
+// GenerateAccessTokenCookie creates a new cookie for the access token
+func (c *cookieService) GenerateAccessTokenCookie(token string) *http.Cookie {
+	return &http.Cookie{
+		Name:     "access_token",
+		Value:    token,
+		HttpOnly: true,
+		Secure:   c.Secure,
+		SameSite: c.SameSite,
+		Path:     "/",
+		MaxAge:   900, // 15 minutes
+	}
+}
+
+// GenerateRefreshTokenCookie creates a new cookie for the refresh token
+func (c *cookieService) GenerateRefreshTokenCookie(token string) *http.Cookie {
+	return &http.Cookie{
+		Name:     "refresh_token",
+		Value:    token,
+		HttpOnly: true,
+		Secure:   c.Secure,
+		SameSite: c.SameSite,
+		Path:     "/",
+		MaxAge:   604800, // 7 days
+	}
+}
+
+// GenerateCSRFCookie creates a new cookie for the CSRF token
+func (c *cookieService) GenerateCSRFCookie(token string) *http.Cookie {
+	return &http.Cookie{
+		Name:     "csrf_token",
+		Value:    token,
+		HttpOnly: false, // Frontend needs to read this
+		Secure:   c.Secure,
+		SameSite: c.SameSite,
+		Path:     "/",
+		MaxAge:   900,
+	}
+}
+
+// InvalidateCookie creates a new cookie with a MaxAge of -1 to invalidate the cookie
+func (c *cookieService) InvalidateCookie(cookieType string) *http.Cookie {
+	return &http.Cookie{
+		Name:     cookieType,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   c.Secure,
+		SameSite: c.SameSite,
+	}
+}
--- a/server/internal/auth/jwt.go
+++ b/server/internal/auth/jwt.go
@@ -38,7 +38,6 @@ type JWTManager interface {
 	GenerateAccessToken(userID int, role string) (string, error)
 	GenerateRefreshToken(userID int, role string) (string, error)
 	ValidateToken(tokenString string) (*Claims, error)
-	RefreshAccessToken(refreshToken string) (string, error)
 }

 // jwtService handles JWT token generation and validation
@@ -118,17 +117,3 @@ func (s *jwtService) ValidateToken(tokenString string) (*Claims, error) {

 	return nil, fmt.Errorf("invalid token claims")
 }
-
-// RefreshAccessToken creates a new access token using a refreshToken
-func (s *jwtService) RefreshAccessToken(refreshToken string) (string, error) {
-	claims, err := s.ValidateToken(refreshToken)
-	if err != nil {
-		return "", fmt.Errorf("invalid refresh token: %w", err)
-	}
-
-	if claims.Type != RefreshToken {
-		return "", fmt.Errorf("invalid token type: expected refresh token")
-	}
-
-	return s.GenerateAccessToken(claims.UserID, claims.Role)
-}
--- a/server/internal/auth/jwt_test.go
+++ b/server/internal/auth/jwt_test.go
@@ -5,8 +5,6 @@ import (
 	"time"

 	"novamd/internal/auth"
-
-	"github.com/golang-jwt/jwt/v5"
 )

 // jwt_test.go tests
@@ -136,86 +134,3 @@ func TestGenerateAndValidateToken(t *testing.T) {
 		})
 	}
 }
-
-func TestRefreshAccessToken(t *testing.T) {
-	config := auth.JWTConfig{
-		SigningKey:         "test-key",
-		AccessTokenExpiry:  15 * time.Minute,
-		RefreshTokenExpiry: 24 * time.Hour,
-	}
-	service, _ := auth.NewJWTService(config)
-
-	testCases := []struct {
-		name      string
-		userID    int
-		role      string
-		wantErr   bool
-		setupFunc func() string // Added setup function to handle custom token creation
-	}{
-		{
-			name:    "valid refresh token",
-			userID:  1,
-			role:    "admin",
-			wantErr: false,
-			setupFunc: func() string {
-				token, _ := service.GenerateRefreshToken(1, "admin")
-				return token
-			},
-		},
-		{
-			name:    "expired refresh token",
-			userID:  1,
-			role:    "admin",
-			wantErr: true,
-			setupFunc: func() string {
-				// Create a token that's already expired
-				claims := &auth.Claims{
-					RegisteredClaims: jwt.RegisteredClaims{
-						ExpiresAt: jwt.NewNumericDate(time.Now().Add(-time.Hour)), // Expired 1 hour ago
-						IssuedAt:  jwt.NewNumericDate(time.Now().Add(-2 * time.Hour)),
-						NotBefore: jwt.NewNumericDate(time.Now().Add(-2 * time.Hour)),
-					},
-					UserID: 1,
-					Role:   "admin",
-					Type:   auth.RefreshToken,
-				}
-				token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-				tokenString, _ := token.SignedString([]byte(config.SigningKey))
-				return tokenString
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			refreshToken := tc.setupFunc()
-			newAccessToken, err := service.RefreshAccessToken(refreshToken)
-
-			if tc.wantErr {
-				if err == nil {
-					t.Error("expected error, got nil")
-				}
-				return
-			}
-
-			if err != nil {
-				t.Fatalf("unexpected error: %v", err)
-			}
-
-			claims, err := service.ValidateToken(newAccessToken)
-			if err != nil {
-				t.Fatalf("failed to validate new access token: %v", err)
-			}
-
-			if claims.UserID != tc.userID {
-				t.Errorf("userID = %v, want %v", claims.UserID, tc.userID)
-			}
-			if claims.Role != tc.role {
-				t.Errorf("role = %v, want %v", claims.Role, tc.role)
-			}
-			if claims.Type != auth.AccessToken {
-				t.Errorf("token type = %v, want %v", claims.Type, auth.AccessToken)
-			}
-		})
-	}
-}
--- a/server/internal/auth/middleware.go
+++ b/server/internal/auth/middleware.go
@@ -1,8 +1,8 @@
 package auth

 import (
+	"crypto/subtle"
 	"net/http"
-	"strings"

 	"novamd/internal/context"
 )
@@ -23,21 +23,14 @@ func NewMiddleware(jwtManager JWTManager) *Middleware {
 func (m *Middleware) Authenticate(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Extract token from Authorization header
-		authHeader := r.Header.Get("Authorization")
-		if authHeader == "" {
-			http.Error(w, "Authorization header required", http.StatusUnauthorized)
-			return
-		}
-
-		// Check Bearer token format
-		parts := strings.Split(authHeader, " ")
-		if len(parts) != 2 || parts[0] != "Bearer" {
-			http.Error(w, "Invalid authorization format", http.StatusUnauthorized)
+		cookie, err := r.Cookie("access_token")
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}

 		// Validate token
-		claims, err := m.jwtManager.ValidateToken(parts[1])
+		claims, err := m.jwtManager.ValidateToken(cookie.Value)
 		if err != nil {
 			http.Error(w, "Invalid token", http.StatusUnauthorized)
 			return
@@ -49,6 +42,26 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
 			return
 		}

+		// Add CSRF check for non-GET requests
+		if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
+			csrfCookie, err := r.Cookie("csrf_token")
+			if err != nil {
+				http.Error(w, "CSRF cookie not found", http.StatusForbidden)
+				return
+			}
+
+			csrfHeader := r.Header.Get("X-CSRF-Token")
+			if csrfHeader == "" {
+				http.Error(w, "CSRF token header not found", http.StatusForbidden)
+				return
+			}
+
+			if subtle.ConstantTimeCompare([]byte(csrfCookie.Value), []byte(csrfHeader)) != 1 {
+				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
+				return
+			}
+		}
+
 		// Create handler context with user information
 		hctx := &context.HandlerContext{
 			UserID:   claims.UserID,
--- a/server/internal/auth/session.go
+++ b/server/internal/auth/session.go
@@ -83,8 +83,14 @@ func (s *SessionService) RefreshSession(refreshToken string) (string, error) {
 }

 // InvalidateSession removes a session with the given sessionID from the database
-func (s *SessionService) InvalidateSession(sessionID string) error {
-	return s.db.DeleteSession(sessionID)
+func (s *SessionService) InvalidateSession(token string) error {
+	// Parse the JWT to get the session info
+	claims, err := s.jwtManager.ValidateToken(token)
+	if err != nil {
+		return fmt.Errorf("invalid token: %w", err)
+	}
+
+	return s.db.DeleteSession(claims.ID)
 }

 // CleanExpiredSessions removes all expired sessions from the database
--- a/server/internal/handlers/admin_handlers.go
+++ b/server/internal/handlers/admin_handlers.go
@@ -51,7 +51,7 @@ type SystemStats struct {
 // @Summary List all users
 // @Description Returns the list of all users
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminListUsers
 // @Produce json
 // @Success 200 {array} models.User
@@ -73,7 +73,7 @@ func (h *Handler) AdminListUsers() http.HandlerFunc {
 // @Summary Create a new user
 // @Description Create a new user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminCreateUser
 // @Accept json
 // @Produce json
@@ -149,7 +149,7 @@ func (h *Handler) AdminCreateUser() http.HandlerFunc {
 // @Summary Get a specific user
 // @Description Get a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminGetUser
 // @Produce json
 // @Param userId path int true "User ID"
@@ -179,7 +179,7 @@ func (h *Handler) AdminGetUser() http.HandlerFunc {
 // @Summary Update a specific user
 // @Description Update a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminUpdateUser
 // @Accept json
 // @Produce json
@@ -245,7 +245,7 @@ func (h *Handler) AdminUpdateUser() http.HandlerFunc {
 // @Summary Delete a specific user
 // @Description Delete a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminDeleteUser
 // @Param userId path int true "User ID"
 // @Success 204 "No Content"
@@ -300,7 +300,7 @@ func (h *Handler) AdminDeleteUser() http.HandlerFunc {
 // @Summary List all workspaces
 // @Description List all workspaces and their stats as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminListWorkspaces
 // @Produce json
 // @Success 200 {array} WorkspaceStats
@@ -353,7 +353,7 @@ func (h *Handler) AdminListWorkspaces() http.HandlerFunc {
 // @Summary Get system statistics
 // @Description Get system-wide statistics as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminGetSystemStats
 // @Produce json
 // @Success 200 {object} SystemStats
--- a/server/internal/handlers/auth_handlers.go
+++ b/server/internal/handlers/auth_handlers.go
@@ -1,11 +1,14 @@
 package handlers

 import (
+	"crypto/rand"
+	"encoding/hex"
 	"encoding/json"
 	"net/http"
 	"novamd/internal/auth"
 	"novamd/internal/context"
 	"novamd/internal/models"
+	"time"

 	"golang.org/x/crypto/bcrypt"
 )
@@ -18,27 +21,15 @@ type LoginRequest struct {

 // LoginResponse represents a user login response
 type LoginResponse struct {
-	AccessToken  string          `json:"accessToken"`
-	RefreshToken string          `json:"refreshToken"`
-	User         *models.User    `json:"user"`
-	Session      *models.Session `json:"session"`
-}
-
-// RefreshRequest represents a refresh token request
-type RefreshRequest struct {
-	RefreshToken string `json:"refreshToken"`
-}
-
-// RefreshResponse represents a refresh token response
-type RefreshResponse struct {
-	AccessToken string `json:"accessToken"`
+	User      *models.User `json:"user"`
+	SessionID string       `json:"sessionId,omitempty"`
+	ExpiresAt time.Time    `json:"expiresAt,omitempty"`
 }

 // Login godoc
 // @Summary Login
-// @Description Logs in a user
+// @Description Logs in a user and returns a session with access and refresh tokens
 // @Tags auth
-// @ID login
 // @Accept json
 // @Produce json
 // @Param body body LoginRequest true "Login request"
@@ -48,7 +39,7 @@ type RefreshResponse struct {
 // @Failure 401 {object} ErrorResponse "Invalid credentials"
 // @Failure 500 {object} ErrorResponse "Failed to create session"
 // @Router /auth/login [post]
-func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) Login(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var req LoginRequest
 		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@@ -83,12 +74,27 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
 			return
 		}

-		// Prepare response
+		// Generate CSRF token
+		csrfToken := make([]byte, 32)
+		if _, err := rand.Read(csrfToken); err != nil {
+			respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
+			return
+		}
+		csrfTokenString := hex.EncodeToString(csrfToken)
+
+		// Set cookies
+		http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
+		http.SetCookie(w, cookieService.GenerateRefreshTokenCookie(session.RefreshToken))
+		http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
+
+		// Send CSRF token in header for initial setup
+		w.Header().Set("X-CSRF-Token", csrfTokenString)
+
+		// Only send user info in response, not tokens
 		response := LoginResponse{
-			AccessToken:  accessToken,
-			RefreshToken: session.RefreshToken,
-			User:         user,
-			Session:      session,
+			User:      user,
+			SessionID: session.ID,
+			ExpiresAt: session.ExpiresAt,
 		}

 		respondJSON(w, response)
@@ -100,25 +106,30 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
 // @Description Log out invalidates the user's session
 // @Tags auth
 // @ID logout
-// @Security BearerAuth
 // @Success 204 "No Content"
 // @Failure 400 {object} ErrorResponse "Session ID required"
 // @Failure 500 {object} ErrorResponse "Failed to logout"
 // @Router /auth/logout [post]
-func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) Logout(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		sessionID := r.Header.Get("X-Session-ID")
-		if sessionID == "" {
-			respondError(w, "Session ID required", http.StatusBadRequest)
+		// Get session ID from cookie
+		sessionCookie, err := r.Cookie("access_token")
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}

-		err := authService.InvalidateSession(sessionID)
-		if err != nil {
-			respondError(w, "Failed to logout", http.StatusInternalServerError)
+		// Invalidate the session in the database
+		if err := authService.InvalidateSession(sessionCookie.Value); err != nil {
+			respondError(w, "Failed to invalidate session", http.StatusInternalServerError)
 			return
 		}

+		// Clear cookies
+		http.SetCookie(w, cookieService.InvalidateCookie("access_token"))
+		http.SetCookie(w, cookieService.InvalidateCookie("refresh_token"))
+		http.SetCookie(w, cookieService.InvalidateCookie("csrf_token"))
+
 		w.WriteHeader(http.StatusNoContent)
 	}
 }
@@ -131,36 +142,39 @@ func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
 // @Accept json
 // @Produce json
 // @Param body body RefreshRequest true "Refresh request"
-// @Success 200 {object} RefreshResponse
+// @Success 200 "Tokens refreshed successfully via cookies"
 // @Failure 400 {object} ErrorResponse "Invalid request body"
 // @Failure 400 {object} ErrorResponse "Refresh token required"
 // @Failure 401 {object} ErrorResponse "Invalid refresh token"
 // @Router /auth/refresh [post]
-func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) RefreshToken(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var req RefreshRequest
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-			respondError(w, "Invalid request body", http.StatusBadRequest)
-			return
-		}
-
-		if req.RefreshToken == "" {
+		refreshCookie, err := r.Cookie("refresh_token")
+		if err != nil {
 			respondError(w, "Refresh token required", http.StatusBadRequest)
 			return
 		}

 		// Generate new access token
-		accessToken, err := authService.RefreshSession(req.RefreshToken)
+		accessToken, err := authService.RefreshSession(refreshCookie.Value)
 		if err != nil {
 			respondError(w, "Invalid refresh token", http.StatusUnauthorized)
 			return
 		}

-		response := RefreshResponse{
-			AccessToken: accessToken,
+		// Generate new CSRF token
+		csrfToken := make([]byte, 32)
+		if _, err := rand.Read(csrfToken); err != nil {
+			respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
+			return
 		}
+		csrfTokenString := hex.EncodeToString(csrfToken)

-		respondJSON(w, response)
+		http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
+		http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
+
+		w.Header().Set("X-CSRF-Token", csrfTokenString)
+		w.WriteHeader(http.StatusOK)
 	}
 }

@@ -169,7 +183,7 @@ func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFun
 // @Description Returns the current authenticated user
 // @Tags auth
 // @ID getCurrentUser
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {object} models.User
 // @Failure 404 {object} ErrorResponse "User not found"
--- a/server/internal/handlers/file_handlers.go
+++ b/server/internal/handlers/file_handlers.go
@@ -40,7 +40,7 @@ type UpdateLastOpenedFileRequest struct {
 // @Description Lists all files in the user's workspace
 // @Tags files
 // @ID listFiles
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {array} storage.FileNode
@@ -68,7 +68,7 @@ func (h *Handler) ListFiles() http.HandlerFunc {
 // @Description Returns the paths of files with the given name in the user's workspace
 // @Tags files
 // @ID lookupFileByName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Param filename query string true "File name"
@@ -104,7 +104,7 @@ func (h *Handler) LookupFileByName() http.HandlerFunc {
 // @Description Returns the content of a file in the user's workspace
 // @Tags files
 // @ID getFileContent
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce plain
 // @Param workspace_name path string true "Workspace name"
 // @Param file_path path string true "File path"
@@ -153,7 +153,7 @@ func (h *Handler) GetFileContent() http.HandlerFunc {
 // @Description Saves the content of a file in the user's workspace
 // @Tags files
 // @ID saveFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept plain
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
@@ -204,7 +204,7 @@ func (h *Handler) SaveFile() http.HandlerFunc {
 // @Description Deletes a file in the user's workspace
 // @Tags files
 // @ID deleteFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Param workspace_name path string true "Workspace name"
 // @Param file_path path string true "File path"
 // @Success 204 "No Content - File deleted successfully"
@@ -246,7 +246,7 @@ func (h *Handler) DeleteFile() http.HandlerFunc {
 // @Description Returns the path of the last opened file in the user's workspace
 // @Tags files
 // @ID getLastOpenedFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} LastOpenedFileResponse
@@ -280,7 +280,7 @@ func (h *Handler) GetLastOpenedFile() http.HandlerFunc {
 // @Description Updates the last opened file in the user's workspace
 // @Tags files
 // @ID updateLastOpenedFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
--- a/server/internal/handlers/git_handlers.go
+++ b/server/internal/handlers/git_handlers.go
@@ -27,7 +27,7 @@ type PullResponse struct {
 // @Description Stages, commits, and pushes changes to the remote repository
 // @Tags git
 // @ID stageCommitAndPush
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Param body body CommitRequest true "Commit request"
@@ -70,7 +70,7 @@ func (h *Handler) StageCommitAndPush() http.HandlerFunc {
 // @Description Pulls changes from the remote repository
 // @Tags git
 // @ID pullChanges
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} PullResponse
--- a/server/internal/handlers/user_handlers.go
+++ b/server/internal/handlers/user_handlers.go
@@ -27,7 +27,7 @@ type DeleteAccountRequest struct {
 // @Description Updates the user's profile
 // @Tags users
 // @ID updateProfile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body UpdateProfileRequest true "Profile update request"
@@ -137,7 +137,7 @@ func (h *Handler) UpdateProfile() http.HandlerFunc {
 // @Description Deletes the user's account and all associated data
 // @Tags users
 // @ID deleteAccount
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body DeleteAccountRequest true "Account deletion request"
--- a/server/internal/handlers/workspace_handlers.go
+++ b/server/internal/handlers/workspace_handlers.go
@@ -24,7 +24,7 @@ type LastWorkspaceNameResponse struct {
 // @Description Lists all workspaces for the current user
 // @Tags workspaces
 // @ID listWorkspaces
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {array} models.Workspace
 // @Failure 500 {object} ErrorResponse "Failed to list workspaces"
@@ -51,7 +51,7 @@ func (h *Handler) ListWorkspaces() http.HandlerFunc {
 // @Description Creates a new workspace
 // @Tags workspaces
 // @ID createWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body models.Workspace true "Workspace"
@@ -115,7 +115,7 @@ func (h *Handler) CreateWorkspace() http.HandlerFunc {
 // @Description Returns the current workspace
 // @Tags workspaces
 // @ID getWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} models.Workspace
@@ -155,7 +155,7 @@ func gitSettingsChanged(new, old *models.Workspace) bool {
 // @Description Updates the current workspace
 // @Tags workspaces
 // @ID updateWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
@@ -223,7 +223,7 @@ func (h *Handler) UpdateWorkspace() http.HandlerFunc {
 // @Description Deletes the current workspace
 // @Tags workspaces
 // @ID deleteWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} DeleteWorkspaceResponse
@@ -307,7 +307,7 @@ func (h *Handler) DeleteWorkspace() http.HandlerFunc {
 // @Description Returns the name of the last opened workspace
 // @Tags workspaces
 // @ID getLastWorkspaceName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {object} LastWorkspaceNameResponse
 // @Failure 500 {object} ErrorResponse "Failed to get last workspace"
@@ -334,7 +334,7 @@ func (h *Handler) GetLastWorkspaceName() http.HandlerFunc {
 // @Description Updates the name of the last opened workspace
 // @Tags workspaces
 // @ID updateLastWorkspaceName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Success 204 "No Content - Last workspace updated successfully"