From de9e9102db8000fa6d8619ab2e82db30d9c404f1 Mon Sep 17 00:00:00 2001 From: LordMathis Date: Thu, 5 Dec 2024 21:56:35 +0100 Subject: [PATCH] Migrate backend auth to cookies --- server/cmd/server/main.go | 3 + server/internal/app/config.go | 11 +- server/internal/app/config_test.go | 7 +- server/internal/app/init.go | 11 +- server/internal/app/options.go | 4 +- server/internal/app/routes.go | 9 +- server/internal/auth/cookies.go | 91 ++++++++++++++++ server/internal/auth/jwt.go | 15 --- server/internal/auth/jwt_test.go | 85 --------------- server/internal/auth/middleware.go | 37 ++++--- server/internal/auth/session.go | 10 +- server/internal/handlers/admin_handlers.go | 14 +-- server/internal/handlers/auth_handlers.go | 102 ++++++++++-------- server/internal/handlers/file_handlers.go | 14 +-- server/internal/handlers/git_handlers.go | 4 +- server/internal/handlers/user_handlers.go | 4 +- .../internal/handlers/workspace_handlers.go | 14 +-- 17 files changed, 237 insertions(+), 198 deletions(-) create mode 100644 server/internal/auth/cookies.go diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index ae26731..e7fc445 100644 --- a/server/cmd/server/main.go +++ b/server/cmd/server/main.go @@ -13,6 +13,9 @@ import ( // @license.name Apache 2.0 // @license.url http://www.apache.org/licenses/LICENSE-2.0.html // @BasePath /api/v1 +// @SecurityDefinitions.ApiKey CookieAuth +// @In cookie +// @Name access_token func main() { // Load configuration cfg, err := app.LoadConfig() diff --git a/server/internal/app/config.go b/server/internal/app/config.go index fc34487..b9ff02a 100644 --- a/server/internal/app/config.go +++ b/server/internal/app/config.go @@ -15,7 +15,8 @@ type Config struct { WorkDir string StaticPath string Port string - AppURL string + RootURL string + Domain string CORSOrigins []string AdminEmail string AdminPassword string @@ -77,8 +78,12 @@ func LoadConfig() (*Config, error) { config.Port = port } - if appURL := os.Getenv("NOVAMD_APP_URL"); appURL != "" { - config.AppURL = appURL + if rootURL := os.Getenv("NOVAMD_ROOT_URL"); rootURL != "" { + config.RootURL = rootURL + } + + if domain := os.Getenv("NOVAMD_DOMAIN"); domain != "" { + config.Domain = domain } if corsOrigins := os.Getenv("NOVAMD_CORS_ORIGINS"); corsOrigins != "" { diff --git a/server/internal/app/config_test.go b/server/internal/app/config_test.go index 383f73f..71ae11f 100644 --- a/server/internal/app/config_test.go +++ b/server/internal/app/config_test.go @@ -49,7 +49,8 @@ func TestLoad(t *testing.T) { "NOVAMD_WORKDIR", "NOVAMD_STATIC_PATH", "NOVAMD_PORT", - "NOVAMD_APP_URL", + "NOVAMD_ROOT_URL", + "NOVAMD_DOMAIN", "NOVAMD_CORS_ORIGINS", "NOVAMD_ADMIN_EMAIL", "NOVAMD_ADMIN_PASSWORD", @@ -95,7 +96,7 @@ func TestLoad(t *testing.T) { "NOVAMD_WORKDIR": "/custom/work/dir", "NOVAMD_STATIC_PATH": "/custom/static/path", "NOVAMD_PORT": "3000", - "NOVAMD_APP_URL": "http://localhost:3000", + "NOVAMD_ROOT_URL": "http://localhost:3000", "NOVAMD_CORS_ORIGINS": "http://localhost:3000,http://localhost:3001", "NOVAMD_ADMIN_EMAIL": "admin@example.com", "NOVAMD_ADMIN_PASSWORD": "password123", @@ -124,7 +125,7 @@ func TestLoad(t *testing.T) { {"WorkDir", cfg.WorkDir, "/custom/work/dir"}, {"StaticPath", cfg.StaticPath, "/custom/static/path"}, {"Port", cfg.Port, "3000"}, - {"AppURL", cfg.AppURL, "http://localhost:3000"}, + {"AppURL", cfg.RootURL, "http://localhost:3000"}, {"AdminEmail", cfg.AdminEmail, "admin@example.com"}, {"AdminPassword", cfg.AdminPassword, "password123"}, {"JWTSigningKey", cfg.JWTSigningKey, "secret-key"}, diff --git a/server/internal/app/init.go b/server/internal/app/init.go index eec83b4..923dae8 100644 --- a/server/internal/app/init.go +++ b/server/internal/app/init.go @@ -40,14 +40,14 @@ func initDatabase(cfg *Config, secretsService secrets.Service) (db.Database, err } // initAuth initializes JWT and session services -func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, error) { +func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, auth.CookieService, error) { // Get or generate JWT signing key signingKey := cfg.JWTSigningKey if signingKey == "" { var err error signingKey, err = database.EnsureJWTSecret() if err != nil { - return nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err) + return nil, nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err) } } @@ -58,13 +58,16 @@ func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.Session RefreshTokenExpiry: 7 * 24 * time.Hour, }) if err != nil { - return nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err) + return nil, nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err) } // Initialize session service sessionService := auth.NewSessionService(database, jwtManager) - return jwtManager, sessionService, nil + // Cookie service + cookieService := auth.NewCookieService(cfg.IsDevelopment, cfg.Domain) + + return jwtManager, sessionService, cookieService, nil } // setupAdminUser creates the admin user if it doesn't exist diff --git a/server/internal/app/options.go b/server/internal/app/options.go index 9e8b2fb..be5e3cc 100644 --- a/server/internal/app/options.go +++ b/server/internal/app/options.go @@ -13,6 +13,7 @@ type Options struct { Storage storage.Manager JWTManager auth.JWTManager SessionService *auth.SessionService + CookieService auth.CookieService } // DefaultOptions creates server options with default configuration @@ -33,7 +34,7 @@ func DefaultOptions(cfg *Config) (*Options, error) { storageManager := storage.NewService(cfg.WorkDir) // Initialize auth services - jwtManager, sessionService, err := initAuth(cfg, database) + jwtManager, sessionService, cookieService, err := initAuth(cfg, database) if err != nil { return nil, err } @@ -49,5 +50,6 @@ func DefaultOptions(cfg *Config) (*Options, error) { Storage: storageManager, JWTManager: jwtManager, SessionService: sessionService, + CookieService: cookieService, }, nil } diff --git a/server/internal/app/routes.go b/server/internal/app/routes.go index f3e9df7..ecd1a35 100644 --- a/server/internal/app/routes.go +++ b/server/internal/app/routes.go @@ -40,7 +40,8 @@ func setupRouter(o Options) *chi.Mux { r.Use(cors.Handler(cors.Options{ AllowedOrigins: o.Config.CORSOrigins, AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, - AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-Requested-With"}, + AllowedHeaders: []string{"Accept", "Content-Type", "X-CSRF-Token"}, + ExposedHeaders: []string{"X-CSRF-Token"}, AllowCredentials: true, MaxAge: 300, })) @@ -71,8 +72,8 @@ func setupRouter(o Options) *chi.Mux { // Public routes (no authentication required) r.Group(func(r chi.Router) { - r.Post("/auth/login", handler.Login(o.SessionService)) - r.Post("/auth/refresh", handler.RefreshToken(o.SessionService)) + r.Post("/auth/login", handler.Login(o.SessionService, o.CookieService)) + r.Post("/auth/refresh", handler.RefreshToken(o.SessionService, o.CookieService)) }) // Protected routes (authentication required) @@ -81,7 +82,7 @@ func setupRouter(o Options) *chi.Mux { r.Use(context.WithUserContextMiddleware) // Auth routes - r.Post("/auth/logout", handler.Logout(o.SessionService)) + r.Post("/auth/logout", handler.Logout(o.SessionService, o.CookieService)) r.Get("/auth/me", handler.GetCurrentUser()) // User profile routes diff --git a/server/internal/auth/cookies.go b/server/internal/auth/cookies.go new file mode 100644 index 0000000..7bed834 --- /dev/null +++ b/server/internal/auth/cookies.go @@ -0,0 +1,91 @@ +// Package auth provides JWT token generation and validation +package auth + +import ( + "net/http" +) + +// CookieService interface defines methods for generating cookies +type CookieService interface { + GenerateAccessTokenCookie(token string) *http.Cookie + GenerateRefreshTokenCookie(token string) *http.Cookie + GenerateCSRFCookie(token string) *http.Cookie + InvalidateCookie(cookieType string) *http.Cookie +} + +// CookieService +type cookieService struct { + Domain string + Secure bool + SameSite http.SameSite +} + +// NewCookieService creates a new cookie service +func NewCookieService(isDevelopment bool, domain string) CookieService { + secure := !isDevelopment + var sameSite http.SameSite + + if isDevelopment { + sameSite = http.SameSiteLaxMode + } else { + sameSite = http.SameSiteStrictMode + } + + return &cookieService{ + Domain: domain, + Secure: secure, + SameSite: sameSite, + } +} + +// GenerateAccessTokenCookie creates a new cookie for the access token +func (c *cookieService) GenerateAccessTokenCookie(token string) *http.Cookie { + return &http.Cookie{ + Name: "access_token", + Value: token, + HttpOnly: true, + Secure: c.Secure, + SameSite: c.SameSite, + Path: "/", + MaxAge: 900, // 15 minutes + } +} + +// GenerateRefreshTokenCookie creates a new cookie for the refresh token +func (c *cookieService) GenerateRefreshTokenCookie(token string) *http.Cookie { + return &http.Cookie{ + Name: "refresh_token", + Value: token, + HttpOnly: true, + Secure: c.Secure, + SameSite: c.SameSite, + Path: "/", + MaxAge: 604800, // 7 days + } +} + +// GenerateCSRFCookie creates a new cookie for the CSRF token +func (c *cookieService) GenerateCSRFCookie(token string) *http.Cookie { + return &http.Cookie{ + Name: "csrf_token", + Value: token, + HttpOnly: false, // Frontend needs to read this + Secure: c.Secure, + SameSite: c.SameSite, + Path: "/", + MaxAge: 900, + } +} + +// InvalidateCookie creates a new cookie with a MaxAge of -1 to invalidate the cookie +func (c *cookieService) InvalidateCookie(cookieType string) *http.Cookie { + return &http.Cookie{ + Name: cookieType, + Value: "", + Path: "/", + MaxAge: -1, + HttpOnly: true, + Secure: c.Secure, + SameSite: c.SameSite, + } +} diff --git a/server/internal/auth/jwt.go b/server/internal/auth/jwt.go index 59790f0..66b6c24 100644 --- a/server/internal/auth/jwt.go +++ b/server/internal/auth/jwt.go @@ -38,7 +38,6 @@ type JWTManager interface { GenerateAccessToken(userID int, role string) (string, error) GenerateRefreshToken(userID int, role string) (string, error) ValidateToken(tokenString string) (*Claims, error) - RefreshAccessToken(refreshToken string) (string, error) } // jwtService handles JWT token generation and validation @@ -118,17 +117,3 @@ func (s *jwtService) ValidateToken(tokenString string) (*Claims, error) { return nil, fmt.Errorf("invalid token claims") } - -// RefreshAccessToken creates a new access token using a refreshToken -func (s *jwtService) RefreshAccessToken(refreshToken string) (string, error) { - claims, err := s.ValidateToken(refreshToken) - if err != nil { - return "", fmt.Errorf("invalid refresh token: %w", err) - } - - if claims.Type != RefreshToken { - return "", fmt.Errorf("invalid token type: expected refresh token") - } - - return s.GenerateAccessToken(claims.UserID, claims.Role) -} diff --git a/server/internal/auth/jwt_test.go b/server/internal/auth/jwt_test.go index 61aa3ad..61ca928 100644 --- a/server/internal/auth/jwt_test.go +++ b/server/internal/auth/jwt_test.go @@ -5,8 +5,6 @@ import ( "time" "novamd/internal/auth" - - "github.com/golang-jwt/jwt/v5" ) // jwt_test.go tests @@ -136,86 +134,3 @@ func TestGenerateAndValidateToken(t *testing.T) { }) } } - -func TestRefreshAccessToken(t *testing.T) { - config := auth.JWTConfig{ - SigningKey: "test-key", - AccessTokenExpiry: 15 * time.Minute, - RefreshTokenExpiry: 24 * time.Hour, - } - service, _ := auth.NewJWTService(config) - - testCases := []struct { - name string - userID int - role string - wantErr bool - setupFunc func() string // Added setup function to handle custom token creation - }{ - { - name: "valid refresh token", - userID: 1, - role: "admin", - wantErr: false, - setupFunc: func() string { - token, _ := service.GenerateRefreshToken(1, "admin") - return token - }, - }, - { - name: "expired refresh token", - userID: 1, - role: "admin", - wantErr: true, - setupFunc: func() string { - // Create a token that's already expired - claims := &auth.Claims{ - RegisteredClaims: jwt.RegisteredClaims{ - ExpiresAt: jwt.NewNumericDate(time.Now().Add(-time.Hour)), // Expired 1 hour ago - IssuedAt: jwt.NewNumericDate(time.Now().Add(-2 * time.Hour)), - NotBefore: jwt.NewNumericDate(time.Now().Add(-2 * time.Hour)), - }, - UserID: 1, - Role: "admin", - Type: auth.RefreshToken, - } - token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) - tokenString, _ := token.SignedString([]byte(config.SigningKey)) - return tokenString - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - refreshToken := tc.setupFunc() - newAccessToken, err := service.RefreshAccessToken(refreshToken) - - if tc.wantErr { - if err == nil { - t.Error("expected error, got nil") - } - return - } - - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - - claims, err := service.ValidateToken(newAccessToken) - if err != nil { - t.Fatalf("failed to validate new access token: %v", err) - } - - if claims.UserID != tc.userID { - t.Errorf("userID = %v, want %v", claims.UserID, tc.userID) - } - if claims.Role != tc.role { - t.Errorf("role = %v, want %v", claims.Role, tc.role) - } - if claims.Type != auth.AccessToken { - t.Errorf("token type = %v, want %v", claims.Type, auth.AccessToken) - } - }) - } -} diff --git a/server/internal/auth/middleware.go b/server/internal/auth/middleware.go index 8018612..7754f7b 100644 --- a/server/internal/auth/middleware.go +++ b/server/internal/auth/middleware.go @@ -1,8 +1,8 @@ package auth import ( + "crypto/subtle" "net/http" - "strings" "novamd/internal/context" ) @@ -23,21 +23,14 @@ func NewMiddleware(jwtManager JWTManager) *Middleware { func (m *Middleware) Authenticate(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Extract token from Authorization header - authHeader := r.Header.Get("Authorization") - if authHeader == "" { - http.Error(w, "Authorization header required", http.StatusUnauthorized) - return - } - - // Check Bearer token format - parts := strings.Split(authHeader, " ") - if len(parts) != 2 || parts[0] != "Bearer" { - http.Error(w, "Invalid authorization format", http.StatusUnauthorized) + cookie, err := r.Cookie("access_token") + if err != nil { + http.Error(w, "Unauthorized", http.StatusUnauthorized) return } // Validate token - claims, err := m.jwtManager.ValidateToken(parts[1]) + claims, err := m.jwtManager.ValidateToken(cookie.Value) if err != nil { http.Error(w, "Invalid token", http.StatusUnauthorized) return @@ -49,6 +42,26 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler { return } + // Add CSRF check for non-GET requests + if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions { + csrfCookie, err := r.Cookie("csrf_token") + if err != nil { + http.Error(w, "CSRF cookie not found", http.StatusForbidden) + return + } + + csrfHeader := r.Header.Get("X-CSRF-Token") + if csrfHeader == "" { + http.Error(w, "CSRF token header not found", http.StatusForbidden) + return + } + + if subtle.ConstantTimeCompare([]byte(csrfCookie.Value), []byte(csrfHeader)) != 1 { + http.Error(w, "CSRF token mismatch", http.StatusForbidden) + return + } + } + // Create handler context with user information hctx := &context.HandlerContext{ UserID: claims.UserID, diff --git a/server/internal/auth/session.go b/server/internal/auth/session.go index 897fb3d..afaaf06 100644 --- a/server/internal/auth/session.go +++ b/server/internal/auth/session.go @@ -83,8 +83,14 @@ func (s *SessionService) RefreshSession(refreshToken string) (string, error) { } // InvalidateSession removes a session with the given sessionID from the database -func (s *SessionService) InvalidateSession(sessionID string) error { - return s.db.DeleteSession(sessionID) +func (s *SessionService) InvalidateSession(token string) error { + // Parse the JWT to get the session info + claims, err := s.jwtManager.ValidateToken(token) + if err != nil { + return fmt.Errorf("invalid token: %w", err) + } + + return s.db.DeleteSession(claims.ID) } // CleanExpiredSessions removes all expired sessions from the database diff --git a/server/internal/handlers/admin_handlers.go b/server/internal/handlers/admin_handlers.go index a776204..8c01590 100644 --- a/server/internal/handlers/admin_handlers.go +++ b/server/internal/handlers/admin_handlers.go @@ -51,7 +51,7 @@ type SystemStats struct { // @Summary List all users // @Description Returns the list of all users // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminListUsers // @Produce json // @Success 200 {array} models.User @@ -73,7 +73,7 @@ func (h *Handler) AdminListUsers() http.HandlerFunc { // @Summary Create a new user // @Description Create a new user as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminCreateUser // @Accept json // @Produce json @@ -149,7 +149,7 @@ func (h *Handler) AdminCreateUser() http.HandlerFunc { // @Summary Get a specific user // @Description Get a specific user as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminGetUser // @Produce json // @Param userId path int true "User ID" @@ -179,7 +179,7 @@ func (h *Handler) AdminGetUser() http.HandlerFunc { // @Summary Update a specific user // @Description Update a specific user as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminUpdateUser // @Accept json // @Produce json @@ -245,7 +245,7 @@ func (h *Handler) AdminUpdateUser() http.HandlerFunc { // @Summary Delete a specific user // @Description Delete a specific user as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminDeleteUser // @Param userId path int true "User ID" // @Success 204 "No Content" @@ -300,7 +300,7 @@ func (h *Handler) AdminDeleteUser() http.HandlerFunc { // @Summary List all workspaces // @Description List all workspaces and their stats as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminListWorkspaces // @Produce json // @Success 200 {array} WorkspaceStats @@ -353,7 +353,7 @@ func (h *Handler) AdminListWorkspaces() http.HandlerFunc { // @Summary Get system statistics // @Description Get system-wide statistics as an admin // @Tags Admin -// @Security BearerAuth +// @Security CookieAuth // @ID adminGetSystemStats // @Produce json // @Success 200 {object} SystemStats diff --git a/server/internal/handlers/auth_handlers.go b/server/internal/handlers/auth_handlers.go index 68b637f..e59a98d 100644 --- a/server/internal/handlers/auth_handlers.go +++ b/server/internal/handlers/auth_handlers.go @@ -1,11 +1,14 @@ package handlers import ( + "crypto/rand" + "encoding/hex" "encoding/json" "net/http" "novamd/internal/auth" "novamd/internal/context" "novamd/internal/models" + "time" "golang.org/x/crypto/bcrypt" ) @@ -18,27 +21,15 @@ type LoginRequest struct { // LoginResponse represents a user login response type LoginResponse struct { - AccessToken string `json:"accessToken"` - RefreshToken string `json:"refreshToken"` - User *models.User `json:"user"` - Session *models.Session `json:"session"` -} - -// RefreshRequest represents a refresh token request -type RefreshRequest struct { - RefreshToken string `json:"refreshToken"` -} - -// RefreshResponse represents a refresh token response -type RefreshResponse struct { - AccessToken string `json:"accessToken"` + User *models.User `json:"user"` + SessionID string `json:"sessionId,omitempty"` + ExpiresAt time.Time `json:"expiresAt,omitempty"` } // Login godoc // @Summary Login -// @Description Logs in a user +// @Description Logs in a user and returns a session with access and refresh tokens // @Tags auth -// @ID login // @Accept json // @Produce json // @Param body body LoginRequest true "Login request" @@ -48,7 +39,7 @@ type RefreshResponse struct { // @Failure 401 {object} ErrorResponse "Invalid credentials" // @Failure 500 {object} ErrorResponse "Failed to create session" // @Router /auth/login [post] -func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc { +func (h *Handler) Login(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { var req LoginRequest if err := json.NewDecoder(r.Body).Decode(&req); err != nil { @@ -83,12 +74,27 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc { return } - // Prepare response + // Generate CSRF token + csrfToken := make([]byte, 32) + if _, err := rand.Read(csrfToken); err != nil { + respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError) + return + } + csrfTokenString := hex.EncodeToString(csrfToken) + + // Set cookies + http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken)) + http.SetCookie(w, cookieService.GenerateRefreshTokenCookie(session.RefreshToken)) + http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString)) + + // Send CSRF token in header for initial setup + w.Header().Set("X-CSRF-Token", csrfTokenString) + + // Only send user info in response, not tokens response := LoginResponse{ - AccessToken: accessToken, - RefreshToken: session.RefreshToken, - User: user, - Session: session, + User: user, + SessionID: session.ID, + ExpiresAt: session.ExpiresAt, } respondJSON(w, response) @@ -100,25 +106,30 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc { // @Description Log out invalidates the user's session // @Tags auth // @ID logout -// @Security BearerAuth // @Success 204 "No Content" // @Failure 400 {object} ErrorResponse "Session ID required" // @Failure 500 {object} ErrorResponse "Failed to logout" // @Router /auth/logout [post] -func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc { +func (h *Handler) Logout(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - sessionID := r.Header.Get("X-Session-ID") - if sessionID == "" { - respondError(w, "Session ID required", http.StatusBadRequest) + // Get session ID from cookie + sessionCookie, err := r.Cookie("access_token") + if err != nil { + http.Error(w, "Unauthorized", http.StatusUnauthorized) return } - err := authService.InvalidateSession(sessionID) - if err != nil { - respondError(w, "Failed to logout", http.StatusInternalServerError) + // Invalidate the session in the database + if err := authService.InvalidateSession(sessionCookie.Value); err != nil { + respondError(w, "Failed to invalidate session", http.StatusInternalServerError) return } + // Clear cookies + http.SetCookie(w, cookieService.InvalidateCookie("access_token")) + http.SetCookie(w, cookieService.InvalidateCookie("refresh_token")) + http.SetCookie(w, cookieService.InvalidateCookie("csrf_token")) + w.WriteHeader(http.StatusNoContent) } } @@ -131,36 +142,39 @@ func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc { // @Accept json // @Produce json // @Param body body RefreshRequest true "Refresh request" -// @Success 200 {object} RefreshResponse +// @Success 200 "Tokens refreshed successfully via cookies" // @Failure 400 {object} ErrorResponse "Invalid request body" // @Failure 400 {object} ErrorResponse "Refresh token required" // @Failure 401 {object} ErrorResponse "Invalid refresh token" // @Router /auth/refresh [post] -func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFunc { +func (h *Handler) RefreshToken(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - var req RefreshRequest - if err := json.NewDecoder(r.Body).Decode(&req); err != nil { - respondError(w, "Invalid request body", http.StatusBadRequest) - return - } - - if req.RefreshToken == "" { + refreshCookie, err := r.Cookie("refresh_token") + if err != nil { respondError(w, "Refresh token required", http.StatusBadRequest) return } // Generate new access token - accessToken, err := authService.RefreshSession(req.RefreshToken) + accessToken, err := authService.RefreshSession(refreshCookie.Value) if err != nil { respondError(w, "Invalid refresh token", http.StatusUnauthorized) return } - response := RefreshResponse{ - AccessToken: accessToken, + // Generate new CSRF token + csrfToken := make([]byte, 32) + if _, err := rand.Read(csrfToken); err != nil { + respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError) + return } + csrfTokenString := hex.EncodeToString(csrfToken) - respondJSON(w, response) + http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken)) + http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString)) + + w.Header().Set("X-CSRF-Token", csrfTokenString) + w.WriteHeader(http.StatusOK) } } @@ -169,7 +183,7 @@ func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFun // @Description Returns the current authenticated user // @Tags auth // @ID getCurrentUser -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Success 200 {object} models.User // @Failure 404 {object} ErrorResponse "User not found" diff --git a/server/internal/handlers/file_handlers.go b/server/internal/handlers/file_handlers.go index 6104d98..a19597c 100644 --- a/server/internal/handlers/file_handlers.go +++ b/server/internal/handlers/file_handlers.go @@ -40,7 +40,7 @@ type UpdateLastOpenedFileRequest struct { // @Description Lists all files in the user's workspace // @Tags files // @ID listFiles -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Success 200 {array} storage.FileNode @@ -68,7 +68,7 @@ func (h *Handler) ListFiles() http.HandlerFunc { // @Description Returns the paths of files with the given name in the user's workspace // @Tags files // @ID lookupFileByName -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Param filename query string true "File name" @@ -104,7 +104,7 @@ func (h *Handler) LookupFileByName() http.HandlerFunc { // @Description Returns the content of a file in the user's workspace // @Tags files // @ID getFileContent -// @Security BearerAuth +// @Security CookieAuth // @Produce plain // @Param workspace_name path string true "Workspace name" // @Param file_path path string true "File path" @@ -153,7 +153,7 @@ func (h *Handler) GetFileContent() http.HandlerFunc { // @Description Saves the content of a file in the user's workspace // @Tags files // @ID saveFile -// @Security BearerAuth +// @Security CookieAuth // @Accept plain // @Produce json // @Param workspace_name path string true "Workspace name" @@ -204,7 +204,7 @@ func (h *Handler) SaveFile() http.HandlerFunc { // @Description Deletes a file in the user's workspace // @Tags files // @ID deleteFile -// @Security BearerAuth +// @Security CookieAuth // @Param workspace_name path string true "Workspace name" // @Param file_path path string true "File path" // @Success 204 "No Content - File deleted successfully" @@ -246,7 +246,7 @@ func (h *Handler) DeleteFile() http.HandlerFunc { // @Description Returns the path of the last opened file in the user's workspace // @Tags files // @ID getLastOpenedFile -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Success 200 {object} LastOpenedFileResponse @@ -280,7 +280,7 @@ func (h *Handler) GetLastOpenedFile() http.HandlerFunc { // @Description Updates the last opened file in the user's workspace // @Tags files // @ID updateLastOpenedFile -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Param workspace_name path string true "Workspace name" diff --git a/server/internal/handlers/git_handlers.go b/server/internal/handlers/git_handlers.go index 1ab45e0..3135b6e 100644 --- a/server/internal/handlers/git_handlers.go +++ b/server/internal/handlers/git_handlers.go @@ -27,7 +27,7 @@ type PullResponse struct { // @Description Stages, commits, and pushes changes to the remote repository // @Tags git // @ID stageCommitAndPush -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Param body body CommitRequest true "Commit request" @@ -70,7 +70,7 @@ func (h *Handler) StageCommitAndPush() http.HandlerFunc { // @Description Pulls changes from the remote repository // @Tags git // @ID pullChanges -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Success 200 {object} PullResponse diff --git a/server/internal/handlers/user_handlers.go b/server/internal/handlers/user_handlers.go index 58d4403..7249b63 100644 --- a/server/internal/handlers/user_handlers.go +++ b/server/internal/handlers/user_handlers.go @@ -27,7 +27,7 @@ type DeleteAccountRequest struct { // @Description Updates the user's profile // @Tags users // @ID updateProfile -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Param body body UpdateProfileRequest true "Profile update request" @@ -137,7 +137,7 @@ func (h *Handler) UpdateProfile() http.HandlerFunc { // @Description Deletes the user's account and all associated data // @Tags users // @ID deleteAccount -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Param body body DeleteAccountRequest true "Account deletion request" diff --git a/server/internal/handlers/workspace_handlers.go b/server/internal/handlers/workspace_handlers.go index 2b26d0d..e04e543 100644 --- a/server/internal/handlers/workspace_handlers.go +++ b/server/internal/handlers/workspace_handlers.go @@ -24,7 +24,7 @@ type LastWorkspaceNameResponse struct { // @Description Lists all workspaces for the current user // @Tags workspaces // @ID listWorkspaces -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Success 200 {array} models.Workspace // @Failure 500 {object} ErrorResponse "Failed to list workspaces" @@ -51,7 +51,7 @@ func (h *Handler) ListWorkspaces() http.HandlerFunc { // @Description Creates a new workspace // @Tags workspaces // @ID createWorkspace -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Param body body models.Workspace true "Workspace" @@ -115,7 +115,7 @@ func (h *Handler) CreateWorkspace() http.HandlerFunc { // @Description Returns the current workspace // @Tags workspaces // @ID getWorkspace -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Success 200 {object} models.Workspace @@ -155,7 +155,7 @@ func gitSettingsChanged(new, old *models.Workspace) bool { // @Description Updates the current workspace // @Tags workspaces // @ID updateWorkspace -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Param workspace_name path string true "Workspace name" @@ -223,7 +223,7 @@ func (h *Handler) UpdateWorkspace() http.HandlerFunc { // @Description Deletes the current workspace // @Tags workspaces // @ID deleteWorkspace -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Param workspace_name path string true "Workspace name" // @Success 200 {object} DeleteWorkspaceResponse @@ -307,7 +307,7 @@ func (h *Handler) DeleteWorkspace() http.HandlerFunc { // @Description Returns the name of the last opened workspace // @Tags workspaces // @ID getLastWorkspaceName -// @Security BearerAuth +// @Security CookieAuth // @Produce json // @Success 200 {object} LastWorkspaceNameResponse // @Failure 500 {object} ErrorResponse "Failed to get last workspace" @@ -334,7 +334,7 @@ func (h *Handler) GetLastWorkspaceName() http.HandlerFunc { // @Description Updates the name of the last opened workspace // @Tags workspaces // @ID updateLastWorkspaceName -// @Security BearerAuth +// @Security CookieAuth // @Accept json // @Produce json // @Success 204 "No Content - Last workspace updated successfully"