Migrate backend auth to cookies

2025-11-06 07:54:22 +00:00 · 2024-12-05 21:56:35 +01:00
parent b4528c1561
commit de9e9102db
17 changed files with 237 additions and 198 deletions
--- a/server/internal/app/config.go
+++ b/server/internal/app/config.go
@@ -15,7 +15,8 @@ type Config struct {
 	WorkDir           string
 	StaticPath        string
 	Port              string
-	AppURL            string
+	RootURL           string
+	Domain            string
 	CORSOrigins       []string
 	AdminEmail        string
 	AdminPassword     string
@@ -77,8 +78,12 @@ func LoadConfig() (*Config, error) {
 		config.Port = port
 	}

-	if appURL := os.Getenv("NOVAMD_APP_URL"); appURL != "" {
-		config.AppURL = appURL
+	if rootURL := os.Getenv("NOVAMD_ROOT_URL"); rootURL != "" {
+		config.RootURL = rootURL
+	}
+
+	if domain := os.Getenv("NOVAMD_DOMAIN"); domain != "" {
+		config.Domain = domain
 	}

 	if corsOrigins := os.Getenv("NOVAMD_CORS_ORIGINS"); corsOrigins != "" {
--- a/server/internal/app/config_test.go
+++ b/server/internal/app/config_test.go
@@ -49,7 +49,8 @@ func TestLoad(t *testing.T) {
 			"NOVAMD_WORKDIR",
 			"NOVAMD_STATIC_PATH",
 			"NOVAMD_PORT",
-			"NOVAMD_APP_URL",
+			"NOVAMD_ROOT_URL",
+			"NOVAMD_DOMAIN",
 			"NOVAMD_CORS_ORIGINS",
 			"NOVAMD_ADMIN_EMAIL",
 			"NOVAMD_ADMIN_PASSWORD",
@@ -95,7 +96,7 @@ func TestLoad(t *testing.T) {
 			"NOVAMD_WORKDIR":             "/custom/work/dir",
 			"NOVAMD_STATIC_PATH":         "/custom/static/path",
 			"NOVAMD_PORT":                "3000",
-			"NOVAMD_APP_URL":             "http://localhost:3000",
+			"NOVAMD_ROOT_URL":            "http://localhost:3000",
 			"NOVAMD_CORS_ORIGINS":        "http://localhost:3000,http://localhost:3001",
 			"NOVAMD_ADMIN_EMAIL":         "admin@example.com",
 			"NOVAMD_ADMIN_PASSWORD":      "password123",
@@ -124,7 +125,7 @@ func TestLoad(t *testing.T) {
 			{"WorkDir", cfg.WorkDir, "/custom/work/dir"},
 			{"StaticPath", cfg.StaticPath, "/custom/static/path"},
 			{"Port", cfg.Port, "3000"},
-			{"AppURL", cfg.AppURL, "http://localhost:3000"},
+			{"AppURL", cfg.RootURL, "http://localhost:3000"},
 			{"AdminEmail", cfg.AdminEmail, "admin@example.com"},
 			{"AdminPassword", cfg.AdminPassword, "password123"},
 			{"JWTSigningKey", cfg.JWTSigningKey, "secret-key"},
--- a/server/internal/app/init.go
+++ b/server/internal/app/init.go
@@ -40,14 +40,14 @@ func initDatabase(cfg *Config, secretsService secrets.Service) (db.Database, err
 }

 // initAuth initializes JWT and session services
-func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, error) {
+func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.SessionService, auth.CookieService, error) {
 	// Get or generate JWT signing key
 	signingKey := cfg.JWTSigningKey
 	if signingKey == "" {
 		var err error
 		signingKey, err = database.EnsureJWTSecret()
 		if err != nil {
-			return nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err)
+			return nil, nil, nil, fmt.Errorf("failed to ensure JWT secret: %w", err)
 		}
 	}

@@ -58,13 +58,16 @@ func initAuth(cfg *Config, database db.Database) (auth.JWTManager, *auth.Session
 		RefreshTokenExpiry: 7 * 24 * time.Hour,
 	})
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err)
+		return nil, nil, nil, fmt.Errorf("failed to initialize JWT service: %w", err)
 	}

 	// Initialize session service
 	sessionService := auth.NewSessionService(database, jwtManager)

-	return jwtManager, sessionService, nil
+	// Cookie service
+	cookieService := auth.NewCookieService(cfg.IsDevelopment, cfg.Domain)
+
+	return jwtManager, sessionService, cookieService, nil
 }

 // setupAdminUser creates the admin user if it doesn't exist
--- a/server/internal/app/options.go
+++ b/server/internal/app/options.go
@@ -13,6 +13,7 @@ type Options struct {
 	Storage        storage.Manager
 	JWTManager     auth.JWTManager
 	SessionService *auth.SessionService
+	CookieService  auth.CookieService
 }

 // DefaultOptions creates server options with default configuration
@@ -33,7 +34,7 @@ func DefaultOptions(cfg *Config) (*Options, error) {
 	storageManager := storage.NewService(cfg.WorkDir)

 	// Initialize auth services
-	jwtManager, sessionService, err := initAuth(cfg, database)
+	jwtManager, sessionService, cookieService, err := initAuth(cfg, database)
 	if err != nil {
 		return nil, err
 	}
@@ -49,5 +50,6 @@ func DefaultOptions(cfg *Config) (*Options, error) {
 		Storage:        storageManager,
 		JWTManager:     jwtManager,
 		SessionService: sessionService,
+		CookieService:  cookieService,
 	}, nil
 }
--- a/server/internal/app/routes.go
+++ b/server/internal/app/routes.go
@@ -40,7 +40,8 @@ func setupRouter(o Options) *chi.Mux {
 		r.Use(cors.Handler(cors.Options{
 			AllowedOrigins:   o.Config.CORSOrigins,
 			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-Requested-With"},
+			AllowedHeaders:   []string{"Accept", "Content-Type", "X-CSRF-Token"},
+			ExposedHeaders:   []string{"X-CSRF-Token"},
 			AllowCredentials: true,
 			MaxAge:           300,
 		}))
@@ -71,8 +72,8 @@ func setupRouter(o Options) *chi.Mux {

 		// Public routes (no authentication required)
 		r.Group(func(r chi.Router) {
-			r.Post("/auth/login", handler.Login(o.SessionService))
-			r.Post("/auth/refresh", handler.RefreshToken(o.SessionService))
+			r.Post("/auth/login", handler.Login(o.SessionService, o.CookieService))
+			r.Post("/auth/refresh", handler.RefreshToken(o.SessionService, o.CookieService))
 		})

 		// Protected routes (authentication required)
@@ -81,7 +82,7 @@ func setupRouter(o Options) *chi.Mux {
 			r.Use(context.WithUserContextMiddleware)

 			// Auth routes
-			r.Post("/auth/logout", handler.Logout(o.SessionService))
+			r.Post("/auth/logout", handler.Logout(o.SessionService, o.CookieService))
 			r.Get("/auth/me", handler.GetCurrentUser())

 			// User profile routes