Migrate backend auth to cookies

2025-11-06 07:54:22 +00:00 · 2024-12-05 21:56:35 +01:00
parent b4528c1561
commit de9e9102db
17 changed files with 237 additions and 198 deletions
--- a/server/internal/handlers/admin_handlers.go
+++ b/server/internal/handlers/admin_handlers.go
@@ -51,7 +51,7 @@ type SystemStats struct {
 // @Summary List all users
 // @Description Returns the list of all users
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminListUsers
 // @Produce json
 // @Success 200 {array} models.User
@@ -73,7 +73,7 @@ func (h *Handler) AdminListUsers() http.HandlerFunc {
 // @Summary Create a new user
 // @Description Create a new user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminCreateUser
 // @Accept json
 // @Produce json
@@ -149,7 +149,7 @@ func (h *Handler) AdminCreateUser() http.HandlerFunc {
 // @Summary Get a specific user
 // @Description Get a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminGetUser
 // @Produce json
 // @Param userId path int true "User ID"
@@ -179,7 +179,7 @@ func (h *Handler) AdminGetUser() http.HandlerFunc {
 // @Summary Update a specific user
 // @Description Update a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminUpdateUser
 // @Accept json
 // @Produce json
@@ -245,7 +245,7 @@ func (h *Handler) AdminUpdateUser() http.HandlerFunc {
 // @Summary Delete a specific user
 // @Description Delete a specific user as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminDeleteUser
 // @Param userId path int true "User ID"
 // @Success 204 "No Content"
@@ -300,7 +300,7 @@ func (h *Handler) AdminDeleteUser() http.HandlerFunc {
 // @Summary List all workspaces
 // @Description List all workspaces and their stats as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminListWorkspaces
 // @Produce json
 // @Success 200 {array} WorkspaceStats
@@ -353,7 +353,7 @@ func (h *Handler) AdminListWorkspaces() http.HandlerFunc {
 // @Summary Get system statistics
 // @Description Get system-wide statistics as an admin
 // @Tags Admin
-// @Security BearerAuth
+// @Security CookieAuth
 // @ID adminGetSystemStats
 // @Produce json
 // @Success 200 {object} SystemStats
--- a/server/internal/handlers/auth_handlers.go
+++ b/server/internal/handlers/auth_handlers.go
@@ -1,11 +1,14 @@
 package handlers

 import (
+	"crypto/rand"
+	"encoding/hex"
 	"encoding/json"
 	"net/http"
 	"novamd/internal/auth"
 	"novamd/internal/context"
 	"novamd/internal/models"
+	"time"

 	"golang.org/x/crypto/bcrypt"
 )
@@ -18,27 +21,15 @@ type LoginRequest struct {

 // LoginResponse represents a user login response
 type LoginResponse struct {
-	AccessToken  string          `json:"accessToken"`
-	RefreshToken string          `json:"refreshToken"`
-	User         *models.User    `json:"user"`
-	Session      *models.Session `json:"session"`
-}
-
-// RefreshRequest represents a refresh token request
-type RefreshRequest struct {
-	RefreshToken string `json:"refreshToken"`
-}
-
-// RefreshResponse represents a refresh token response
-type RefreshResponse struct {
-	AccessToken string `json:"accessToken"`
+	User      *models.User `json:"user"`
+	SessionID string       `json:"sessionId,omitempty"`
+	ExpiresAt time.Time    `json:"expiresAt,omitempty"`
 }

 // Login godoc
 // @Summary Login
-// @Description Logs in a user
+// @Description Logs in a user and returns a session with access and refresh tokens
 // @Tags auth
-// @ID login
 // @Accept json
 // @Produce json
 // @Param body body LoginRequest true "Login request"
@@ -48,7 +39,7 @@ type RefreshResponse struct {
 // @Failure 401 {object} ErrorResponse "Invalid credentials"
 // @Failure 500 {object} ErrorResponse "Failed to create session"
 // @Router /auth/login [post]
-func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) Login(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var req LoginRequest
 		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@@ -83,12 +74,27 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
 			return
 		}

-		// Prepare response
+		// Generate CSRF token
+		csrfToken := make([]byte, 32)
+		if _, err := rand.Read(csrfToken); err != nil {
+			respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
+			return
+		}
+		csrfTokenString := hex.EncodeToString(csrfToken)
+
+		// Set cookies
+		http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
+		http.SetCookie(w, cookieService.GenerateRefreshTokenCookie(session.RefreshToken))
+		http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
+
+		// Send CSRF token in header for initial setup
+		w.Header().Set("X-CSRF-Token", csrfTokenString)
+
+		// Only send user info in response, not tokens
 		response := LoginResponse{
-			AccessToken:  accessToken,
-			RefreshToken: session.RefreshToken,
-			User:         user,
-			Session:      session,
+			User:      user,
+			SessionID: session.ID,
+			ExpiresAt: session.ExpiresAt,
 		}

 		respondJSON(w, response)
@@ -100,25 +106,30 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
 // @Description Log out invalidates the user's session
 // @Tags auth
 // @ID logout
-// @Security BearerAuth
 // @Success 204 "No Content"
 // @Failure 400 {object} ErrorResponse "Session ID required"
 // @Failure 500 {object} ErrorResponse "Failed to logout"
 // @Router /auth/logout [post]
-func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) Logout(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		sessionID := r.Header.Get("X-Session-ID")
-		if sessionID == "" {
-			respondError(w, "Session ID required", http.StatusBadRequest)
+		// Get session ID from cookie
+		sessionCookie, err := r.Cookie("access_token")
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}

-		err := authService.InvalidateSession(sessionID)
-		if err != nil {
-			respondError(w, "Failed to logout", http.StatusInternalServerError)
+		// Invalidate the session in the database
+		if err := authService.InvalidateSession(sessionCookie.Value); err != nil {
+			respondError(w, "Failed to invalidate session", http.StatusInternalServerError)
 			return
 		}

+		// Clear cookies
+		http.SetCookie(w, cookieService.InvalidateCookie("access_token"))
+		http.SetCookie(w, cookieService.InvalidateCookie("refresh_token"))
+		http.SetCookie(w, cookieService.InvalidateCookie("csrf_token"))
+
 		w.WriteHeader(http.StatusNoContent)
 	}
 }
@@ -131,36 +142,39 @@ func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
 // @Accept json
 // @Produce json
 // @Param body body RefreshRequest true "Refresh request"
-// @Success 200 {object} RefreshResponse
+// @Success 200 "Tokens refreshed successfully via cookies"
 // @Failure 400 {object} ErrorResponse "Invalid request body"
 // @Failure 400 {object} ErrorResponse "Refresh token required"
 // @Failure 401 {object} ErrorResponse "Invalid refresh token"
 // @Router /auth/refresh [post]
-func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFunc {
+func (h *Handler) RefreshToken(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var req RefreshRequest
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-			respondError(w, "Invalid request body", http.StatusBadRequest)
-			return
-		}
-
-		if req.RefreshToken == "" {
+		refreshCookie, err := r.Cookie("refresh_token")
+		if err != nil {
 			respondError(w, "Refresh token required", http.StatusBadRequest)
 			return
 		}

 		// Generate new access token
-		accessToken, err := authService.RefreshSession(req.RefreshToken)
+		accessToken, err := authService.RefreshSession(refreshCookie.Value)
 		if err != nil {
 			respondError(w, "Invalid refresh token", http.StatusUnauthorized)
 			return
 		}

-		response := RefreshResponse{
-			AccessToken: accessToken,
+		// Generate new CSRF token
+		csrfToken := make([]byte, 32)
+		if _, err := rand.Read(csrfToken); err != nil {
+			respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
+			return
 		}
+		csrfTokenString := hex.EncodeToString(csrfToken)

-		respondJSON(w, response)
+		http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
+		http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
+
+		w.Header().Set("X-CSRF-Token", csrfTokenString)
+		w.WriteHeader(http.StatusOK)
 	}
 }

@@ -169,7 +183,7 @@ func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFun
 // @Description Returns the current authenticated user
 // @Tags auth
 // @ID getCurrentUser
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {object} models.User
 // @Failure 404 {object} ErrorResponse "User not found"
--- a/server/internal/handlers/file_handlers.go
+++ b/server/internal/handlers/file_handlers.go
@@ -40,7 +40,7 @@ type UpdateLastOpenedFileRequest struct {
 // @Description Lists all files in the user's workspace
 // @Tags files
 // @ID listFiles
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {array} storage.FileNode
@@ -68,7 +68,7 @@ func (h *Handler) ListFiles() http.HandlerFunc {
 // @Description Returns the paths of files with the given name in the user's workspace
 // @Tags files
 // @ID lookupFileByName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Param filename query string true "File name"
@@ -104,7 +104,7 @@ func (h *Handler) LookupFileByName() http.HandlerFunc {
 // @Description Returns the content of a file in the user's workspace
 // @Tags files
 // @ID getFileContent
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce plain
 // @Param workspace_name path string true "Workspace name"
 // @Param file_path path string true "File path"
@@ -153,7 +153,7 @@ func (h *Handler) GetFileContent() http.HandlerFunc {
 // @Description Saves the content of a file in the user's workspace
 // @Tags files
 // @ID saveFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept plain
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
@@ -204,7 +204,7 @@ func (h *Handler) SaveFile() http.HandlerFunc {
 // @Description Deletes a file in the user's workspace
 // @Tags files
 // @ID deleteFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Param workspace_name path string true "Workspace name"
 // @Param file_path path string true "File path"
 // @Success 204 "No Content - File deleted successfully"
@@ -246,7 +246,7 @@ func (h *Handler) DeleteFile() http.HandlerFunc {
 // @Description Returns the path of the last opened file in the user's workspace
 // @Tags files
 // @ID getLastOpenedFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} LastOpenedFileResponse
@@ -280,7 +280,7 @@ func (h *Handler) GetLastOpenedFile() http.HandlerFunc {
 // @Description Updates the last opened file in the user's workspace
 // @Tags files
 // @ID updateLastOpenedFile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
--- a/server/internal/handlers/git_handlers.go
+++ b/server/internal/handlers/git_handlers.go
@@ -27,7 +27,7 @@ type PullResponse struct {
 // @Description Stages, commits, and pushes changes to the remote repository
 // @Tags git
 // @ID stageCommitAndPush
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Param body body CommitRequest true "Commit request"
@@ -70,7 +70,7 @@ func (h *Handler) StageCommitAndPush() http.HandlerFunc {
 // @Description Pulls changes from the remote repository
 // @Tags git
 // @ID pullChanges
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} PullResponse
--- a/server/internal/handlers/user_handlers.go
+++ b/server/internal/handlers/user_handlers.go
@@ -27,7 +27,7 @@ type DeleteAccountRequest struct {
 // @Description Updates the user's profile
 // @Tags users
 // @ID updateProfile
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body UpdateProfileRequest true "Profile update request"
@@ -137,7 +137,7 @@ func (h *Handler) UpdateProfile() http.HandlerFunc {
 // @Description Deletes the user's account and all associated data
 // @Tags users
 // @ID deleteAccount
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body DeleteAccountRequest true "Account deletion request"
--- a/server/internal/handlers/workspace_handlers.go
+++ b/server/internal/handlers/workspace_handlers.go
@@ -24,7 +24,7 @@ type LastWorkspaceNameResponse struct {
 // @Description Lists all workspaces for the current user
 // @Tags workspaces
 // @ID listWorkspaces
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {array} models.Workspace
 // @Failure 500 {object} ErrorResponse "Failed to list workspaces"
@@ -51,7 +51,7 @@ func (h *Handler) ListWorkspaces() http.HandlerFunc {
 // @Description Creates a new workspace
 // @Tags workspaces
 // @ID createWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param body body models.Workspace true "Workspace"
@@ -115,7 +115,7 @@ func (h *Handler) CreateWorkspace() http.HandlerFunc {
 // @Description Returns the current workspace
 // @Tags workspaces
 // @ID getWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} models.Workspace
@@ -155,7 +155,7 @@ func gitSettingsChanged(new, old *models.Workspace) bool {
 // @Description Updates the current workspace
 // @Tags workspaces
 // @ID updateWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
@@ -223,7 +223,7 @@ func (h *Handler) UpdateWorkspace() http.HandlerFunc {
 // @Description Deletes the current workspace
 // @Tags workspaces
 // @ID deleteWorkspace
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Param workspace_name path string true "Workspace name"
 // @Success 200 {object} DeleteWorkspaceResponse
@@ -307,7 +307,7 @@ func (h *Handler) DeleteWorkspace() http.HandlerFunc {
 // @Description Returns the name of the last opened workspace
 // @Tags workspaces
 // @ID getLastWorkspaceName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Produce json
 // @Success 200 {object} LastWorkspaceNameResponse
 // @Failure 500 {object} ErrorResponse "Failed to get last workspace"
@@ -334,7 +334,7 @@ func (h *Handler) GetLastWorkspaceName() http.HandlerFunc {
 // @Description Updates the name of the last opened workspace
 // @Tags workspaces
 // @ID updateLastWorkspaceName
-// @Security BearerAuth
+// @Security CookieAuth
 // @Accept json
 // @Produce json
 // @Success 204 "No Content - Last workspace updated successfully"