feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie - phperkaigi-2026-albatross

diff options

author	nsfisis <nsfisis@gmail.com>	2026-02-13 23:46:16 +0900
committer	nsfisis <nsfisis@gmail.com>	2026-02-13 23:46:16 +0900
commit	7258ca81812a24edd382438ce6e9ebc538549427 (patch)
tree	9bbc034be62777a2412d871211188268d7c56da4 /backend/schema.sql
parent	7757f26295cbf19c4d6fa068e2cb6bdc2589d01a (diff)
download	phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.tar.gz phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.tar.zst phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.zip

feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie

Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Diffstat (limited to 'backend/schema.sql')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: