diff options
| author | nsfisis <nsfisis@gmail.com> | 2026-02-13 23:46:16 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2026-02-13 23:46:16 +0900 |
| commit | 7258ca81812a24edd382438ce6e9ebc538549427 (patch) | |
| tree | 9bbc034be62777a2412d871211188268d7c56da4 /frontend/app/api/schema.d.ts | |
| parent | 7757f26295cbf19c4d6fa068e2cb6bdc2589d01a (diff) | |
| download | phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.tar.gz phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.tar.zst phperkaigi-2026-albatross-7258ca81812a24edd382438ce6e9ebc538549427.zip | |
feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie
Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.
- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'frontend/app/api/schema.d.ts')
| -rw-r--r-- | frontend/app/api/schema.d.ts | 112 |
1 files changed, 85 insertions, 27 deletions
diff --git a/frontend/app/api/schema.d.ts b/frontend/app/api/schema.d.ts index 04bfc10..6f9e270 100644 --- a/frontend/app/api/schema.d.ts +++ b/frontend/app/api/schema.d.ts @@ -21,6 +21,40 @@ export interface paths { patch?: never; trace?: never; }; + "/logout": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + get?: never; + put?: never; + /** User logout */ + post: operations["postLogout"]; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; + "/me": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + /** Get current user */ + get: operations["getMe"]; + put?: never; + post?: never; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; "/games": { parameters: { query?: never; @@ -291,7 +325,6 @@ export interface components { }; }; parameters: { - header_authorization: string; path_game_id: number; }; requestBodies: never; @@ -325,20 +358,59 @@ export interface operations { }; content: { "application/json": { - /** @example xxxxx.xxxxx.xxxxx */ - token: string; + user: components["schemas"]["User"]; }; }; }; 401: components["responses"]["Unauthorized"]; }; }; - getGames: { + postLogout: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Successfully logged out */ + 200: { + headers: { + [name: string]: unknown; + }; + content?: never; }; + 401: components["responses"]["Unauthorized"]; + }; + }; + getMe: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Current user info */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": { + user: components["schemas"]["User"]; + }; + }; + }; + 401: components["responses"]["Unauthorized"]; + }; + }; + getGames: { + parameters: { + query?: never; + header?: never; path?: never; cookie?: never; }; @@ -362,9 +434,7 @@ export interface operations { getGame: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -391,9 +461,7 @@ export interface operations { getGamePlayLatestState: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -420,9 +488,7 @@ export interface operations { postGamePlayCode: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -452,9 +518,7 @@ export interface operations { postGamePlaySubmit: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -484,9 +548,7 @@ export interface operations { getGameWatchRanking: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -513,9 +575,7 @@ export interface operations { getGameWatchLatestStates: { parameters: { query?: never; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path: { game_id: components["parameters"]["path_game_id"]; }; @@ -550,9 +610,7 @@ export interface operations { game4: number; game5: number; }; - header: { - Authorization: components["parameters"]["header_authorization"]; - }; + header?: never; path?: never; cookie?: never; }; |