authornsfisis <nsfisis@gmail.com>2026-02-13 23:46:16 +0900
committernsfisis <nsfisis@gmail.com>2026-02-13 23:46:16 +0900
commit7258ca81812a24edd382438ce6e9ebc538549427 (patch)
tree9bbc034be62777a2412d871211188268d7c56da4 /openapi
parent7757f26295cbf19c4d6fa068e2cb6bdc2589d01a (diff)
feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie
Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'openapi')
-rw-r--r--openapi/api-server.yaml51
1 files changed, 31 insertions, 20 deletions
diff --git a/openapi/api-server.yaml b/openapi/api-server.yaml
index 8709db2..15b75b6 100644
--- a/openapi/api-server.yaml
+++ b/openapi/api-server.yaml
@@ -1,7 +1,7 @@
openapi: 3.0.0
info:
title: Albatross internal web API
- version: 0.2.0
+ version: 0.3.0
paths:
/login:
post:
@@ -31,19 +31,43 @@ paths:
schema:
type: object
properties:
- token:
- type: string
- example: "xxxxx.xxxxx.xxxxx"
+ user:
+ $ref: '#/components/schemas/User'
required:
- - token
+ - user
+ '401':
+ $ref: '#/components/responses/Unauthorized'
+ /logout:
+ post:
+ operationId: postLogout
+ summary: User logout
+ responses:
+ '200':
+ description: Successfully logged out
+ '401':
+ $ref: '#/components/responses/Unauthorized'
+ /me:
+ get:
+ operationId: getMe
+ summary: Get current user
+ responses:
+ '200':
+ description: Current user info
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ user:
+ $ref: '#/components/schemas/User'
+ required:
+ - user
'401':
$ref: '#/components/responses/Unauthorized'
/games:
get:
operationId: getGames
summary: List games
- parameters:
- - $ref: '#/components/parameters/header_authorization'
responses:
'200':
description: List of games
@@ -67,7 +91,6 @@ paths:
operationId: getGame
summary: Get a game
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
responses:
'200':
@@ -92,7 +115,6 @@ paths:
operationId: getGamePlayLatestState
summary: Get the latest execution result for player
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
responses:
'200':
@@ -117,7 +139,6 @@ paths:
operationId: postGamePlayCode
summary: Post the latest code
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
requestBody:
required: true
@@ -145,7 +166,6 @@ paths:
operationId: postGamePlaySubmit
summary: Submit the answer
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
requestBody:
required: true
@@ -173,7 +193,6 @@ paths:
operationId: getGameWatchRanking
summary: Get the latest player ranking
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
responses:
'200':
@@ -200,7 +219,6 @@ paths:
operationId: getGameWatchLatestStates
summary: Get all the latest game states of the main players
parameters:
- - $ref: '#/components/parameters/header_authorization'
- $ref: '#/components/parameters/path_game_id'
responses:
'200':
@@ -227,7 +245,6 @@ paths:
operationId: getTournament
summary: Get tournament bracket data
parameters:
- - $ref: '#/components/parameters/header_authorization'
- in: query
name: game1
schema:
@@ -273,12 +290,6 @@ paths:
$ref: '#/components/responses/NotFound'
components:
parameters:
- header_authorization:
- in: header
- name: Authorization
- schema:
- type: string
- required: true
path_game_id:
in: path
name: game_id
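Review bot: After this change the spec documents no authentication at all: `header_authorization` is removed from every game and tournament operation and from `components.parameters` in the last hunk, but nothing replaces it — there is no `securitySchemes` entry for the cookie and no `security` requirement on `getMe`, `postLogout`, `getGames` or the operations that still declare a `401`, so generated clients and rendered docs will treat them as anonymous. OpenAPI 3.0 supports `type: apiKey` with `in: cookie`; add a `cookieAuth` scheme under `components` and reference it from each operation that returns `Unauthorized` (the fence below shows the pattern on `/me` and the `components` block). The `/login` `'200'` response should also declare the `Set-Cookie` response header in a `headers:` block so the cookie contract (name, and the `HttpOnly` attribute the commit message describes) is visible in the spec rather than only in the handler, and `/logout` should do the same for the clearing header; the `/login` response `description` line is outside the hunk. Because the credential is now sent ambiently by the browser, the state-changing POSTs (`postLogout`, `postGamePlayCode`, `postGamePlaySubmit`) rely on the cookie's `SameSite` attribute and the credentialed-CORS configuration mentioned in the description for CSRF protection, which cannot be verified from this spec and is worth stating in those operations' `description` fields.
```yaml
  /me:
    get:
      operationId: getMe
      summary: Get current user
      security:
        - cookieAuth: []
      # … unchanged: responses …
# … unchanged: remaining paths; add the same `security` block to every
# operation that references '#/components/responses/Unauthorized' …
components:
  securitySchemes:
    cookieAuth:
      type: apiKey
      in: cookie
      name: <JWT_COOKIE_NAME>  # placeholder: the cookie name set by the login handler
  parameters:
    path_game_id:
```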