From 96fad1a4e78c7209e5a0f3496e8b59d591fbe500 Mon Sep 17 00:00:00 2001 From: nsfisis Date: Sun, 15 Feb 2026 11:12:50 +0900 Subject: refactor(auth): replace JWT authentication with server-side sessions Migrate from stateless JWT tokens to server-side session management backed by PostgreSQL. Sessions are hashed with SHA-256 before storage, cleaned up periodically, and invalidated on logout. This removes the need for JWT_SECRET/COOKIE_SECRET environment variables and the golang-jwt dependency. Co-Authored-By: Claude Opus 4.6 --- backend/admin/handler.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'backend/admin/handler.go') diff --git a/backend/admin/handler.go b/backend/admin/handler.go index 28e7970..a18e32a 100644 --- a/backend/admin/handler.go +++ b/backend/admin/handler.go @@ -13,7 +13,7 @@ import ( "github.com/labstack/echo/v4" "albatross-2026-backend/account" - "albatross-2026-backend/auth" + "albatross-2026-backend/api" "albatross-2026-backend/config" "albatross-2026-backend/db" ) @@ -32,15 +32,11 @@ func NewHandler(q *db.Queries, conf *config.Config) *Handler { func (h *Handler) newAdminMiddleware() echo.MiddlewareFunc { return func(next echo.HandlerFunc) echo.HandlerFunc { return func(c echo.Context) error { - jwt, err := c.Cookie("albatross_token") - if err != nil { - return c.Redirect(http.StatusSeeOther, h.conf.BasePath+"login") - } - claims, err := auth.ParseJWT(jwt.Value) - if err != nil { + user, ok := api.GetUserFromContext(c.Request().Context()) + if !ok { return c.Redirect(http.StatusSeeOther, h.conf.BasePath+"login") } - if !claims.IsAdmin { + if !user.IsAdmin { return echo.NewHTTPError(http.StatusForbidden) } return next(c) -- cgit v1.3.1