From 7258ca81812a24edd382438ce6e9ebc538549427 Mon Sep 17 00:00:00 2001 From: nsfisis Date: Fri, 13 Feb 2026 23:46:16 +0900 Subject: feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 --- backend/api/auth_middleware.go | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 backend/api/auth_middleware.go (limited to 'backend/api/auth_middleware.go') diff --git a/backend/api/auth_middleware.go b/backend/api/auth_middleware.go new file mode 100644 index 0000000..97f8946 --- /dev/null +++ b/backend/api/auth_middleware.go @@ -0,0 +1,32 @@ +package api + +import ( + "context" + + "github.com/labstack/echo/v4" + + "albatross-2026-backend/auth" +) + +type contextKey struct{} + +func JWTCookieMiddleware(next echo.HandlerFunc) echo.HandlerFunc { + return func(c echo.Context) error { + cookie, err := c.Cookie("albatross_token") + if err != nil { + return next(c) + } + claims, err := auth.ParseJWT(cookie.Value) + if err != nil { + return next(c) + } + ctx := context.WithValue(c.Request().Context(), contextKey{}, claims) + c.SetRequest(c.Request().WithContext(ctx)) + return next(c) + } +} + +func GetJWTClaimsFromContext(ctx context.Context) (*auth.JWTClaims, bool) { + claims, ok := ctx.Value(contextKey{}).(*auth.JWTClaims) + return claims, ok +} -- cgit v1.3.1