From 7258ca81812a24edd382438ce6e9ebc538549427 Mon Sep 17 00:00:00 2001 From: nsfisis Date: Fri, 13 Feb 2026 23:46:16 +0900 Subject: feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 --- backend/gen/api/handler_wrapper_gen.go | 24 +++++------------------- 1 file changed, 5 insertions(+), 19 deletions(-) (limited to 'backend/gen/api/handler_wrapper_gen.go') diff --git a/backend/gen/api/handler_wrapper_gen.go b/backend/gen/api/handler_wrapper_gen.go index 1aeaba7..5a5ce2d 100644 --- a/backend/gen/api/handler_wrapper_gen.go +++ b/backend/gen/api/handler_wrapper_gen.go @@ -104,10 +104,8 @@ package api import ( "context" - "errors" - "strings" - "albatross-2026-backend/auth" + "albatross-2026-backend/config" "albatross-2026-backend/db" ) @@ -117,33 +115,21 @@ type HandlerWrapper struct { impl Handler } -func NewHandler(queries *db.Queries, hub GameHubInterface) *HandlerWrapper { +func NewHandler(queries *db.Queries, hub GameHubInterface, conf *config.Config) *HandlerWrapper { return &HandlerWrapper{ impl: Handler{ q: queries, hub: hub, + conf: conf, }, } } -func parseJWTClaimsFromAuthorizationHeader(authorization string) (*auth.JWTClaims, error) { - const prefix = "Bearer " - if !strings.HasPrefix(authorization, prefix) { - return nil, errors.New("invalid authorization header") - } - token := authorization[len(prefix):] - claims, err := auth.ParseJWT(token) - if err != nil { - return nil, err - } - return claims, nil -} - {{ range . }} func (h *HandlerWrapper) {{ .Name }}(ctx context.Context, request {{ .Name }}RequestObject) ({{ .Name }}ResponseObject, error) { {{ if .RequiresLogin -}} - user, err := parseJWTClaimsFromAuthorizationHeader(request.Params.Authorization) - if err != nil { + user, ok := GetJWTClaimsFromContext(ctx) + if !ok { return {{ .Name }}401JSONResponse{ UnauthorizedJSONResponse: UnauthorizedJSONResponse{ Message: "Unauthorized", -- cgit v1.3.1