From 7258ca81812a24edd382438ce6e9ebc538549427 Mon Sep 17 00:00:00 2001 From: nsfisis Date: Fri, 13 Feb 2026 23:46:16 +0900 Subject: feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 --- frontend/app/components/ProtectedRoute.tsx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'frontend/app/components/ProtectedRoute.tsx') diff --git a/frontend/app/components/ProtectedRoute.tsx b/frontend/app/components/ProtectedRoute.tsx index 3aeaebc..b943696 100644 --- a/frontend/app/components/ProtectedRoute.tsx +++ b/frontend/app/components/ProtectedRoute.tsx @@ -6,7 +6,11 @@ export default function ProtectedRoute({ }: { children: React.ReactNode; }) { - const { isLoggedIn } = useAuth(); + const { isLoggedIn, isLoading } = useAuth(); + + if (isLoading) { + return null; + } if (!isLoggedIn) { return ; -- cgit v1.3.1