From 7258ca81812a24edd382438ce6e9ebc538549427 Mon Sep 17 00:00:00 2001 From: nsfisis Date: Fri, 13 Feb 2026 23:46:16 +0900 Subject: feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly. - Add JWTCookieMiddleware to parse cookie and inject claims into context - Add /me and /logout endpoints to OpenAPI spec and handlers - Update PostLogin to return user object + Set-Cookie header - Replace Authorization header auth with cookie-based auth throughout - Rewrite frontend auth to use /api/me instead of jwt-decode - Remove jwt-decode dependency - Configure CORS with credentials for local dev Co-Authored-By: Claude Opus 4.6 --- frontend/package.json | 1 - 1 file changed, 1 deletion(-) (limited to 'frontend/package.json') diff --git a/frontend/package.json b/frontend/package.json index c024f7a..b7b5f09 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -20,7 +20,6 @@ "@fortawesome/react-fontawesome": "^0.2.2", "hast-util-to-jsx-runtime": "^2.3.6", "jotai": "^2.12.1", - "jwt-decode": "^4.0.0", "openapi-fetch": "^0.13.4", "react": "^19.0.0", "react-dom": "^19.0.0", -- cgit v1.3.1
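Review bot: Dropping `"jwt-decode": "^4.0.0"` from the `dependencies` block of frontend/package.json leaves the lockfile and any remaining `import ... from "jwt-decode"` unaccounted for in this view; since the diff is filtered to frontend/package.json only, please confirm the package-lock/yarn/pnpm lock entry is removed in the same commit and that the frontend build has no lingering reference, otherwise `npm ci` will fail or the stale module will be pulled transitively. On the design described in the commit message, switching from an Authorization header to a cookie that the browser attaches automatically changes the CSRF exposure of every state-changing endpoint (including the new /logout): the Set-Cookie issued by PostLogin should carry `Secure` and an explicit `SameSite` value, and the "CORS with credentials for local dev" configuration should be pinned to an explicit origin rather than a wildcard, because `Access-Control-Allow-Credentials: true` is rejected by browsers with `*` and is dangerous if an origin is reflected. Those settings live in backend files outside this hunk, so a pointer in the commit message to where they are enforced would help reviewers.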