From 12975ce26e0ab5c66375077519abd0d61c7f1600 Mon Sep 17 00:00:00 2001 From: Hayden <64056131+hay-kot@users.noreply.github.com> Date: Fri, 17 Feb 2023 21:57:21 -0900 Subject: [PATCH] feat: change auth to use cookies (#301) * frontend cookie implementation * accept cookies for authentication * remove auth store * add self attr --- backend/app/api/middleware.go | 66 ++++++++++-- frontend/components/App/Header.vue | 6 +- frontend/composables/use-api.ts | 9 +- frontend/composables/use-auth-context.ts | 129 +++++++++++++++++++++++ frontend/layouts/default.vue | 7 +- frontend/middleware/auth.ts | 8 +- frontend/pages/index.vue | 15 +-- frontend/pages/profile.vue | 3 +- frontend/stores/auth.ts | 47 --------- 9 files changed, 204 insertions(+), 86 deletions(-) create mode 100644 frontend/composables/use-auth-context.ts delete mode 100644 frontend/stores/auth.ts diff --git a/backend/app/api/middleware.go b/backend/app/api/middleware.go index b41c9134..c6946180 100644 --- a/backend/app/api/middleware.go +++ b/backend/app/api/middleware.go @@ -4,6 +4,7 @@ import ( "context" "errors" "net/http" + "net/url" "strings" "github.com/hay-kot/homebox/backend/internal/core/services" @@ -68,6 +69,45 @@ func (a *app) mwRoles(rm RoleMode, required ...string) server.Middleware { } } +type KeyFunc func(r *http.Request) (string, error) + +func getBearer(r *http.Request) (string, error) { + auth := r.Header.Get("Authorization") + if auth == "" { + return "", errors.New("authorization header is required") + } + + return auth, nil +} + +func getQuery(r *http.Request) (string, error) { + token := r.URL.Query().Get("access_token") + if token == "" { + return "", errors.New("access_token query is required") + } + + token, err := url.QueryUnescape(token) + if err != nil { + return "", errors.New("access_token query is required") + } + + return token, nil +} + +func getCookie(r *http.Request) (string, error) { + cookie, err := r.Cookie("hb.auth.token") + if err != nil { + return "", errors.New("access_token cookie is required") + } + + token, err := url.QueryUnescape(cookie.Value) + if err != nil { + return "", errors.New("access_token cookie is required") + } + + return token, nil +} + // mwAuthToken is a middleware that will check the database for a stateful token // and attach it's user to the request context, or return an appropriate error. // Authorization support is by token via Headers or Query Parameter @@ -75,26 +115,36 @@ func (a *app) mwRoles(rm RoleMode, required ...string) server.Middleware { // Example: // - header = "Bearer 1234567890" // - query = "?access_token=1234567890" +// - cookie = hb.auth.token = 1234567890 func (a *app) mwAuthToken(next server.Handler) server.Handler { return server.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error { - requestToken := r.Header.Get("Authorization") - if requestToken == "" { - // check for query param - requestToken = r.URL.Query().Get("access_token") - if requestToken == "" { - return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized) + keyFuncs := [...]KeyFunc{ + getBearer, + getCookie, + getQuery, + } + + var requestToken string + for _, keyFunc := range keyFuncs { + token, err := keyFunc(r) + if err == nil { + requestToken = token + break } } + if requestToken == "" { + return validate.NewRequestError(errors.New("Authorization header or query is required"), http.StatusUnauthorized) + } + requestToken = strings.TrimPrefix(requestToken, "Bearer ") r = r.WithContext(context.WithValue(r.Context(), hashedToken, requestToken)) usr, err := a.services.User.GetSelf(r.Context(), requestToken) - // Check the database for the token if err != nil { - return validate.NewRequestError(errors.New("Authorization header is required"), http.StatusUnauthorized) + return validate.NewRequestError(errors.New("valid authorization header is required"), http.StatusUnauthorized) } r = r.WithContext(services.SetUserCtx(r.Context(), &usr, requestToken)) diff --git a/frontend/components/App/Header.vue b/frontend/components/App/Header.vue index 1561c873..a142f8df 100644 --- a/frontend/components/App/Header.vue +++ b/frontend/components/App/Header.vue @@ -1,11 +1,9 @@