Nautilus/ledgerdock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix auth session persistence with HttpOnly cookies and CSRF

Browse Source
This commit is contained in:
Beda Schmid
2026-03-01 21:39:22 -03:00
parent a9333ec973
commit 26eae1a09b
14 changed files with 255 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
doc/api-contract.md
View File

@@ -13,11 +13,12 @@ Primary implementation modules:
## Authentication And Authorization
- Authentication is session-based bearer auth.
- Authentication is cookie-based session auth with a server-issued hashed session token.
- Clients authenticate with `POST /auth/login` using username and password.
- Backend issues per-user bearer session tokens and stores hashed session state server-side.
- Backend issues a server-stored session token and sets `HttpOnly` `dcm_session` and readable `dcm_csrf` cookies.
- Login brute-force protection enforces Redis-backed throttle checks keyed by username and source IP.
- Clients send issued tokens as `Authorization: Bearer <token>`.
- State-changing requests from browser clients must send `x-csrf-token: <dcm_csrf>` in request headers (double-submit pattern).
- For non-browser API clients, the optional `Authorization: Bearer <token>` path remains supported when the token is sent explicitly.
- `GET /auth/me` returns current identity and role.
- `POST /auth/logout` revokes current session token.

3
doc/frontend-design-foundation.md
View File

@@ -52,8 +52,7 @@ Do not hardcode new palette or spacing values in component styles when a token a
## Authenticated Media Delivery
- Document previews and thumbnails must load through authenticated fetch flows in `frontend/src/lib/api.ts`, then render via temporary object URLs.
- Runtime auth keeps server-issued per-user session tokens only in active-tab memory via `setRuntimeApiToken` and `getRuntimeApiToken`.
- Users must sign in again after a full browser reload, new tab launch, or browser restart because tokens are not persisted in browser storage.
- Runtime auth is cookie-backed; valid sessions are reused by browser reload and tab reuse while the `dcm_session` cookie remains valid.
- Static build-time token distribution is not supported.
- Direct `window.open` calls for protected media endpoints are not allowed because browser navigation requests do not include the API token header.
- Download actions for original files and markdown exports must use authenticated blob fetches plus controlled browser download triggers.

9
doc/operations-and-configuration.md
View File

@@ -45,7 +45,7 @@ docker compose logs -f
## Authentication Model
- Legacy shared build-time frontend token behavior was removed.
- API now uses server-issued per-user bearer sessions.
- API now uses server-issued sessions that are stored in HttpOnly cookies (`dcm_session`) with a separate CSRF cookie (`dcm_csrf`).
- Bootstrap users are provisioned from environment:
- `AUTH_BOOTSTRAP_ADMIN_USERNAME`
- `AUTH_BOOTSTRAP_ADMIN_PASSWORD`
@@ -56,7 +56,7 @@ docker compose logs -f
- `AUTH_LOGIN_FAILURE_WINDOW_SECONDS`
- `AUTH_LOGIN_LOCKOUT_BASE_SECONDS`
- `AUTH_LOGIN_LOCKOUT_MAX_SECONDS`
- Frontend signs in through `/api/v1/auth/login` and keeps issued session token only in active runtime memory.
- Frontend signs in through `/api/v1/auth/login` and relies on browser session persistence for valid cookie-backed sessions.
## DEV And LIVE Configuration Matrix
@@ -98,7 +98,7 @@ Recommended LIVE pattern:
2. Keep container published ports bound to localhost or internal network.
3. Set `PUBLIC_BASE_URL` and `VITE_API_BASE` to final HTTPS URLs.
4. Set `CORS_ORIGINS` to exact HTTPS frontend origins.
5. Credentialed CORS is intentionally disabled in application code for bearer-header auth.
5. Credentialed CORS is enabled and constrained for cookie-based sessions with strict origin allowlists.
## Security Controls
@@ -119,8 +119,7 @@ Recommended LIVE pattern:
## Frontend Runtime
- Frontend no longer consumes `VITE_API_TOKEN`.
- Session tokens are not persisted to browser storage.
- Users must sign in again after full page reload, opening a new tab, or browser restart.
- Session authentication is cookie-based; browser reloads and new tabs can reuse an active session until it expires or is revoked.
- Protected media and file download flows still use authenticated fetch plus blob/object URL handling.
## Validation Checklist