Fix auth session persistence with HttpOnly cookies and CSRF
This commit is contained in:
@@ -13,11 +13,12 @@ Primary implementation modules:
|
||||
|
||||
## Authentication And Authorization
|
||||
|
||||
- Authentication is session-based bearer auth.
|
||||
- Authentication is cookie-based session auth with a server-issued hashed session token.
|
||||
- Clients authenticate with `POST /auth/login` using username and password.
|
||||
- Backend issues per-user bearer session tokens and stores hashed session state server-side.
|
||||
- Backend issues a server-stored session token and sets `HttpOnly` `dcm_session` and readable `dcm_csrf` cookies.
|
||||
- Login brute-force protection enforces Redis-backed throttle checks keyed by username and source IP.
|
||||
- Clients send issued tokens as `Authorization: Bearer <token>`.
|
||||
- State-changing requests from browser clients must send `x-csrf-token: <dcm_csrf>` in request headers (double-submit pattern).
|
||||
- For non-browser API clients, the optional `Authorization: Bearer <token>` path remains supported when the token is sent explicitly.
|
||||
- `GET /auth/me` returns current identity and role.
|
||||
- `POST /auth/logout` revokes current session token.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user