
back(auth): drop cookies support for auth

Clément 6196d597 6518636f

+8 -17
+1 -2
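--- a/backend/internal/handlers/auth.go
+++ b/backend/internal/handlers/auth.go
@@ -2,7 +2,6 @@
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
 
 	"uiua.online/internal/middlewares"
@@ -31,7 +30,7 @@
 		return
 	}
 
-	w.Header().Set("Set-Cookie", fmt.Sprintf("session=%s; HttpOnly; Secure; SameSite=Lax; Max-Age=%d", token, 7*24*60*60))
+	w.Write([]byte(token))
 	w.WriteHeader(http.StatusOK)
 }
 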
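Review bot: `w.WriteHeader(http.StatusOK)` now runs after `w.Write([]byte(token))`, so it is a no-op — the first Write already committed a 200 and net/http logs a "superfluous response.WriteHeader call" for the second call. Either drop the WriteHeader line or put it before the write, and set the content type explicitly so the token body is not left to content sniffing: `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` / `w.WriteHeader(http.StatusOK)` / `w.Write([]byte(token))`. A one-line comment above the write would also help the next reader, e.g. `// The session token is returned as the plain-text body; clients send it back as "Authorization: Bearer <token>".` The enclosing handler starts outside the hunk.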
+2 -7
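--- a/backend/internal/handlers/auth_test.go
+++ b/backend/internal/handlers/auth_test.go
@@ -34,12 +34,7 @@
 		panic(fmt.Sprintf("could not login user; received %d", w.Code))
 	}
 
-	rawHeader := w.Header().Get("Set-Cookie")
-	token := strings.Split(strings.Split(rawHeader, ";")[0], "=")[1]
-	if token == "" {
-		panic("token is empty")
-	}
-	return token
+	return w.Body.String()
 }
 
 func TestLogin(t *testing.T) {
@@ -66,7 +61,7 @@
 	w := httptest.NewRecorder()
 	body := strings.NewReader(`{"email": "contact@drawbu.dev", "password": "password"}`)
 	req := httptest.NewRequest(http.MethodGet, "/auth/whoami", body)
-	req.Header.Set("Cookie", fmt.Sprintf("token=%s;", token))
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 	r.ServeHTTP(w, req)
 
 	if w.Code != http.StatusOK {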
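Review bot: The login helper no longer rejects an empty token — the `if token == "" { panic("token is empty") }` guard went away together with the cookie parsing, so a login handler that answers 200 with an empty body now makes the helper succeed and the failure surfaces later as a less specific 401 in the whoami test. Keep the guard on the body instead: `token := w.Body.String()` / `if token == "" { panic("token is empty") }` / `return token`. The helper's signature starts outside the hunk.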
+4 -7
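--- a/backend/internal/middlewares/auth.go
+++ b/backend/internal/middlewares/auth.go
@@ -3,6 +3,7 @@
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"uiua.online/internal/services"
 )
@@ -21,15 +22,11 @@
 
 func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		token, err := r.Cookie("session")
-		if err != nil {
-			http.Error(w, "missing authorization header", http.StatusUnauthorized)
-			return
-		}
+		header := r.Header.Get("Authorization")
+		token := strings.TrimPrefix(header, "Bearer ")
 
-		userId, err := m.session.GetUserFromSession(token.Value)
+		userId, err := m.session.GetUserFromSession(token)
 		if err != nil {
-			w.Header().Set("Set-Cookie", "session=; Max-Age=0")
 			http.Error(w, "invalid token", http.StatusUnauthorized)
 			return
 		}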
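Review bot: `strings.TrimPrefix(header, "Bearer ")` passes the header through unchanged when the `Bearer ` prefix is absent, so a request with no Authorization header reaches `m.session.GetUserFromSession` with an empty string, and a header using another scheme is looked up as if it were a session token. Check the scheme explicitly and fail with 401 before touching the session store, keeping the earlier "missing authorization header" message for that case; `strings.CutPrefix` (Go 1.20) reports whether the prefix was present. Note that RFC 7235 makes the scheme name case-insensitive, so an exact-case match rejects `bearer …` — whether that matters depends on the clients. The handler body continues past the end of the hunk.
```go
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !ok || token == "" {
			http.Error(w, "missing authorization header", http.StatusUnauthorized)
			return
		}

		userId, err := m.session.GetUserFromSession(token)
		// … unchanged: invalid-token handling and the rest of the handler …
```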
+1 -1
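--- a/backend/internal/middlewares/cors.go
+++ b/backend/internal/middlewares/cors.go
@@ -10,7 +10,7 @@
 	return cors.Handler(cors.Options{
 		AllowedOrigins:   []string{"http://localhost:5173", "https://api.uiua.online"},
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Cookie", "Content-Type"},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type"},
 		AllowCredentials: true,
 		MaxAge:           300, // Maximum value not ignored by any of major browsers
 	})(next)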
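Review bot: `AllowCredentials: true` is kept although the only credential this policy carried was the `Cookie` header the commit removes; a bearer token the client script sets itself is an ordinary request header and does not require credentialed CORS mode. Dropping the field (it defaults to false) narrows the policy so a later loosening of `AllowedOrigins` cannot expose cookie- or HTTP-auth-bearing requests cross-origin. Keep it only if some other endpoint still relies on cookies. The enclosing function starts before the hunk.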