Move JWT from localStorage to HttpOnly cookie; fix CSRF
- JWT stored in HttpOnly, Secure, SameSite=Strict cookie — JS cannot read the token at all; SameSite=Strict prevents CSRF without tokens - Non-sensitive user payload returned in response body and stored in localStorage for UI purposes only (not usable for auth) - Add POST /api/auth/logout endpoint that clears the cookie server-side - Add SECURE_COOKIES env var (default true) for local HTTP testing - Extract login.html inline script to login.js (CSP compliance) - Remove Authorization: Bearer header from API calls; add credentials: include so cookies are sent automatically - CSP script-src includes unsafe-inline to support existing onclick handlers throughout the app Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,13 +1,13 @@
|
||||
import logging
|
||||
|
||||
from fastapi import APIRouter, Depends, HTTPException
|
||||
from fastapi import APIRouter, Depends, HTTPException, Response
|
||||
from sqlalchemy import select
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from database import get_db
|
||||
from models import User
|
||||
from schemas import UserCreate, UserOut, ResetPasswordRequest, TokenResponse
|
||||
from auth import hash_password, create_access_token, get_current_admin, get_token_payload
|
||||
from schemas import UserCreate, UserOut, ResetPasswordRequest, AuthResponse
|
||||
from auth import hash_password, create_access_token, get_current_admin, get_token_payload, set_auth_cookie, token_to_user_payload
|
||||
|
||||
router = APIRouter(prefix="/api/admin", tags=["admin"])
|
||||
logger = logging.getLogger("yolkbook")
|
||||
@@ -104,9 +104,10 @@ def delete_user(
|
||||
db.commit()
|
||||
|
||||
|
||||
@router.post("/users/{user_id}/impersonate", response_model=TokenResponse)
|
||||
@router.post("/users/{user_id}/impersonate", response_model=AuthResponse)
|
||||
def impersonate_user(
|
||||
user_id: int,
|
||||
response: Response,
|
||||
current_admin: User = Depends(get_current_admin),
|
||||
db: Session = Depends(get_db),
|
||||
):
|
||||
@@ -114,12 +115,14 @@ def impersonate_user(
|
||||
if not user:
|
||||
raise HTTPException(status_code=404, detail="User not found")
|
||||
token = create_access_token(user.id, user.username, user.is_admin, user.timezone, admin_id=current_admin.id)
|
||||
set_auth_cookie(response, token)
|
||||
logger.warning("Admin '%s' (id=%d) is impersonating user '%s' (id=%d).", current_admin.username, current_admin.id, user.username, user.id)
|
||||
return TokenResponse(access_token=token)
|
||||
return AuthResponse(user=token_to_user_payload(token))
|
||||
|
||||
|
||||
@router.post("/unimpersonate", response_model=TokenResponse)
|
||||
@router.post("/unimpersonate", response_model=AuthResponse)
|
||||
def unimpersonate(
|
||||
response: Response,
|
||||
payload: dict = Depends(get_token_payload),
|
||||
db: Session = Depends(get_db),
|
||||
):
|
||||
@@ -130,5 +133,6 @@ def unimpersonate(
|
||||
if not admin or admin.is_disabled or not admin.is_admin:
|
||||
raise HTTPException(status_code=403, detail="Original admin account is no longer valid")
|
||||
token = create_access_token(admin.id, admin.username, admin.is_admin, admin.timezone)
|
||||
set_auth_cookie(response, token)
|
||||
logger.warning("Admin '%s' (id=%d) ended impersonation session.", admin.username, admin.id)
|
||||
return TokenResponse(access_token=token)
|
||||
return AuthResponse(user=token_to_user_payload(token))
|
||||
|
||||
Reference in New Issue
Block a user