Move JWT from localStorage to HttpOnly cookie; fix CSRF
- JWT stored in HttpOnly, Secure, SameSite=Strict cookie — JS cannot read the token at all; SameSite=Strict prevents CSRF without tokens - Non-sensitive user payload returned in response body and stored in localStorage for UI purposes only (not usable for auth) - Add POST /api/auth/logout endpoint that clears the cookie server-side - Add SECURE_COOKIES env var (default true) for local HTTP testing - Extract login.html inline script to login.js (CSP compliance) - Remove Authorization: Bearer header from API calls; add credentials: include so cookies are sent automatically - CSP script-src includes unsafe-inline to support existing onclick handlers throughout the app Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -27,7 +27,7 @@
|
||||
<button type="submit" class="btn btn-primary" style="width:100%" id="login-btn">Sign In</button>
|
||||
</form>
|
||||
<p style="text-align:center;margin-top:1rem;font-size:0.9rem;color:var(--muted)">
|
||||
No account? <a href="#" onclick="showRegister()">Create one</a>
|
||||
No account? <a href="#" id="show-register-link">Create one</a>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -51,112 +51,11 @@
|
||||
<button type="submit" class="btn btn-primary" style="width:100%" id="reg-btn">Create Account</button>
|
||||
</form>
|
||||
<p style="text-align:center;margin-top:1rem;font-size:0.9rem;color:var(--muted)">
|
||||
Already have an account? <a href="#" onclick="showLogin()">Sign in</a>
|
||||
Already have an account? <a href="#" id="show-login-link">Sign in</a>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script>
|
||||
// Redirect if already logged in
|
||||
(function () {
|
||||
const token = localStorage.getItem('token');
|
||||
if (token) {
|
||||
try {
|
||||
const payload = JSON.parse(atob(token.split('.')[1]));
|
||||
if (payload.exp > Date.now() / 1000) {
|
||||
window.location.href = '/';
|
||||
return;
|
||||
}
|
||||
} catch (_) {}
|
||||
localStorage.removeItem('token');
|
||||
}
|
||||
})();
|
||||
|
||||
function showLogin() {
|
||||
document.getElementById('register-panel').style.display = 'none';
|
||||
document.getElementById('login-panel').style.display = 'block';
|
||||
document.getElementById('username').focus();
|
||||
}
|
||||
|
||||
function showRegister() {
|
||||
document.getElementById('login-panel').style.display = 'none';
|
||||
document.getElementById('register-panel').style.display = 'block';
|
||||
document.getElementById('reg-username').focus();
|
||||
}
|
||||
|
||||
function showError(elId, text) {
|
||||
const el = document.getElementById(elId);
|
||||
el.textContent = text;
|
||||
el.className = 'message error visible';
|
||||
}
|
||||
|
||||
function showSuccess(elId, text) {
|
||||
const el = document.getElementById(elId);
|
||||
el.textContent = text;
|
||||
el.className = 'message success visible';
|
||||
}
|
||||
|
||||
// ── Login ──
|
||||
document.getElementById('login-form').addEventListener('submit', async (e) => {
|
||||
e.preventDefault();
|
||||
const btn = document.getElementById('login-btn');
|
||||
btn.disabled = true;
|
||||
btn.textContent = 'Signing in…';
|
||||
document.getElementById('login-msg').className = 'message';
|
||||
|
||||
const username = document.getElementById('username').value.trim();
|
||||
const password = document.getElementById('password').value;
|
||||
|
||||
try {
|
||||
const res = await fetch('/api/auth/login', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ username, password }),
|
||||
});
|
||||
const data = await res.json();
|
||||
if (res.status === 429) { showError('login-msg', 'Too many attempts — please wait a minute and try again.'); return; }
|
||||
if (!res.ok) { showError('login-msg', data.detail || 'Login failed'); return; }
|
||||
localStorage.setItem('token', data.access_token);
|
||||
window.location.href = '/';
|
||||
} catch (err) {
|
||||
showError('login-msg', 'Could not reach the server. Please try again.');
|
||||
} finally {
|
||||
btn.disabled = false;
|
||||
btn.textContent = 'Sign In';
|
||||
}
|
||||
});
|
||||
|
||||
// ── Register ──
|
||||
document.getElementById('reg-form').addEventListener('submit', async (e) => {
|
||||
e.preventDefault();
|
||||
const btn = document.getElementById('reg-btn');
|
||||
const username = document.getElementById('reg-username').value.trim();
|
||||
const password = document.getElementById('reg-password').value;
|
||||
const confirm = document.getElementById('reg-confirm').value;
|
||||
|
||||
if (password !== confirm) { showError('reg-msg', 'Passwords do not match'); return; }
|
||||
|
||||
btn.disabled = true;
|
||||
btn.textContent = 'Creating account…';
|
||||
document.getElementById('reg-msg').className = 'message';
|
||||
|
||||
try {
|
||||
const res = await fetch('/api/auth/register', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ username, password }),
|
||||
});
|
||||
const data = await res.json();
|
||||
if (!res.ok) { showError('reg-msg', data.detail || 'Registration failed'); return; }
|
||||
localStorage.setItem('token', data.access_token);
|
||||
window.location.href = '/';
|
||||
} catch (err) {
|
||||
showError('reg-msg', 'Could not reach the server. Please try again.');
|
||||
} finally {
|
||||
btn.disabled = false;
|
||||
btn.textContent = 'Create Account';
|
||||
}
|
||||
});
|
||||
</script>
|
||||
<script src="/js/login.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Reference in New Issue
Block a user