bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

Browse Source 
Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
  header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
  cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)

Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically

Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 16:06:44 +02:00
parent 836cffa232
commit 513ca519b2
32 changed files with 826 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
apps/admin/src/layouts/components/UserProfile.vue
View File

@@ -1,37 +1,21 @@
<script setup lang="ts">
import { PerfectScrollbar } from 'vue3-perfect-scrollbar'
import { useAuthStore } from '@/stores/useAuthStore'
const router = useRouter()
const ability = useAbility()
const authStore = useAuthStore()
// TODO: Get type from backend
const userData = useCookie<any>('userData')
const userData = computed(() => authStore.user)
const logout = async () => {
try {
// Call API logout endpoint
await $api('/auth/logout', { method: 'POST' })
}
catch (err) {
// Continue with logout even if API call fails
console.error('Logout API error:', err)
}
// Remove "accessToken" from cookie
useCookie('accessToken').value = null
// Remove "userData" from cookie
userData.value = null
// Redirect to login page
await router.push('/login')
// We had to remove abilities in then block because if we don't nav menu items mutation is visible while redirecting user to login page
// Remove "userAbilities" from cookie
useCookie('userAbilityRules').value = null
await authStore.logout()
// Reset ability to initial ability
ability.update([])
// Redirect to login page
await router.push('/login')
}
const userProfileList = [