Auth-via-cookies #7

Merged
BothimTV merged 2 commits from auth-via-cookies into main 2026-02-02 19:25:49 +00:00
BothimTV commented 2026-02-02 19:21:25 +00:00 (Migrated from github.com)

Summary by CodeRabbit

  • New Features

    • Implemented secure, cookie-based authentication replacing token storage in browser.
    • Added /auth-me endpoint to verify user authentication status and admin privileges.
    • HttpOnly cookies automatically sent with requests for seamless authentication.
  • Chores

    • Updated backend dependencies and authentication infrastructure to support cookie-based sessions.
    • Removed explicit token management from client storage and API headers.
coderabbitai[bot] commented 2026-02-02 19:21:35 +00:00 (Migrated from github.com)
Walkthrough

This pull request migrates authentication from token-based (localStorage + Authorization headers) to cookie-based (HttpOnly cookies + automatic Axios transmission). Backend endpoints now set secure cookies instead of returning tokens, and frontend components removed explicit Authorization headers to rely on automatic cookie transmission via configured Axios withCredentials.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Backend Dependencies & Initialization: backend/package.json, backend/src/index.ts, docker-compose.yml | Added @fastify/cookie dependency and registered Fastify cookie plugin with COOKIE_SECRET environment variable configuration. |
| Backend Authentication Routes: backend/src/routes/auth/PATCH.ts, backend/src/routes/passkeys/PATCH.ts | Updated login endpoints to set secure HttpOnly cookies (session_token, is_admin) with 30-day max age and SameSite: Strict instead of returning sessionToken in response body. |
| Backend Auth Validation: backend/src/routes/auth-me/GET.ts, backend/src/types/Route.ts | Introduced new /auth-me endpoint for client authentication status queries; updated Route base class to extract and validate session_token from req.cookies instead of Authorization header. |
| Frontend Axios Configuration: frontend/src/plugins/axios.ts, frontend/src/plugins/index.ts | Configured global axios.defaults.withCredentials = true; registered axios plugin during app initialization to ensure credentials sent with all requests. |
| Frontend Authentication Flows: frontend/src/layouts/default.vue, frontend/src/pages/index.vue, frontend/src/pages/login.vue, frontend/src/pages/checkin.vue, frontend/src/pages/spiel.vue | Replaced localStorage session token checks and admin flags with API calls to /auth-me; simplified login flow to remove localStorage writes; added reactive admin state fetched from backend. |
| Frontend API Requests: frontend/src/components/SchuelerSelect.vue, frontend/src/pages/verwaltung/mail.vue, frontend/src/pages/verwaltung/passkeys.vue, frontend/src/pages/verwaltung/schueler.vue, frontend/src/pages/verwaltung/sessions.vue, frontend/src/pages/verwaltung/statistik.vue | Removed Authorization headers from all API requests across components and pages; requests now rely on cookies sent automatically by Axios. |
| Frontend Utilities & Documentation: frontend/src/util/cookies.ts, .github/copilot-instructions.md | Added getCookie utility for client-side cookie reading; updated AI documentation to describe cookie-based authentication replacing Bearer token guidance. |

Sequence Diagram

sequenceDiagram
    participant Client as Client<br/>(Browser)
    participant Axios as Axios<br/>(withCredentials)
    participant Backend as Backend<br/>(Fastify)
    participant DB as Database

    Note over Client,DB: Old Flow: Token-Based
    Client->>Client: Read session_token<br/>from localStorage
    Client->>Axios: Request + Authorization<br/>header with token
    Axios->>Backend: HTTP request

    Note over Client,DB: New Flow: Cookie-Based
    Client->>Axios: Request (no explicit<br/>Authorization header)
    Note over Axios: withCredentials: true<br/>sends cookies automatically
    Axios->>Backend: HTTP request<br/>+ session_token cookie
    Backend->>Backend: Validate session_token<br/>from req.cookies
    Backend->>DB: Query session by<br/>sessionToken
    DB-->>Backend: Session record
    Backend-->>Axios: Response<br/>(ok, authenticated,<br/>isAdmin)
    Axios-->>Client: Response data

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Tokens once lived in localStorage's keep,
Now cookies float softly through browsers so deep!
Axios delivers them swift, without a care,
HttpOnly and secure, a trust-worthy pair! 🍪
No headers to craft—just let cookies be free,
Authentication flows wild as can be! 🎉


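The server side of the cookie flow summarized above, as an added example that is not taken from the pull request or the project's code. It issues the two cookies with the attributes the walkthrough lists and answers an `/auth-me`-style query from the session record alone, so an `is_admin` cookie value sent by the client never grants admin. The in-memory `Map` standing in for the database and the function names `sessionCookie`, `login`, `parseCookies` and `authMe` are assumptions.

```javascript
// Added illustration, not the project's code. Uses Node built-ins only.
const { randomBytes } = require("node:crypto");

const THIRTY_DAYS_S = 30 * 24 * 60 * 60; // Max-Age is expressed in seconds
const sessions = new Map(); // hypothetical stand-in for the session table

// Serialize one cookie with the attributes named in the walkthrough.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${THIRTY_DAYS_S}; ` +
    "Path=/; HttpOnly; Secure; SameSite=Strict";
}

// Login: mint an unguessable token, store the session server-side,
// and return the Set-Cookie header values instead of a token in the body.
function login(userId, isAdmin) {
  const token = randomBytes(32).toString("hex");
  const expiresAt = Date.now() + THIRTY_DAYS_S * 1000;
  sessions.set(token, { userId, isAdmin, expiresAt });
  return [
    sessionCookie("session_token", token),
    sessionCookie("is_admin", String(isAdmin)),
  ];
}

// Parse a Cookie request header; malformed pairs are skipped, not fatal.
function parseCookies(header = "") {
  const out = Object.create(null);
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    const name = eq > 0 ? part.slice(0, eq).trim() : "";
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch { /* bad percent-encoding: ignore this pair */ }
  }
  return out;
}

// /auth-me logic: only session_token is trusted, and only after a lookup.
// The is_admin cookie is request input and is deliberately not read here.
function authMe(cookieHeader) {
  const token = parseCookies(cookieHeader).session_token;
  const session = token ? sessions.get(token) : undefined;
  if (!session || session.expiresAt <= Date.now()) {
    return { ok: true, authenticated: false, isAdmin: false };
  }
  return { ok: true, authenticated: true, isAdmin: session.isAdmin === true };
}
```
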
socket-security[bot] commented 2026-02-02 19:21:58 +00:00 (Migrated from github.com)

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @fastify/cookie@11.0.2 | 100 | 100 | 100 | 86 | 100 |

socket-security[bot] commented 2026-02-02 19:22:00 +00:00 (Migrated from github.com)

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | Low | Publisher changed: npm @fastify/cookie is now published by fdawgs instead of gurgunday |

New Author: fdawgs

Previous Author: gurgunday

From: backend/package.json → npm/@fastify/cookie@11.0.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@fastify/cookie@11.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Commenting is not possible because the repository is archived.