feat(auth): implement cookie-based JWT authentication and logout functionality #105
…tionality

- Introduced `CookieJWTAuthentication` to support both header-based and cookie-based JWT authentication, prioritizing headers for explicit auth.
- Updated login and refresh views to set JWT tokens in HttpOnly cookies, enhancing security for browser clients.
- Added a logout endpoint to clear authentication cookies.
- Refactored frontend auth logic to remove reliance on access tokens stored in state, transitioning to cookie-based management.
- Updated environment settings and documentation to reflect new JWT cookie configurations.
Flagged lines in `src/api/authentication.py` (`CookieJWTAuthentication.get_validated_token`):

```python
        try:
            return super().get_validated_token(raw_token)
        except InvalidToken as e:
            raise InvalidToken(f"Invalid token: {str(e)}")
```
Check warning: Code scanning / CodeQL: Information exposure through an exception (Medium)

Copilot Autofix (AI, 7 days ago):
In general, to fix information exposure through exceptions, do not propagate raw exception messages or stack traces to layers that may be visible to end users. Instead, log the detailed exception server-side (if needed) and raise or return a generic, non-sensitive message to the client.
For this specific file, the best fix is to stop embedding str(e) in the new InvalidToken message in get_validated_token. We can simply raise a new InvalidToken with a generic message such as "Invalid token" or reuse the original exception without altering its message, depending on what is safer and less revealing in this codebase. Since CodeQL flags the flow from e to the formatted string, the minimal, non-breaking change is to keep the try/except structure (so behavior of wrapping super().get_validated_token errors remains the same) but replace f"Invalid token: {str(e)}" with a constant, non-tainted string like "Invalid token". No new imports or additional methods are required.
Concretely:
- In `src/api/authentication.py`, in `CookieJWTAuthentication.get_validated_token`, replace line 29 `raise InvalidToken(f"Invalid token: {str(e)}")` with `raise InvalidToken("Invalid token")`.
- This preserves the exception type and overall control flow (views will still receive `InvalidToken`), but no longer includes the inner exception's message, avoiding potential leakage of stack trace or internal validation details.
| @@ -25,8 +25,9 @@ | ||
| """Validate JWT token with proper error handling.""" | ||
| try: | ||
| return super().get_validated_token(raw_token) | ||
| except InvalidToken as e: | ||
| raise InvalidToken(f"Invalid token: {str(e)}") | ||
| except InvalidToken: | ||
| # Raise a generic error message to avoid leaking internal details | ||
| raise InvalidToken("Invalid token") | ||
|
|
||
| def authenticate(self, request): | ||
| """Authenticate request using header or cookie. |
…cale parsing

- Implemented cookie-based JWT access management in middleware to enforce authentication on protected routes.
- Added utility functions for parsing locale paths and determining access requirements based on JWT presence.
- Updated the `AuthGuard` tests to reflect changes in authentication logic and error handling.
- Introduced new tests for authentication path utilities to ensure correct locale handling and access checks.
- Refactored the `AuthProvider` to support server-side authentication state hydration and improved state synchronization.
- Enhanced the `Providers` component to manage dehydrated state for better performance in server-rendered contexts.
`CookieJWTAuthentication` to support both header-based and cookie-based JWT authentication, prioritizing headers for explicit auth.

closes: #97
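A stand-alone illustration of the two points on this page (header-before-cookie token selection, and wrapping validator errors in a constant client-facing message as the CodeQL autofix asks). This is added example code, not the PR's `CookieJWTAuthentication`; it uses plain Python with a stand-in `backend_validate` in place of the JWT library, and the cookie name `access_token` is an assumption.

```python
import logging
from typing import Mapping, Optional

log = logging.getLogger(__name__)

COOKIE_NAME = "access_token"   # assumed cookie name; not taken from the PR
AUTH_HEADER = "Authorization"


class InvalidToken(Exception):
    """Client-facing error: its message is what ends up in the HTTP response."""


class TokenBackendError(Exception):
    """Internal verifier error: its message may name algorithms, claims, etc."""


def extract_raw_token(headers: Mapping[str, str], cookies: Mapping[str, str]) -> Optional[str]:
    """Prefer an explicit `Authorization: Bearer <jwt>` header; otherwise fall back
    to the HttpOnly cookie set by the login/refresh views. Returns None if neither."""
    parts = headers.get(AUTH_HEADER, "").split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return cookies.get(COOKIE_NAME)


def backend_validate(raw_token: str) -> dict:
    """Stand-in for the JWT library (constructed for this example): on failure it
    raises with the kind of internal detail CodeQL does not want forwarded."""
    if raw_token == "good":
        return {"sub": "42"}
    raise TokenBackendError(f"signature mismatch for token {raw_token!r}")


def get_validated_token(raw_token: str) -> dict:
    """Hardened wrapper: the detail is logged server-side, the client receives a
    constant message, and `from None` stops Python from chaining the original
    exception (which a debug page or custom handler could otherwise render)."""
    try:
        return backend_validate(raw_token)
    except TokenBackendError as e:
        log.warning("token validation failed: %s", e)
        raise InvalidToken("Invalid token") from None
```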