Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: add client side cookie to expose login info #1825

Merged
merged 1 commit into from
Nov 2, 2024
Merged

feature: add client side cookie to expose login info #1825

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/src/develop/webapps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,8 @@ The login endpoint has an optional `rememberMe` request parameter. By default, w

As the cookie is set to be [`HttpOnly`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security) webapp JavaScript has no access to it. Including it in server requests and persisting its value is managed by the browser, governed by the `Set-Cookie` headers sent by the server.

Additionally the server sets cookie `skLoginInfo` when the user logs in and removes it when the user logs out. A webapp can poll for changes of this cookie to be notified of the browser's cookie based login status.

For **token based sessions** a webapp may manage the authentication token itself. It must include it explicitly in fetch call headers.
As JavaScript has no access to headers but cookies are included automatically by browsers when opening WebSocket connections the server will use the server-set, HttpOnly cookie. Normally browsers do not allow shadowing the server-set cookie with a new value. The only option for WebSocket connections is using a query parameter to override the cookie with a token.

Expand Down
14 changes: 13 additions & 1 deletion src/tokensecurity.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,10 @@ const permissionDeniedMessage =

const skPrefix = '/signalk/v1'
const skAuthPrefix = `${skPrefix}/auth`

//cookie to hold login info for webapps to use
const BROWSER_LOGININFO_COOKIE_NAME = 'skLoginInfo'

import { SERVERROUTESPREFIX } from './constants'

const LOGIN_FAILED_MESSAGE = 'Invalid username/password'
Expand Down Expand Up @@ -198,6 +202,13 @@ module.exports = function (app, config) {
)
}
res.cookie('JAUTHENTICATION', reply.token, cookieOptions)
// eslint-disable-next-line no-unused-vars
const { httpOnly, cookieOptionsForBrowserCookie } = cookieOptions
res.cookie(
BROWSER_LOGININFO_COOKIE_NAME,
JSON.stringify({ status: 'loggedIn', user: reply.user })
),
cookieOptionsForBrowserCookie

if (requestType === 'application/json') {
res.json({ token: reply.token })
Expand Down Expand Up @@ -237,6 +248,7 @@ module.exports = function (app, config) {

app.put(['/logout', `${skAuthPrefix}/logout`], function (req, res) {
res.clearCookie('JAUTHENTICATION')
res.clearCookie(BROWSER_LOGININFO_COOKIE_NAME)
res.json('Logout OK')
})
;[
Expand Down Expand Up @@ -295,7 +307,7 @@ module.exports = function (app, config) {
debug(`jwt expiration:${JSON.stringify(jwtOptions)}`)
try {
const token = jwt.sign(payload, configuration.secretKey, jwtOptions)
resolve({ statusCode: 200, token })
resolve({ statusCode: 200, token, user: user.username })
} catch (err) {
resolve({
statusCode: 500,
Expand Down