
Conversation


@perber perber commented Dec 24, 2025

  • Add insecure flag to allow http
  • Use secure cookies / if it is https
  • Add session store for revocation of sessions
  • Adjust frontend to use cookies instead of bearer token
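The third bullet above, a session store so that sessions can be revoked, is the part of this design that a JWT-only setup cannot provide. The following is an added example of such a store, written for this page; it is not code from the leafwiki project or from this PR. It keeps sessions in an in-memory map as a stand-in for the PR's SQLite table (an assumption made so the example runs stand-alone), and the names SessionStore, Create, Refresh, Revoke and Active are the example's own. It also goes one step beyond what the PR description states: a refresh token whose JTI has already been rotated away is treated as a replay and revokes the whole session.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Sentinel errors; the HTTP layer maps all three to 401 and clears the cookies.
var (
	ErrSessionNotFound = errors.New("session not found or revoked")
	ErrSessionExpired  = errors.New("session expired")
	ErrTokenReused     = errors.New("refresh token reused; session revoked")
)

// Session is one row of the store. CurrentJTI is the JTI claim of the only
// refresh token that is still valid for this session; every refresh rotates it.
type Session struct {
	ID         string
	UserID     string
	CurrentJTI string
	ExpiresAt  time.Time
}

// SessionStore keeps sessions in memory (hypothetical stand-in for the PR's
// SQLite table). The clock is injectable so expiry can be tested.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]*Session
	now      func() time.Time
}

func NewSessionStore(now func() time.Time) *SessionStore {
	if now == nil {
		now = time.Now
	}
	return &SessionStore{sessions: make(map[string]*Session), now: now}
}

// randomID returns 128 bits from crypto/rand as hex; used for session IDs and JTIs.
func randomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Create opens a session at login. The returned session ID and JTI both go into
// the claims of the signed refresh token; the access token carries the session ID.
func (s *SessionStore) Create(userID string, ttl time.Duration) (sessionID, jti string, err error) {
	if sessionID, err = randomID(); err != nil {
		return "", "", err
	}
	if jti, err = randomID(); err != nil {
		return "", "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sessionID] = &Session{ID: sessionID, UserID: userID, CurrentJTI: jti, ExpiresAt: s.now().Add(ttl)}
	return sessionID, jti, nil
}

// Refresh is called after the refresh token's signature has been verified.
// Only the current JTI is accepted, and it is rotated on every call. A
// superseded JTI means a stale copy of the token is being replayed (by the
// user or by whoever stole it), so the whole session is revoked instead of
// letting either holder continue.
func (s *SessionStore) Refresh(sessionID, presentedJTI string, ttl time.Duration) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sessionID]
	if !ok {
		return "", ErrSessionNotFound
	}
	if s.now().After(sess.ExpiresAt) {
		delete(s.sessions, sessionID)
		return "", ErrSessionExpired
	}
	if presentedJTI != sess.CurrentJTI {
		delete(s.sessions, sessionID)
		return "", ErrTokenReused
	}
	newJTI, err := randomID()
	if err != nil {
		return "", err
	}
	sess.CurrentJTI = newJTI
	sess.ExpiresAt = s.now().Add(ttl)
	return newJTI, nil
}

// Revoke deletes a session (logout) and reports whether it existed.
func (s *SessionStore) Revoke(sessionID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[sessionID]
	delete(s.sessions, sessionID)
	return ok
}

// Active lets the access-token middleware reject a token whose session was
// revoked even though the signed token itself has not expired yet.
func (s *SessionStore) Active(sessionID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sessionID]
	return ok && !s.now().After(sess.ExpiresAt)
}

func main() {
	store := NewSessionStore(nil)
	sid, jti, _ := store.Create("alice", time.Hour)
	jti2, _ := store.Refresh(sid, jti, time.Hour)
	_, err := store.Refresh(sid, jti, time.Hour) // replay of the superseded token
	fmt.Println(jti2 != jti, err, store.Active(sid))
}
```

Checking Active on every authenticated request costs one store lookup per request; that is the price of making logout take effect before the access token expires, and is why the access-token lifetime can be kept short while the refresh token does the long-lived work.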

@perber perber marked this pull request as ready for review December 25, 2025 22:01
Copilot AI review requested due to automatic review settings December 25, 2025 22:01
@perber perber changed the title Feature/auth improvements feature: improve authentication Dec 25, 2025

Copilot AI left a comment


Pull request overview

This PR migrates the authentication system from JWT tokens in Authorization headers to HTTP-only cookies for improved security. The changes introduce session management with SQLite-based storage, rate limiting for authentication endpoints, and remove the CORS middleware dependency.

Key Changes:

  • Cookie-based authentication: Tokens are now stored in HTTP-only cookies instead of being sent in Authorization headers
  • Session management: New SessionStore implementation tracks refresh tokens in SQLite database
  • Rate limiting: Added middleware to prevent brute-force attacks on login and refresh endpoints
  • Frontend refactoring: Renamed auth store to session store and updated all imports across components

Reviewed changes

Copilot reviewed 33 out of 34 changed files in this pull request and generated 14 comments.

Summary per file:

  • ui/leafwiki-ui/src/stores/session.ts: new session store replacing the auth store; manages user state without tokens
  • ui/leafwiki-ui/src/stores/auth.ts: removed, replaced by session.ts
  • ui/leafwiki-ui/src/lib/api/auth.ts: updated to use cookies via credentials: 'include'; token handling removed
  • ui/leafwiki-ui/src/lib/bootstrapAuth.ts: new hook to refresh the session on app startup
  • ui/leafwiki-ui/src/stores/users.ts: password change flow updated to use the session store
  • ui/leafwiki-ui/src/App.tsx: added the bootstrap auth hook and a session refresh check
  • internal/core/auth/session_store.go: new SQLite-based session storage for refresh tokens
  • internal/core/auth/auth_service.go: updated to create and validate sessions and track JTIs
  • internal/http/middleware/auth_cookie.go: new middleware for secure cookie management with the __Host- prefix
  • internal/http/middleware/rate_limiter.go: new rate-limiting middleware using a sliding window
  • internal/http/middleware/auth.go: updated to read the access token from cookies
  • internal/http/api/login_user.go: sets auth cookies on successful login
  • internal/http/api/logout_user.go: new logout endpoint that clears cookies and revokes sessions
  • internal/http/api/refresh_token_user.go: updated to use cookies for the refresh-token flow
  • internal/http/router.go: CORS removed, rate limiting added, updated to a RouterOptions struct
  • internal/wiki/wiki.go: refactored to use a WikiOptions struct; always enables search indexing
  • cmd/leafwiki/main.go: added CLI flags for token timeouts and insecure mode
  • readme.md: documentation updated with the new CLI flags and environment variables
  • Dockerfile: build script updated to remove the CORS flag
  • go.mod: gin-contrib/cors dependency removed

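The review above lists a cookie middleware using the __Host- prefix, and the PR adds an insecure flag for plain-HTTP deployments. Those two interact: browsers only accept a __Host- cookie that carries Secure, has Path=/ and sets no Domain, so an insecure deployment cannot use the prefix at all. The following is an added example for this page of a cookie helper that handles that case; it is not the project's auth_cookie.go. The CookieConfig type, the functions SetAuthCookies, ClearAuthCookies and ReadAccessToken, and the base cookie names access_token and refresh_token are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CookieConfig is a hypothetical stand-in for the PR's CLI flags: Insecure
// mirrors the flag that allows plain HTTP, the MaxAge values mirror the
// token-timeout flags.
type CookieConfig struct {
	Insecure      bool
	AccessMaxAge  time.Duration
	RefreshMaxAge time.Duration
}

// Base cookie names; assumed for this example.
const (
	accessCookieBase  = "access_token"
	refreshCookieBase = "refresh_token"
)

var ErrNoAccessCookie = errors.New("access token cookie missing")

// cookieName applies the __Host- prefix only when the cookie can satisfy the
// prefix's rules (Secure, Path=/, no Domain). Over plain HTTP the Secure
// attribute cannot be honoured and the browser would silently discard a
// __Host- cookie, so insecure mode falls back to the bare name.
func cookieName(cfg CookieConfig, base string) string {
	if cfg.Insecure {
		return base
	}
	return "__Host-" + base
}

// buildCookie sets the attributes every auth cookie needs. HttpOnly keeps page
// scripts (and any XSS payload) from reading the token; SameSite=Strict stops
// cross-site requests from carrying it, which is what makes cookie auth without
// a separate CSRF token acceptable for a same-origin SPA; Path=/ with no Domain
// is required by the __Host- prefix.
func buildCookie(cfg CookieConfig, base, value string, maxAgeSeconds int) *http.Cookie {
	return &http.Cookie{
		Name:     cookieName(cfg, base),
		Value:    value,
		Path:     "/",
		MaxAge:   maxAgeSeconds,
		HttpOnly: true,
		Secure:   !cfg.Insecure,
		SameSite: http.SameSiteStrictMode,
	}
}

// SetAuthCookies is what the login and refresh handlers call on success.
func SetAuthCookies(w http.ResponseWriter, cfg CookieConfig, accessToken, refreshToken string) {
	http.SetCookie(w, buildCookie(cfg, accessCookieBase, accessToken, int(cfg.AccessMaxAge.Seconds())))
	http.SetCookie(w, buildCookie(cfg, refreshCookieBase, refreshToken, int(cfg.RefreshMaxAge.Seconds())))
}

// ClearAuthCookies is what logout calls. A Max-Age=0 cookie only deletes the
// original if name, Path and Secure match, so it goes through buildCookie too.
func ClearAuthCookies(w http.ResponseWriter, cfg CookieConfig) {
	http.SetCookie(w, buildCookie(cfg, accessCookieBase, "", -1))
	http.SetCookie(w, buildCookie(cfg, refreshCookieBase, "", -1))
}

// ReadAccessToken replaces reading the Authorization header in the auth
// middleware. Signature verification of the token happens after this step.
func ReadAccessToken(r *http.Request, cfg CookieConfig) (string, error) {
	c, err := r.Cookie(cookieName(cfg, accessCookieBase))
	if err != nil || c.Value == "" {
		return "", ErrNoAccessCookie
	}
	return c.Value, nil
}

func main() {
	cfg := CookieConfig{AccessMaxAge: 15 * time.Minute, RefreshMaxAge: 7 * 24 * time.Hour}
	rec := httptest.NewRecorder()
	SetAuthCookies(rec, cfg, "example.access.jwt", "example.refresh.jwt")
	for _, h := range rec.Header()["Set-Cookie"] {
		fmt.Println(h)
	}
}
```

One consequence of the prefix worth noting: because __Host- forces Path=/, the refresh cookie is sent on every request to the origin, not just to the refresh endpoint. Scoping it to the refresh path would mean giving up the prefix for that cookie.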


Copilot AI commented Dec 25, 2025

@perber I've opened a new pull request, #487, to work on those changes. Once the pull request is ready, I'll request review from you.


Copilot AI left a comment


Pull request overview

Copilot reviewed 36 out of 37 changed files in this pull request and generated 9 comments.


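The first review's file table lists a rate-limiting middleware for the login and refresh endpoints that uses a sliding window. The following is an added example for this page of what that mechanism looks like; it is not the project's rate_limiter.go. The type SlidingWindowLimiter, its constructors and Middleware method, the choice of keying on the TCP peer address, and the Sweep helper are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// SlidingWindowLimiter allows at most limit requests per key within any span of
// length window, counted from exact timestamps rather than fixed buckets, so a
// burst straddling a bucket boundary cannot double the effective limit.
// The clock is injectable so the behaviour can be tested without sleeping.
type SlidingWindowLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
	now    func() time.Time
}

func NewSlidingWindowLimiter(limit int, window time.Duration) *SlidingWindowLimiter {
	return NewSlidingWindowLimiterWithClock(limit, window, time.Now)
}

func NewSlidingWindowLimiterWithClock(limit int, window time.Duration, now func() time.Time) *SlidingWindowLimiter {
	return &SlidingWindowLimiter{limit: limit, window: window, hits: make(map[string][]time.Time), now: now}
}

// Allow records a hit for key if the key is under its limit. On rejection it
// also returns how long until the oldest hit slides out of the window.
func (l *SlidingWindowLimiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	ts := l.hits[key]
	i := 0
	for i < len(ts) && !ts[i].After(cutoff) { // hits are appended in time order
		i++
	}
	ts = ts[i:]
	if len(ts) >= l.limit {
		l.hits[key] = ts
		if len(ts) == 0 { // limit <= 0: nothing is ever allowed
			return false, l.window
		}
		return false, ts[0].Add(l.window).Sub(now)
	}
	l.hits[key] = append(ts, now)
	return true, 0
}

// Sweep drops keys with no hits inside the window and returns how many it
// removed; run it periodically so the map does not grow with every address
// that ever touched the endpoint.
func (l *SlidingWindowLimiter) Sweep() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := l.now().Add(-l.window)
	removed := 0
	for key, ts := range l.hits {
		if len(ts) == 0 || !ts[len(ts)-1].After(cutoff) {
			delete(l.hits, key)
			removed++
		}
	}
	return removed
}

// clientKey uses the TCP peer address. X-Forwarded-For is deliberately not
// consulted: it is attacker-controlled unless a trusted reverse proxy
// overwrites it, in which case the proxy's value should be substituted here.
func clientKey(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware wraps the login and refresh handlers and answers 429 with a
// Retry-After header once the per-client budget is spent.
func (l *SlidingWindowLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow(clientKey(r))
		if !ok {
			secs := int((wait + time.Second - 1) / time.Second) // round up
			w.Header().Set("Retry-After", strconv.Itoa(secs))
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := NewSlidingWindowLimiter(3, time.Minute)
	for i := 1; i <= 4; i++ {
		ok, wait := l.Allow("203.0.113.7")
		fmt.Printf("attempt %d: allowed=%v retry-after=%v\n", i, ok, wait)
	}
}
```

Keying on the peer address alone has two known limits: clients behind one NAT share a budget, and an attacker with many addresses gets many budgets. For login, a second limiter keyed on the submitted username closes the second gap; the addresses used in the test are the documentation ranges from RFC 5737, constructed for the example.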


Copilot AI left a comment


Pull request overview

Copilot reviewed 37 out of 39 changed files in this pull request and generated 6 comments.

Files not reviewed (1)
  • ui/leafwiki-ui/package-lock.json: Language not supported



Copilot AI commented Dec 26, 2025

@perber I've opened a new pull request, #495, to work on those changes. Once the pull request is ready, I'll request review from you.

@perber perber force-pushed the feature/auth-improvements branch from 92824c1 to debb43b Compare December 26, 2025 19:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 42 out of 44 changed files in this pull request and generated 9 comments.

Files not reviewed (1)
  • ui/leafwiki-ui/package-lock.json: Language not supported



Copilot AI commented Dec 26, 2025

@perber I've opened a new pull request, #496, to work on those changes. Once the pull request is ready, I'll request review from you.

perber and others added 3 commits December 26, 2025 22:40
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Add secure cookie + session DB based authentication with rate limiting
