refactor: switch to HttpOnly cookie (#660)

* Switch to httpOnly cookie * create endpoint to retrieve temporary collaboration token * cleanups
2025-11-21 01:11:10 +10:00 · 2025-01-22 22:11:11 +00:00
parent f2235fd2a2
commit 990612793f
29 changed files with 240 additions and 276 deletions
--- a/apps/client/src/lib/api-client.ts
+++ b/apps/client/src/lib/api-client.ts
@ -1,5 +1,4 @@
 import axios, { AxiosInstance } from "axios";
-import Cookies from "js-cookie";
 import Routes from "@/lib/app-route.ts";

 const api: AxiosInstance = axios.create({
@ -7,28 +6,6 @@ const api: AxiosInstance = axios.create({
  withCredentials: true,
 });

-api.interceptors.request.use(
-  (config) => {
-    const tokenData = Cookies.get("authTokens");
-
-    let accessToken: string;
-    try {
-      accessToken = tokenData && JSON.parse(tokenData)?.accessToken;
-    } catch (err) {
-      console.log("invalid authTokens:", err.message);
-      Cookies.remove("authTokens");
-    }
-
-    if (accessToken) {
-      config.headers.Authorization = `Bearer ${accessToken}`;
-    }
-    return config;
-  },
-  (error) => {
-    return Promise.reject(error);
-  }
-);
-
 api.interceptors.response.use(
  (response) => {
    // we need the response headers for these endpoints
@ -45,11 +22,14 @@ api.interceptors.response.use(
  (error) => {
    if (error.response) {
      switch (error.response.status) {
-        case 401:
+        case 401: {
+          const url = new URL(error.request.responseURL)?.pathname;
+          if (url === "/api/auth/collab-token") return;
+
          // Handle unauthorized error
-          Cookies.remove("authTokens");
          redirectToLogin();
          break;
+        }
        case 403:
          // Handle forbidden error
          break;
@ -61,8 +41,6 @@ api.interceptors.response.use(
              .includes("workspace not found")
          ) {
            console.log("workspace not found");
-            Cookies.remove("authTokens");
-
            if (window.location.pathname != Routes.AUTH.SETUP) {
              window.location.href = Routes.AUTH.SETUP;
            }
@ -76,7 +54,7 @@ api.interceptors.response.use(
      }
    }
    return Promise.reject(error);
-  }
+  },
 );

 function redirectToLogin() {