refactor: switch to HttpOnly cookie (#660)

* Switch to httpOnly cookie * create endpoint to retrieve temporary collaboration token * cleanups
2025-11-14 05:41:11 +10:00 · 2025-01-22 22:11:11 +00:00
parent f2235fd2a2
commit 990612793f
29 changed files with 240 additions and 276 deletions
--- a/apps/server/src/core/auth/auth.controller.ts
+++ b/apps/server/src/core/auth/auth.controller.ts
@ -6,6 +6,7 @@ import {
  NotFoundException,
  Post,
  Req,
+  Res,
  UseGuards,
 } from '@nestjs/common';
 import { LoginDto } from './dto/login.dto';
@ -21,6 +22,8 @@ import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { ForgotPasswordDto } from './dto/forgot-password.dto';
 import { PasswordResetDto } from './dto/password-reset.dto';
 import { VerifyUserTokenDto } from './dto/verify-user-token.dto';
+import { FastifyReply } from 'fastify';
+import { addDays } from 'date-fns';

@Controller('auth')
 export class AuthController {
@ -31,26 +34,29 @@ export class AuthController {

  @HttpCode(HttpStatus.OK)
  @Post('login')
-  async login(@Req() req, @Body() loginInput: LoginDto) {
-    return this.authService.login(loginInput, req.raw.workspaceId);
+  async login(
+    @Req() req,
+    @Res({ passthrough: true }) res: FastifyReply,
+    @Body() loginInput: LoginDto,
+  ) {
+    const authToken = await this.authService.login(
+      loginInput,
+      req.raw.workspaceId,
+    );
+    this.setAuthCookie(res, authToken);
  }

-  /* @HttpCode(HttpStatus.OK)
-  @Post('register')
-  async register(@Req() req, @Body() createUserDto: CreateUserDto) {
-    return this.authService.register(createUserDto, req.raw.workspaceId);
-  }
-  */
-
  @UseGuards(SetupGuard)
  @HttpCode(HttpStatus.OK)
  @Post('setup')
  async setupWorkspace(
-    @Req() req,
+    @Res({ passthrough: true }) res: FastifyReply,
    @Body() createAdminUserDto: CreateAdminUserDto,
  ) {
    if (this.environmentService.isCloud()) throw new NotFoundException();
-    return this.authService.setup(createAdminUserDto);
+
+    const authToken = await this.authService.setup(createAdminUserDto);
+    this.setAuthCookie(res, authToken);
  }

  @UseGuards(JwtAuthGuard)
@ -76,10 +82,15 @@ export class AuthController {
  @HttpCode(HttpStatus.OK)
  @Post('password-reset')
  async passwordReset(
+    @Res({ passthrough: true }) res: FastifyReply,
    @Body() passwordResetDto: PasswordResetDto,
    @AuthWorkspace() workspace: Workspace,
  ) {
-    return this.authService.passwordReset(passwordResetDto, workspace.id);
+    const authToken = await this.authService.passwordReset(
+      passwordResetDto,
+      workspace.id,
+    );
+    this.setAuthCookie(res, authToken);
  }

  @HttpCode(HttpStatus.OK)
@ -90,4 +101,30 @@ export class AuthController {
  ) {
    return this.authService.verifyUserToken(verifyUserTokenDto, workspace.id);
  }
+
+  @UseGuards(JwtAuthGuard)
+  @HttpCode(HttpStatus.OK)
+  @Post('collab-token')
+  async collabToken(
+    @AuthUser() user: User,
+    @AuthWorkspace() workspace: Workspace,
+  ) {
+    return this.authService.getCollabToken(user.id, workspace.id);
+  }
+
+  @UseGuards(JwtAuthGuard)
+  @HttpCode(HttpStatus.OK)
+  @Post('logout')
+  async logout(@Res({ passthrough: true }) res: FastifyReply) {
+    res.clearCookie('authToken');
+  }
+
+  setAuthCookie(res: FastifyReply, token: string) {
+    res.setCookie('authToken', token, {
+      httpOnly: true,
+      path: '/',
+      expires: addDays(new Date(), 30),
+      secure: this.environmentService.isHttps(),
+    });
+  }
 }