feat!: implement security improvements for authentication#21

Merged
VanessaBizzell merged 3 commits into main from feature/security-improvements
Feb 12, 2026
Conversation

Contributor

@VanessaBizzell VanessaBizzell commented Feb 12, 2026

Summary

  • URL encoding: Email and code parameters in login links are now URL-encoded to handle special characters (e.g., + in emails)
  • Input validation: LoginStep1SendVerificationCode now validates returnUrl against allowed list
  • POST for refresh: /auth/refresh changed from GET to POST with JSON body (breaking change)
  • httpOnly cookies: Tokens now delivered via secure httpOnly cookies instead of response body (breaking change)
  • CSRF protection: New CSRFMiddleware and SetCSRFCookie helper for state-changing requests
  • Logout endpoint: New POST /auth/logout to clear token cookies
  • Cookie auth in middleware: VerifyAuthenticationToken now supports both Authorization header and cookie-based auth
  • Go 1.26: Upgraded from Go 1.22 to Go 1.26

Breaking Changes

This is a major version release (v3.0.0). Consumers must update their code:

  1. Refresh endpoint: GET /auth/refresh?token=xxx → POST /auth/refresh with {"token": "xxx"}
  2. Token handling: Tokens returned as cookies, not in response body
  3. Frontend changes: Add credentials: 'include' to fetch calls, add X-CSRF-Token header for POST/PUT/DELETE
  4. Go version: Requires Go 1.26+

Test plan

  • 37 new unit tests covering all security features
  • Manual integration testing with REST client (login → confirm → protected → CSRF-protected action)
  • Test in consumer project (Launch Saviour)

🤖 Generated with Claude Code
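As an added example (not the project's own code), here is how the three pieces the summary describes fit together in Go: a helper that takes the token from the Authorization header or falls back to the httpOnly cookie, a double-submit CSRF check that compares the X-CSRF-Token header against a CSRF cookie on state-changing methods, and the setter for that CSRF cookie. Cookie names and function names are assumptions; the project's own API (CSRFMiddleware, SetCSRFCookie, VerifyAuthenticationToken) may differ.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)
// Cookie and header names are assumptions for this example, not the project's.
const (
	tokenCookieName = "access_token"
	csrfCookieName  = "csrf_token"
	csrfHeaderName  = "X-CSRF-Token"
)

// setCSRFCookie issues the double-submit cookie. It is deliberately NOT httpOnly:
// the frontend must read it to copy the value into the X-CSRF-Token header.
func setCSRFCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: token, Path: "/",
		Secure: true, HttpOnly: false, SameSite: http.SameSiteStrictMode})
}

// bearerOrCookieToken prefers the Authorization header and falls back to the
// httpOnly token cookie, mirroring the dual scheme the PR describes.
func bearerOrCookieToken(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	}
	if c, err := r.Cookie(tokenCookieName); err == nil {
		return c.Value
	}
	return ""
}

// csrfGuard rejects state-changing requests whose X-CSRF-Token header does not
// match the CSRF cookie (double-submit pattern); safe methods pass through.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(csrfCookieName)
		hdr := r.Header.Get(csrfHeaderName)
		if err != nil || hdr == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
			http.Error(w, "CSRF token missing or mismatched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Because the token cookie is httpOnly, a cross-site page cannot read it, but the browser would still attach it; the CSRF header requirement is what stops that cookie from authorising a forged POST.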

VanessaBizzell and others added 3 commits February 12, 2026 15:14
BREAKING CHANGES:
- Refresh endpoint changed from GET to POST with JSON body
- Tokens now returned as httpOnly cookies instead of response body
- CSRF protection enabled for state-changing requests

Security improvements:
- URL-encode email and code parameters in login links
- Add input validation for returnUrl in LoginStep1SendVerificationCode
- Add httpOnly cookie-based token delivery (SetTokenCookies, ClearTokenCookies)
- Add CSRF middleware and SetCSRFCookie helper
- Update middleware to support both Authorization header and cookie auth
- Add /auth/logout POST endpoint

Also fixes pre-existing test failure for RFC 5321-compliant IP literal emails.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Reverts accidental change to pre-existing test case.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update go.mod to Go 1.26
- Update CI workflow to use Go 1.26
- Fix email validator test for Go 1.24+ behavior (RFC 5321 IP literals)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@VanessaBizzell VanessaBizzell merged commit daea970 into main Feb 12, 2026
1 check passed
@VanessaBizzell VanessaBizzell deleted the feature/security-improvements branch February 12, 2026 16:19