
fix: complete HttpOnly cookie-based auth#23

Merged
VanessaBizzell merged 3 commits into main from fix/httponly-cookie-auth
Feb 25, 2026

Conversation

@VanessaBizzell
Contributor

Summary

  • RefreshToken handler reads token from HttpOnly cookie instead of JSON body, fixing the 15-minute logout bug (JS can't read HttpOnly cookies)
  • Login and ConfirmCode switch from GET+query params to POST+JSON body, preventing email/code exposure in logs and browser history
  • Configurable RefreshPath on CookieConfig for projects mounting routes behind a prefix (defaults to /auth/refresh)
  • Guard against panic when ReturnUrls config is empty and no returnUrl is sent

Breaking changes

  • POST /auth/login — was GET with query params, now POST with JSON body {"email": "...", "returnUrl": "..."}
  • POST /auth/confirm — was GET with query params, now POST with JSON body {"code": "...", "email": "..."}
  • POST /auth/refresh — reads refresh_token cookie automatically, no longer accepts {"token": "..."} in body
  • Refresh error responses return 401 instead of 500/400

Test plan

  • Regression tests added before any changes (Phase 1 commit)
  • All handler tests updated for POST/cookie changes
  • Custom RefreshPath tests for set/clear cookies
  • Empty ReturnUrls config panic guard tested
  • go test ./... passes (62 tests)

🤖 Generated with Claude Code
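
The flow the summary describes, as an added example in Go that is not the project's code: a refresh handler that reads the refresh_token cookie and answers 401 when it is absent or rejected, set/clear helpers scoped to a configurable RefreshPath defaulting to /auth/refresh, and the guard for an empty ReturnUrls config. The CookieConfig field names, the validate callback, the Secure and SameSite attributes, and treating ReturnUrls as an allow-list for an explicitly supplied returnUrl are assumptions of this example, not details taken from the PR.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
	"time"
)

// CookieConfig is an assumed shape; only the RefreshPath field comes from the PR description.
type CookieConfig struct {
	Name        string // "refresh_token" in the PR
	RefreshPath string // defaults to "/auth/refresh" when empty
}

func (c CookieConfig) path() string {
	if c.RefreshPath == "" {
		return "/auth/refresh"
	}
	return c.RefreshPath
}

// SetRefreshCookie issues the token as an HttpOnly cookie scoped to the refresh path: JS cannot
// read it and the browser sends it only there. Secure and SameSite are this example's additions.
func SetRefreshCookie(w http.ResponseWriter, cfg CookieConfig, token string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name: cfg.Name, Value: token, Path: cfg.path(), MaxAge: int(ttl.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
}

// ClearRefreshCookie must use the same Path as SetRefreshCookie, or the browser keeps the old cookie.
func ClearRefreshCookie(w http.ResponseWriter, cfg CookieConfig) {
	http.SetCookie(w, &http.Cookie{Name: cfg.Name, Path: cfg.path(), HttpOnly: true, Secure: true, MaxAge: -1})
}

// RefreshHandler reads the token from the cookie, never the JSON body; every failure is a 401.
func RefreshHandler(cfg CookieConfig, validate func(string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cfg.Name)
		if err != nil || c.Value == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		access, err := validate(c.Value)
		if err != nil {
			ClearRefreshCookie(w, cfg) // a rejected token is dead; drop it client-side too
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": access})
	}
}

// ResolveReturnURL is the panic guard: no configured ReturnUrls and no returnUrl in the request
// gives an error (a 400 upstream) instead of indexing allowed[0]. The allow-list check is assumed.
func ResolveReturnURL(allowed []string, requested string) (string, error) {
	if requested == "" {
		if len(allowed) == 0 {
			return "", errors.New("returnUrl is required")
		}
		return allowed[0], nil
	}
	if !slices.Contains(allowed, requested) {
		return "", errors.New("returnUrl not allowed")
	}
	return requested, nil
}

// Demo runs login then refresh in-process with httptest: status with/without the cookie, and its Path.
func Demo(cfg CookieConfig) (withCookie, withoutCookie int, cookiePath string) {
	validate := func(tok string) (string, error) { // constructed stand-in for real validation
		if tok == "good-refresh-token" {
			return "new-access-token", nil
		}
		return "", errors.New("invalid refresh token")
	}
	refresh := RefreshHandler(cfg, validate)
	login := httptest.NewRecorder()
	SetRefreshCookie(login, cfg, "good-refresh-token", 24*time.Hour)
	issued := login.Result().Cookies()[0]
	cookiePath = issued.Path
	req := httptest.NewRequest(http.MethodPost, cfg.path(), nil)
	req.AddCookie(issued) // the browser does this automatically; JS never sees the value
	rec := httptest.NewRecorder()
	refresh(rec, req)
	withCookie = rec.Code
	rec = httptest.NewRecorder()
	refresh(rec, httptest.NewRequest(http.MethodPost, cfg.path(), nil)) // no cookie: 401, not 500
	withoutCookie = rec.Code
	return
}

func main() {
	fmt.Println(Demo(CookieConfig{Name: "refresh_token"}))
}
```

Scoping the cookie's Path to the refresh endpoint means ordinary API calls never carry the refresh token, and it is also why the clear helper has to use the same Path as the set helper: a deletion with a different Path targets a different cookie, so the old one survives. That is the check a custom RefreshPath test needs to cover for both set and clear.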

VanessaBizzell and others added 3 commits February 25, 2026 15:15

Lock down current behavior for cookies, auth logic, and HTTP handlers
so Phase 2 refactoring can proceed with confidence.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- RefreshToken handler reads from HttpOnly cookie instead of JSON body,
  fixing the 15-minute logout bug (JS can't read HttpOnly cookies)
- Login and ConfirmCode switch from GET+query params to POST+JSON body,
  preventing email/code exposure in logs and browser history
- Add configurable RefreshPath to CookieConfig for projects mounting
  routes behind a prefix (defaults to "/auth/refresh")
- Update all handler tests for new request formats

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Return 400 instead of panicking with index-out-of-range when a login
request omits returnUrl and no ReturnUrls are configured.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@VanessaBizzell VanessaBizzell merged commit 4ed338c into main Feb 25, 2026
1 check passed
@VanessaBizzell VanessaBizzell deleted the fix/httponly-cookie-auth branch February 25, 2026 17:05