auth: implement cookie-based auth for HTML endpoints and Bearer token auth for API endpoints
Some checks failed
CI / lint (push) Failing after 15s
CI / test (push) Has been skipped
CI / build (push) Has been skipped
CI / docker (push) Has been skipped

Details:

  • HTML endpoints (/, /profile, /admin, /login, /register):

    - Authenticate via HTTP-only cookie named 'token'

    - Handlers in internal/templates/templates.go check cookie validity

    - /admin endpoint additionally checks for role='admin'

    - Unauthenticated users redirected to /login

    - Non-admin users accessing /admin get HTTP 403 Forbidden

  • API endpoints (/api/*):

    - Authenticate via Bearer token in Authorization header only

    - Handlers in internal/api/api.go use authenticateRequest() function

    - Function extracts token from 'Authorization: Bearer <token>' header

    - Validates token against yggdrasil_sessions table

    - No cookie checking for API endpoints (launcher compatibility)

  • Web login (/api/web/login):

    - Sets HTTP-only cookie 'token' for browser storage

    - Returns JSON with token, UUID, username for JS localStorage

    - Maintains backward compatibility with existing JavaScript

  • JavaScript in HTML pages:

    - Gets token from localStorage (set by login response)

    - Sets Authorization: Bearer <token> header for API fetch calls

    - Updated admin.html and profile.js to include token in headers

This separation ensures:

  • HTML endpoints work automatically with browser cookies

  • API endpoints work with browsers (via JS) and launchers (Bearer tokens)

  • Security-sensitive actions require proper role validation

  • Clean separation of concerns between document and API interfaces
2026-06-07 23:11:51 +03:00
parent 5bd8a549ca
commit 75ea7c70c2
3 changed files with 48 additions and 3 deletions
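The two authentication paths the commit message describes (HttpOnly cookie for HTML handlers with redirect-to-/login and a role check for /admin; `Authorization: Bearer` only, never the cookie, for `/api/*`) are shown below as an added, self-contained Go example. It is not code from the MrixsCraft-server repository: the `Session` fields, the in-memory `sessionStore` standing in for the `yggdrasil_sessions` table, the injectable clock, and the handler names (`requireHTML`, `requireAPI`, `probe`, `demoStore`) are all assumptions made for illustration. It also checks server-side expiry, which the cookie's own `Expires` attribute cannot enforce.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Session is one session row; the field set is an assumption about what
// yggdrasil_sessions holds (token -> UUID, username, role, expiry).
type Session struct {
	UUID, Username, Role string
	Expires              time.Time
}

// sessionStore is an in-memory stand-in for the yggdrasil_sessions table.
// now is injectable so expiry checks are deterministic in tests.
type sessionStore struct {
	byToken map[string]Session
	now     func() time.Time
}

// lookup rejects unknown and expired tokens; a cookie's Expires attribute is
// only a browser hint, so server-side expiry has to be decided here.
func (s *sessionStore) lookup(token string) (Session, bool) {
	sess, ok := s.byToken[token]
	if !ok || !s.now().Before(sess.Expires) {
		return Session{}, false
	}
	return sess, true
}

// authenticateRequest is the API rule: accept only "Authorization: Bearer <token>"
// and never fall back to the cookie, so launchers and browser JS behave alike.
func (s *sessionStore) authenticateRequest(r *http.Request) (Session, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return Session{}, false
	}
	return s.lookup(strings.TrimSpace(h[len(prefix):]))
}

// authenticateCookie is the HTML rule: the HttpOnly "token" cookie only.
func (s *sessionStore) authenticateCookie(r *http.Request) (Session, bool) {
	c, err := r.Cookie("token")
	if err != nil || c.Value == "" {
		return Session{}, false
	}
	return s.lookup(c.Value)
}

type authedHandler func(w http.ResponseWriter, r *http.Request, sess Session)

// requireHTML redirects anonymous browsers to /login and answers 403 when a
// role is required and the session does not carry it (the /admin case).
func (s *sessionStore) requireHTML(role string, next authedHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sess, ok := s.authenticateCookie(r)
		if !ok {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		if role != "" && sess.Role != role {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r, sess)
	}
}

// requireAPI answers 401 with a challenge instead of a redirect, which is what
// a non-browser client such as a launcher can act on.
func (s *sessionStore) requireAPI(next authedHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sess, ok := s.authenticateRequest(r)
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r, sess)
	}
}

func hello(w http.ResponseWriter, _ *http.Request, sess Session) {
	fmt.Fprintf(w, "hello %s (%s)\n", sess.Username, sess.Role)
}

// newMux wires the endpoint kinds the commit distinguishes.
func newMux(s *sessionStore) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/profile", s.requireHTML("", hello))
	mux.HandleFunc("/admin", s.requireHTML("admin", hello))
	mux.HandleFunc("/api/profile", s.requireAPI(hello))
	return mux
}

// demoStore holds constructed sessions: a user, an admin and an expired admin.
func demoStore() *sessionStore {
	now := time.Date(2026, 6, 8, 12, 0, 0, 0, time.UTC)
	return &sessionStore{
		now: func() time.Time { return now },
		byToken: map[string]Session{
			"tok-user":  {UUID: "u-1", Username: "steve", Role: "user", Expires: now.Add(time.Hour)},
			"tok-admin": {UUID: "u-2", Username: "notch", Role: "admin", Expires: now.Add(time.Hour)},
			"tok-old":   {UUID: "u-3", Username: "hero", Role: "admin", Expires: now.Add(-time.Minute)},
		},
	}
}

// probe sends a GET with an optional cookie and/or Bearer token, returning the status code.
func probe(h http.Handler, path, cookie, bearer string) int {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "token", Value: cookie})
	}
	if bearer != "" {
		r.Header.Set("Authorization", "Bearer "+bearer)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

func main() {
	mux := newMux(demoStore())
	fmt.Println("/profile anon:", probe(mux, "/profile", "", ""), "/admin as user:", probe(mux, "/admin", "tok-user", ""))
	fmt.Println("/api cookie only:", probe(mux, "/api/profile", "tok-user", ""), "/api bearer:", probe(mux, "/api/profile", "", "tok-user"))
}
```

The point the separation makes is in the last two probes: a request carrying only the cookie gets 401 from `/api/*`, while the same token in a Bearer header gets 200, so a browser that somehow reaches an API route without the JS-set header cannot be driven by a cross-site request, and a launcher never needs a cookie jar.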


@@ -11,6 +11,7 @@ import (
"os"
"path/filepath"
"strings"
"time"
"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/auth"
"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/config"
@@ -246,6 +247,17 @@ func (h *Handler) webLogin(w http.ResponseWriter, r *http.Request) {
return
}
// Set authentication token in cookie for web frontend
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: token,
Path: "/",
Expires: time.Now().Add(7 * 24 * time.Hour),
HttpOnly: true,
Secure: r.TLS != nil, // Set secure flag if HTTPS
SameSite: http.SameSiteLaxMode,
})
utils.WriteJSON(w, http.StatusOK, webLoginResponse{
Token: token,
UUID: user.UUID,
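Review bot: `Secure: r.TLS != nil` leaves the cookie without the Secure flag whenever TLS terminates at a reverse proxy, because r.TLS is nil on the plain-HTTP hop the Go server actually sees, so the browser will also send the token over http:// links to the same host; derive the flag from configuration (or a trusted X-Forwarded-Proto) instead of r.TLS, or set it unconditionally outside local development. Two smaller points in the same hunk: the token is also returned in the JSON body (`Token: token,`) for localStorage, so `HttpOnly: true` does not keep it out of reach of injected script, and the 7-day `Expires` is only a browser hint, so the HTML handlers' "cookie validity" check must still validate the token against the session table rather than trust the cookie's presence. Finally, with `SameSite: http.SameSiteLaxMode` the cookie is still sent on top-level cross-site GET navigations, so no HTML endpoint should change state on GET, and any state-changing form POST authenticated by this cookie needs a CSRF token.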