mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-14 05:39:08 +02:00
* feat(auth): migrate auth token to HttpOnly cookie & implement WebSocket Origin whitelist Security improvements from the MUL-566 audit report: 1. Auth token is now set as an HttpOnly, SameSite=Lax cookie on login, preventing XSS-based token theft. Cookie-based auth includes CSRF protection via double-submit cookie pattern. The Authorization header path is preserved for Electron desktop app and CLI/PAT clients. 2. WebSocket upgrader now validates the Origin header against a configurable allowlist (ALLOWED_ORIGINS env var), rejecting connections from unauthorized origins. Backend: new auth cookie helpers, middleware reads cookie as fallback, WS handler accepts cookie auth, Origin whitelist, logout endpoint. Frontend: CSRF token in API headers, cookie-aware auth store and WS client, web app opts into cookieAuth mode while desktop keeps tokens. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(auth): address PR review — Strict cookies, HMAC-bound CSRF, origin sync 1. SameSite=Lax → SameSite=Strict per spec requirement 2. CSRF token now HMAC-signed with auth token (nonce.signature format), preventing subdomain cookie injection attacks 3. allowedWSOrigins uses atomic.Value to eliminate data race 4. Removed magic "cookie" sentinel string in WSProvider — pass null token and guard with boolean check instead 5. Removed dead delete uploadHeaders["Content-Type"] in API client Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
116 lines
3.6 KiB
Go
116 lines
3.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/jackc/pgx/v5/pgtype"
|
|
"github.com/multica-ai/multica/server/internal/auth"
|
|
"github.com/multica-ai/multica/server/internal/util"
|
|
db "github.com/multica-ai/multica/server/pkg/db/generated"
|
|
)
|
|
|
|
func uuidToString(u pgtype.UUID) string { return util.UUIDToString(u) }
|
|
|
|
// Auth middleware validates JWT tokens or Personal Access Tokens.
|
|
// Token sources (in priority order):
|
|
// 1. Authorization: Bearer <token> header (PAT or JWT)
|
|
// 2. multica_auth HttpOnly cookie (JWT) — requires valid CSRF token for state-changing requests
|
|
//
|
|
// Sets X-User-ID and X-User-Email headers on the request for downstream handlers.
|
|
func Auth(queries *db.Queries) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
tokenString, fromCookie := extractToken(r)
|
|
if tokenString == "" {
|
|
slog.Debug("auth: no token found", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"missing authorization"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// Cookie-based auth requires CSRF validation for state-changing methods.
|
|
if fromCookie && !auth.ValidateCSRF(r) {
|
|
slog.Debug("auth: CSRF validation failed", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"CSRF validation failed"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// PAT: tokens starting with "mul_"
|
|
if strings.HasPrefix(tokenString, "mul_") {
|
|
if queries == nil {
|
|
http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
hash := auth.HashToken(tokenString)
|
|
pat, err := queries.GetPersonalAccessTokenByHash(r.Context(), hash)
|
|
if err != nil {
|
|
slog.Warn("auth: invalid PAT", "path", r.URL.Path, "error", err)
|
|
http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
r.Header.Set("X-User-ID", uuidToString(pat.UserID))
|
|
|
|
// Best-effort: update last_used_at
|
|
go queries.UpdatePersonalAccessTokenLastUsed(context.Background(), pat.ID)
|
|
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
// JWT
|
|
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (any, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, jwt.ErrSignatureInvalid
|
|
}
|
|
return auth.JWTSecret(), nil
|
|
})
|
|
if err != nil || !token.Valid {
|
|
slog.Warn("auth: invalid token", "path", r.URL.Path, "error", err)
|
|
http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok {
|
|
slog.Warn("auth: invalid claims", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"invalid claims"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
sub, ok := claims["sub"].(string)
|
|
if !ok || strings.TrimSpace(sub) == "" {
|
|
slog.Warn("auth: invalid claims", "path", r.URL.Path)
|
|
http.Error(w, `{"error":"invalid claims"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
r.Header.Set("X-User-ID", sub)
|
|
if email, ok := claims["email"].(string); ok {
|
|
r.Header.Set("X-User-Email", email)
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// extractToken returns the bearer token and whether it came from a cookie.
|
|
// Priority: Authorization header > multica_auth cookie.
|
|
func extractToken(r *http.Request) (token string, fromCookie bool) {
|
|
if authHeader := r.Header.Get("Authorization"); authHeader != "" {
|
|
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
|
|
if tokenString != authHeader {
|
|
return tokenString, false
|
|
}
|
|
}
|
|
|
|
if cookie, err := r.Cookie(auth.AuthCookieName); err == nil && cookie.Value != "" {
|
|
return cookie.Value, true
|
|
}
|
|
|
|
return "", false
|
|
}
|