mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-14 05:39:08 +02:00
* feat(auth): migrate auth token to HttpOnly cookie & implement WebSocket Origin whitelist Security improvements from the MUL-566 audit report: 1. Auth token is now set as an HttpOnly, SameSite=Lax cookie on login, preventing XSS-based token theft. Cookie-based auth includes CSRF protection via double-submit cookie pattern. The Authorization header path is preserved for Electron desktop app and CLI/PAT clients. 2. WebSocket upgrader now validates the Origin header against a configurable allowlist (ALLOWED_ORIGINS env var), rejecting connections from unauthorized origins. Backend: new auth cookie helpers, middleware reads cookie as fallback, WS handler accepts cookie auth, Origin whitelist, logout endpoint. Frontend: CSRF token in API headers, cookie-aware auth store and WS client, web app opts into cookieAuth mode while desktop keeps tokens. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(auth): address PR review — Strict cookies, HMAC-bound CSRF, origin sync 1. SameSite=Lax → SameSite=Strict per spec requirement 2. CSRF token now HMAC-signed with auth token (nonce.signature format), preventing subdomain cookie injection attacks 3. allowedWSOrigins uses atomic.Value to eliminate data race 4. Removed magic "cookie" sentinel string in WSProvider — pass null token and guard with boolean check instead 5. Removed dead delete uploadHeaders["Content-Type"] in API client Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
199 lines
5.6 KiB
Go
199 lines
5.6 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/multica-ai/multica/server/internal/auth"
|
|
)
|
|
|
|
func generateToken(claims jwt.MapClaims, secret []byte) string {
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
s, _ := token.SignedString(secret)
|
|
return s
|
|
}
|
|
|
|
func validClaims() jwt.MapClaims {
|
|
return jwt.MapClaims{
|
|
"sub": "test-user-id",
|
|
"email": "test@multica.ai",
|
|
"exp": time.Now().Add(time.Hour).Unix(),
|
|
}
|
|
}
|
|
|
|
// authMiddleware returns the Auth middleware with nil queries (JWT-only tests).
|
|
func authMiddleware(next http.Handler) http.Handler {
|
|
return Auth(nil)(next)
|
|
}
|
|
|
|
func TestAuth_MissingHeader(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
if body := w.Body.String(); body != `{"error":"missing authorization"}`+"\n" {
|
|
t.Fatalf("unexpected body: %s", body)
|
|
}
|
|
}
|
|
|
|
func TestAuth_NoBearerPrefix(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Token some-token")
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
// Non-Bearer Authorization header with no cookie falls through to "missing authorization".
|
|
if body := w.Body.String(); body != `{"error":"missing authorization"}`+"\n" {
|
|
t.Fatalf("unexpected body: %s", body)
|
|
}
|
|
}
|
|
|
|
func TestAuth_InvalidToken(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer not-a-valid-jwt")
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuth_ExpiredToken(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
claims := validClaims()
|
|
claims["exp"] = time.Now().Add(-time.Hour).Unix()
|
|
token := generateToken(claims, auth.JWTSecret())
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuth_WrongSecret(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
token := generateToken(validClaims(), []byte("wrong-secret"))
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuth_WrongSigningMethod(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
// Use "none" signing method
|
|
token := jwt.NewWithClaims(jwt.SigningMethodNone, validClaims())
|
|
s, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer "+s)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuth_ValidToken(t *testing.T) {
|
|
var gotUserID, gotEmail string
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
gotUserID = r.Header.Get("X-User-ID")
|
|
gotEmail = r.Header.Get("X-User-Email")
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
token := generateToken(validClaims(), auth.JWTSecret())
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d", w.Code)
|
|
}
|
|
if gotUserID != "test-user-id" {
|
|
t.Fatalf("expected X-User-ID 'test-user-id', got '%s'", gotUserID)
|
|
}
|
|
if gotEmail != "test@multica.ai" {
|
|
t.Fatalf("expected X-User-Email 'test@multica.ai', got '%s'", gotEmail)
|
|
}
|
|
}
|
|
|
|
func TestAuth_MissingClaims(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
// Token with no sub or email claims, only exp
|
|
claims := jwt.MapClaims{
|
|
"exp": time.Now().Add(time.Hour).Unix(),
|
|
}
|
|
token := generateToken(claims, auth.JWTSecret())
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAuth_InvalidPAT(t *testing.T) {
|
|
handler := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next handler should not be called")
|
|
}))
|
|
|
|
req := httptest.NewRequest("GET", "/api/me", nil)
|
|
req.Header.Set("Authorization", "Bearer mul_invalid_token_here")
|
|
w := httptest.NewRecorder()
|
|
handler.ServeHTTP(w, req)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Fatalf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|