feat(auth): migrate JWT storage from localStorage to httpOnly cookies

Eliminates XSS token theft risk by storing session JWTs in an httpOnly cookie (trek_session) instead of localStorage, making them inaccessible to JavaScript entirely. - Add cookie-parser middleware and setAuthCookie/clearAuthCookie helpers - Set trek_session cookie on login, register, demo-login, MFA verify, OIDC exchange - Auth middleware reads cookie first, falls back to Authorization: Bearer (MCP unchanged) - Add POST /api/auth/logout to clear the cookie server-side - Remove all localStorage auth_token reads/writes from client - Axios uses withCredentials; raw fetch calls use credentials: include - WebSocket ws-token exchange uses credentials: include (no JWT param) - authStore initialises isLoading: true so ProtectedRoute waits for /api/auth/me Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-21 06:11:45 +00:00 · 2026-04-01 11:02:45 +02:00
parent 9292acb979
commit add0b17e04
14 changed files with 115 additions and 68 deletions
@@ -17,7 +17,6 @@ interface AvatarResponse {

 interface AuthState {
  user: User | null
-  token: string | null
  isAuthenticated: boolean
  isLoading: boolean
  error: string | null
@@ -49,9 +48,8 @@ interface AuthState {

 export const useAuthStore = create<AuthState>((set, get) => ({
  user: null,
-  token: localStorage.getItem('auth_token') || null,
-  isAuthenticated: !!localStorage.getItem('auth_token'),
-  isLoading: false,
+  isAuthenticated: false,
+  isLoading: true,
  error: null,
  demoMode: localStorage.getItem('demo_mode') === 'true',
  hasMapsKey: false,
@@ -67,15 +65,13 @@ export const useAuthStore = create<AuthState>((set, get) => ({
        set({ isLoading: false, error: null })
        return { mfa_required: true as const, mfa_token: data.mfa_token }
      }
-      localStorage.setItem('auth_token', data.token)
      set({
        user: data.user,
-        token: data.token,
        isAuthenticated: true,
        isLoading: false,
        error: null,
      })
-      connect(data.token)
+      connect()
      return data as AuthResponse
    } catch (err: unknown) {
      const error = getApiErrorMessage(err, 'Login failed')
@@ -88,15 +84,13 @@ export const useAuthStore = create<AuthState>((set, get) => ({
    set({ isLoading: true, error: null })
    try {
      const data = await authApi.verifyMfaLogin({ mfa_token: mfaToken, code: code.replace(/\s/g, '') })
-      localStorage.setItem('auth_token', data.token)
      set({
        user: data.user,
-        token: data.token,
        isAuthenticated: true,
        isLoading: false,
        error: null,
      })
-      connect(data.token)
+      connect()
      return data as AuthResponse
    } catch (err: unknown) {
      const error = getApiErrorMessage(err, 'Verification failed')
@@ -109,15 +103,13 @@ export const useAuthStore = create<AuthState>((set, get) => ({
    set({ isLoading: true, error: null })
    try {
      const data = await authApi.register({ username, email, password, invite_token })
-      localStorage.setItem('auth_token', data.token)
      set({
        user: data.user,
-        token: data.token,
        isAuthenticated: true,
        isLoading: false,
        error: null,
      })
-      connect(data.token)
+      connect()
      return data
    } catch (err: unknown) {
      const error = getApiErrorMessage(err, 'Registration failed')
@@ -128,7 +120,8 @@ export const useAuthStore = create<AuthState>((set, get) => ({

  logout: () => {
    disconnect()
-    localStorage.removeItem('auth_token')
+    // Tell server to clear the httpOnly cookie
+    fetch('/api/auth/logout', { method: 'POST', credentials: 'include' }).catch(() => {})
    // Clear service worker caches containing sensitive data
    if ('caches' in window) {
      caches.delete('api-data').catch(() => {})
@@ -136,7 +129,6 @@ export const useAuthStore = create<AuthState>((set, get) => ({
    }
    set({
      user: null,
-      token: null,
      isAuthenticated: false,
      error: null,
    })
@@ -144,11 +136,6 @@ export const useAuthStore = create<AuthState>((set, get) => ({

  loadUser: async (opts?: { silent?: boolean }) => {
    const silent = !!opts?.silent
-    const token = get().token
-    if (!token) {
-      if (!silent) set({ isLoading: false })
-      return
-    }
    if (!silent) set({ isLoading: true })
    try {
      const data = await authApi.me()
@@ -157,16 +144,14 @@ export const useAuthStore = create<AuthState>((set, get) => ({
        isAuthenticated: true,
        isLoading: false,
      })
-      connect(token)
+      connect()
    } catch (err: unknown) {
      // Only clear auth state on 401 (invalid/expired token), not on network errors
      const isAuthError = err && typeof err === 'object' && 'response' in err &&
        (err as { response?: { status?: number } }).response?.status === 401
      if (isAuthError) {
-        localStorage.removeItem('auth_token')
        set({
          user: null,
-          token: null,
          isAuthenticated: false,
          isLoading: false,
        })
@@ -233,16 +218,14 @@ export const useAuthStore = create<AuthState>((set, get) => ({
    set({ isLoading: true, error: null })
    try {
      const data = await authApi.demoLogin()
-      localStorage.setItem('auth_token', data.token)
      set({
        user: data.user,
-        token: data.token,
        isAuthenticated: true,
        isLoading: false,
        demoMode: true,
        error: null,
      })
-      connect(data.token)
+      connect()
      return data
    } catch (err: unknown) {
      const error = getApiErrorMessage(err, 'Demo login failed')