feat: Store accessToken in cookies instead of localStorage

client/package-lock.json

@@ -14,6 +14,7 @@
         "i18next": "^21.6.16",
         "i18next-browser-languagedetector": "^6.1.4",
         "initials": "^3.1.2",
+        "js-cookie": "^3.0.1",
         "lodash": "^4.17.20",
         "node-sass": "^7.0.1",
         "prop-types": "^15.8.1",
@@ -13534,6 +13535,14 @@
       "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-2.6.4.tgz",
       "integrity": "sha512-pZe//GGmwJndub7ZghVHz7vjb2LgC1m8B07Au3eYqeqv9emhESByMXxaEgkUkEqJe87oBbSniGYoQNIBklc7IQ=="
     },
+    "node_modules/js-cookie": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.1.tgz",
+      "integrity": "sha512-+0rgsUXZu4ncpPxRL+lNEptWMOWl9etvPHc/koSRp6MPwpRYAhmk0dUG00J4bxVV3r9uUzfo24wW0knS07SKSw==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
     "node_modules/js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
@@ -33059,6 +33068,11 @@
       "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-2.6.4.tgz",
       "integrity": "sha512-pZe//GGmwJndub7ZghVHz7vjb2LgC1m8B07Au3eYqeqv9emhESByMXxaEgkUkEqJe87oBbSniGYoQNIBklc7IQ=="
     },
+    "js-cookie": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.1.tgz",
+      "integrity": "sha512-+0rgsUXZu4ncpPxRL+lNEptWMOWl9etvPHc/koSRp6MPwpRYAhmk0dUG00J4bxVV3r9uUzfo24wW0knS07SKSw=="
+    },
     "js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",

client/package.json

@@ -71,6 +71,7 @@
     "i18next": "^21.6.16",
     "i18next-browser-languagedetector": "^6.1.4",
     "initials": "^3.1.2",
+    "js-cookie": "^3.0.1",
     "lodash": "^4.17.20",
     "node-sass": "^7.0.1",
     "prop-types": "^15.8.1",

client/src/api/access-tokens.js

@@ -2,7 +2,7 @@ import http from './http';
 
 /* Actions */
 
-const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
+const createAccessToken = (data) => http.post('/access-tokens', data);
 
 export default {
   createAccessToken,

client/src/api/actions.js

@@ -9,8 +9,8 @@ export const transformAction = (action) => ({
 
 /* Actions */
 
-const getActions = (cardId, data, headers) =>
+const getActions = (cardId, data) =>
-  socket.get(`/cards/${cardId}/actions`, data, headers).then((body) => ({
+  socket.get(`/cards/${cardId}/actions`, data).then((body) => ({
     ...body,
     items: body.items.map(transformAction),
   }));

client/src/api/attachments.js

@@ -10,20 +10,20 @@ export const transformAttachment = (attachment) => ({
 
 /* Actions */
 
-const createAttachment = (cardId, data, requestId, headers) =>
+const createAttachment = (cardId, data, requestId) =>
-  http.post(`/cards/${cardId}/attachments?requestId=${requestId}`, data, headers).then((body) => ({
+  http.post(`/cards/${cardId}/attachments?requestId=${requestId}`, data).then((body) => ({
     ...body,
     item: transformAttachment(body.item),
   }));
 
-const updateAttachment = (id, data, headers) =>
+const updateAttachment = (id, data) =>
-  socket.patch(`/attachments/${id}`, data, headers).then((body) => ({
+  socket.patch(`/attachments/${id}`, data).then((body) => ({
     ...body,
     item: transformAttachment(body.item),
   }));
 
-const deleteAttachment = (id, headers) =>
+const deleteAttachment = (id) =>
-  socket.delete(`/attachments/${id}`, undefined, headers).then((body) => ({
+  socket.delete(`/attachments/${id}`).then((body) => ({
     ...body,
     item: transformAttachment(body.item),
   }));

client/src/api/board-memberships.js

@@ -2,11 +2,10 @@ import socket from './socket';
 
 /* Actions */
 
-const createBoardMembership = (boardId, data, headers) =>
+const createBoardMembership = (boardId, data) =>
-  socket.post(`/boards/${boardId}/memberships`, data, headers);
+  socket.post(`/boards/${boardId}/memberships`, data);
 
-const deleteBoardMembership = (id, headers) =>
+const deleteBoardMembership = (id) => socket.delete(`/board-memberships/${id}`);
-  socket.delete(`/board-memberships/${id}`, undefined, headers);
 
 export default {
   createBoardMembership,

client/src/api/boards.js

@@ -4,11 +4,10 @@ import { transformAttachment } from './attachments';
 
 /* Actions */
 
-const createBoard = (projectId, data, headers) =>
+const createBoard = (projectId, data) => socket.post(`/projects/${projectId}/boards`, data);
-  socket.post(`/projects/${projectId}/boards`, data, headers);
 
-const getBoard = (id, headers) =>
+const getBoard = (id) =>
-  socket.get(`/boards/${id}`, undefined, headers).then((body) => ({
+  socket.get(`/boards/${id}`).then((body) => ({
     ...body,
     included: {
       ...body.included,
@@ -17,9 +16,9 @@ const getBoard = (id, headers) =>
     },
   }));
 
-const updateBoard = (id, data, headers) => socket.patch(`/boards/${id}`, data, headers);
+const updateBoard = (id, data) => socket.patch(`/boards/${id}`, data);
 
-const deleteBoard = (id, headers) => socket.delete(`/boards/${id}`, undefined, headers);
+const deleteBoard = (id) => socket.delete(`/boards/${id}`);
 
 export default {
   createBoard,

client/src/api/card-labels.js

@@ -2,11 +2,9 @@ import socket from './socket';
 
 /* Actions */
 
-const createCardLabel = (cardId, data, headers) =>
+const createCardLabel = (cardId, data) => socket.post(`/cards/${cardId}/labels`, data);
-  socket.post(`/cards/${cardId}/labels`, data, headers);
 
-const deleteCardLabel = (cardId, labelId, headers) =>
+const deleteCardLabel = (cardId, labelId) => socket.delete(`/cards/${cardId}/labels/${labelId}`);
-  socket.delete(`/cards/${cardId}/labels/${labelId}`, undefined, headers);
 
 export default {
   createCardLabel,

client/src/api/card-memberships.js

@@ -2,11 +2,10 @@ import socket from './socket';
 
 /* Actions */
 
-const createCardMembership = (cardId, data, headers) =>
+const createCardMembership = (cardId, data) => socket.post(`/cards/${cardId}/memberships`, data);
-  socket.post(`/cards/${cardId}/memberships`, data, headers);
 
-const deleteCardMembership = (cardId, userId, headers) =>
+const deleteCardMembership = (cardId, userId) =>
-  socket.delete(`/cards/${cardId}/memberships?userId=${userId}`, undefined, headers);
+  socket.delete(`/cards/${cardId}/memberships?userId=${userId}`);
 
 export default {
   createCardMembership,

client/src/api/cards.js

@@ -35,8 +35,8 @@ export const transformCardData = (data) => ({
 
 /* Actions */
 
-const getCards = (boardId, data, headers) =>
+const getCards = (boardId, data) =>
-  socket.get(`/board/${boardId}/cards`, data, headers).then((body) => ({
+  socket.get(`/board/${boardId}/cards`, data).then((body) => ({
     ...body,
     items: body.items.map(transformCard),
     included: {
@@ -45,26 +45,26 @@ const getCards = (boardId, data, headers) =>
     },
   }));
 
-const createCard = (boardId, data, headers) =>
+const createCard = (boardId, data) =>
-  socket.post(`/boards/${boardId}/cards`, transformCardData(data), headers).then((body) => ({
+  socket.post(`/boards/${boardId}/cards`, transformCardData(data)).then((body) => ({
     ...body,
     item: transformCard(body.item),
   }));
 
-const getCard = (id, headers) =>
+const getCard = (id) =>
-  socket.get(`/cards/${id}`, undefined, headers).then((body) => ({
+  socket.get(`/cards/${id}`).then((body) => ({
     ...body,
     item: transformCard(body.item),
   }));
 
-const updateCard = (id, data, headers) =>
+const updateCard = (id, data) =>
-  socket.patch(`/cards/${id}`, transformCardData(data), headers).then((body) => ({
+  socket.patch(`/cards/${id}`, transformCardData(data)).then((body) => ({
     ...body,
     item: transformCard(body.item),
   }));
 
-const deleteCard = (id, headers) =>
+const deleteCard = (id) =>
-  socket.delete(`/cards/${id}`, undefined, headers).then((body) => ({
+  socket.delete(`/cards/${id}`).then((body) => ({
     ...body,
     item: transformCard(body.item),
   }));

client/src/api/comment-actions.js

@@ -3,20 +3,20 @@ import { transformAction } from './actions';
 
 /* Actions */
 
-const createCommentAction = (cardId, data, headers) =>
+const createCommentAction = (cardId, data) =>
-  socket.post(`/cards/${cardId}/comment-actions`, data, headers).then((body) => ({
+  socket.post(`/cards/${cardId}/comment-actions`, data).then((body) => ({
     ...body,
     item: transformAction(body.item),
   }));
 
-const updateCommentAction = (id, data, headers) =>
+const updateCommentAction = (id, data) =>
-  socket.patch(`/comment-actions/${id}`, data, headers).then((body) => ({
+  socket.patch(`/comment-actions/${id}`, data).then((body) => ({
     ...body,
     item: transformAction(body.item),
   }));
 
-const deleteCommentAction = (id, headers) =>
+const deleteCommentAction = (id) =>
-  socket.delete(`/comment-actions/${id}`, undefined, headers).then((body) => ({
+  socket.delete(`/comment-actions/${id}`).then((body) => ({
     ...body,
     item: transformAction(body.item),
   }));

client/src/api/http.js

@@ -6,7 +6,7 @@ const http = {};
 
 // TODO: add all methods
 ['POST'].forEach((method) => {
-  http[method.toLowerCase()] = (url, data, headers) => {
+  http[method.toLowerCase()] = (url, data) => {
     const formData = Object.keys(data).reduce((result, key) => {
       result.append(key, data[key]);
 
@@ -15,8 +15,8 @@ const http = {};
 
     return fetch(`${Config.SERVER_BASE_URL}/api${url}`, {
       method,
-      headers,
       body: formData,
+      ...Config.FETCH_OPTIONS,
     })
       .then((response) =>
         response.json().then((body) => ({

client/src/api/labels.js

@@ -2,12 +2,11 @@ import socket from './socket';
 
 /* Actions */
 
-const createLabel = (boardId, data, headers) =>
+const createLabel = (boardId, data) => socket.post(`/boards/${boardId}/labels`, data);
-  socket.post(`/boards/${boardId}/labels`, data, headers);
 
-const updateLabel = (id, data, headers) => socket.patch(`/labels/${id}`, data, headers);
+const updateLabel = (id, data) => socket.patch(`/labels/${id}`, data);
 
-const deleteLabel = (id, headers) => socket.delete(`/labels/${id}`, undefined, headers);
+const deleteLabel = (id) => socket.delete(`/labels/${id}`);
 
 export default {
   createLabel,

client/src/api/lists.js

@@ -2,12 +2,11 @@ import socket from './socket';
 
 /* Actions */
 
-const createList = (boardId, data, headers) =>
+const createList = (boardId, data) => socket.post(`/boards/${boardId}/lists`, data);
-  socket.post(`/boards/${boardId}/lists`, data, headers);
 
-const updateList = (id, data, headers) => socket.patch(`/lists/${id}`, data, headers);
+const updateList = (id, data) => socket.patch(`/lists/${id}`, data);
 
-const deleteList = (id, headers) => socket.delete(`/lists/${id}`, undefined, headers);
+const deleteList = (id) => socket.delete(`/lists/${id}`);
 
 export default {
   createList,

client/src/api/notifications.js

@@ -4,8 +4,8 @@ import { transformAction } from './actions';
 
 /* Actions */
 
-const getNotifications = (headers) =>
+const getNotifications = () =>
-  socket.get('/notifications', undefined, headers).then((body) => ({
+  socket.get('/notifications').then((body) => ({
     ...body,
     included: {
       ...body.included,
@@ -14,8 +14,8 @@ const getNotifications = (headers) =>
     },
   }));
 
-const getNotification = (id, headers) =>
+const getNotification = (id) =>
-  socket.get(`/notifications/${id}`, undefined, headers).then((body) => ({
+  socket.get(`/notifications/${id}`).then((body) => ({
     ...body,
     included: {
       ...body.included,
@@ -24,8 +24,7 @@ const getNotification = (id, headers) =>
     },
   }));
 
-const updateNotifications = (ids, data, headers) =>
+const updateNotifications = (ids, data) => socket.patch(`/notifications/${ids.join(',')}`, data);
-  socket.patch(`/notifications/${ids.join(',')}`, data, headers);
 
 export default {
   getNotifications,

client/src/api/project-managers.js

@@ -2,11 +2,10 @@ import socket from './socket';
 
 /* Actions */
 
-const createProjectManager = (projectId, data, headers) =>
+const createProjectManager = (projectId, data) =>
-  socket.post(`/projects/${projectId}/managers`, data, headers);
+  socket.post(`/projects/${projectId}/managers`, data);
 
-const deleteProjectManager = (id, headers) =>
+const deleteProjectManager = (id) => socket.delete(`/project-managers/${id}`);
-  socket.delete(`/project-managers/${id}`, undefined, headers);
 
 export default {
   createProjectManager,

client/src/api/projects.js

@@ -3,18 +3,18 @@ import socket from './socket';
 
 /* Actions */
 
-const getProjects = (headers) => socket.get('/projects', undefined, headers);
+const getProjects = () => socket.get('/projects');
 
-const createProject = (data, headers) => socket.post('/projects', data, headers);
+const createProject = (data) => socket.post('/projects', data);
 
-const getProject = (id, headers) => socket.get(`/projects/${id}`, undefined, headers);
+const getProject = (id) => socket.get(`/projects/${id}`);
 
-const updateProject = (id, data, headers) => socket.patch(`/projects/${id}`, data, headers);
+const updateProject = (id, data) => socket.patch(`/projects/${id}`, data);
 
-const updateProjectBackgroundImage = (id, data, headers) =>
+const updateProjectBackgroundImage = (id, data) =>
-  http.post(`/projects/${id}/background-image`, data, headers);
+  http.post(`/projects/${id}/background-image`, data);
 
-const deleteProject = (id, headers) => socket.delete(`/projects/${id}`, undefined, headers);
+const deleteProject = (id) => socket.delete(`/projects/${id}`);
 
 export default {
   getProjects,

client/src/api/socket.js

@@ -16,13 +16,12 @@ const { socket } = io;
 socket.connect = socket._connect; // eslint-disable-line no-underscore-dangle
 
 ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'].forEach((method) => {
-  socket[method.toLowerCase()] = (url, data, headers) =>
+  socket[method.toLowerCase()] = (url, data) =>
     new Promise((resolve, reject) => {
       socket.request(
         {
           method,
           data,
-          headers,
           url: `/api${url}`,
         },
         (_, { body, error }) => {

client/src/api/tasks.js

@@ -2,11 +2,11 @@ import socket from './socket';
 
 /* Actions */
 
-const createTask = (cardId, data, headers) => socket.post(`/cards/${cardId}/tasks`, data, headers);
+const createTask = (cardId, data) => socket.post(`/cards/${cardId}/tasks`, data);
 
-const updateTask = (id, data, headers) => socket.patch(`/tasks/${id}`, data, headers);
+const updateTask = (id, data) => socket.patch(`/tasks/${id}`, data);
 
-const deleteTask = (id, headers) => socket.delete(`/tasks/${id}`, undefined, headers);
+const deleteTask = (id) => socket.delete(`/tasks/${id}`);
 
 export default {
   createTask,

client/src/api/users.js

@@ -3,27 +3,25 @@ import socket from './socket';
 
 /* Actions */
 
-const getUsers = (headers) => socket.get('/users', undefined, headers);
+const getUsers = () => socket.get('/users');
 
-const createUser = (data, headers) => socket.post('/users', data, headers);
+const createUser = (data) => socket.post('/users', data);
 
-const getUser = (id, headers) => socket.get(`/users/${id}`, undefined, headers);
+const getUser = (id) => socket.get(`/users/${id}`);
 
-const getCurrentUser = (headers) => socket.get('/users/me', undefined, headers);
+const getCurrentUser = () => socket.get('/users/me');
 
-const updateUser = (id, data, headers) => socket.patch(`/users/${id}`, data, headers);
+const updateUser = (id, data) => socket.patch(`/users/${id}`, data);
 
-const updateUserEmail = (id, data, headers) => socket.patch(`/users/${id}/email`, data, headers);
+const updateUserEmail = (id, data) => socket.patch(`/users/${id}/email`, data);
 
-const updateUserPassword = (id, data, headers) =>
+const updateUserPassword = (id, data) => socket.patch(`/users/${id}/password`, data);
-  socket.patch(`/users/${id}/password`, data, headers);
 
-const updateUserUsername = (id, data, headers) =>
+const updateUserUsername = (id, data) => socket.patch(`/users/${id}/username`, data);
-  socket.patch(`/users/${id}/username`, data, headers);
 
-const updateUserAvatar = (id, data, headers) => http.post(`/users/${id}/avatar`, data, headers);
+const updateUserAvatar = (id, data) => http.post(`/users/${id}/avatar`, data);
 
-const deleteUser = (id, headers) => socket.delete(`/users/${id}`, undefined, headers);
+const deleteUser = (id) => socket.delete(`/users/${id}`);
 
 export default {
   getUsers,

client/src/constants/Config.js

@@ -2,12 +2,24 @@ const SERVER_BASE_URL =
   process.env.REACT_APP_SERVER_BASE_URL ||
   (process.env.NODE_ENV === 'production' ? '' : 'http://localhost:1337');
 
-const POSITION_GAP = 65535;
+const FETCH_OPTIONS =
+  process.env.NODE_ENV === 'production'
+    ? undefined
+    : {
+        credentials: 'include',
+      };
 
+const ACCESS_TOKEN_KEY = 'accessToken';
+const ACCESS_TOKEN_EXPIRES = 365;
+
+const POSITION_GAP = 65535;
 const ACTIONS_LIMIT = 10;
 
 export default {
   SERVER_BASE_URL,
+  FETCH_OPTIONS,
+  ACCESS_TOKEN_KEY,
+  ACCESS_TOKEN_EXPIRES,
   POSITION_GAP,
   ACTIONS_LIMIT,
 };

client/src/reducers/auth.js

@@ -1,19 +1,12 @@
-import { getAccessToken } from '../utils/access-token-storage';
 import ActionTypes from '../constants/ActionTypes';
 
 const initialState = {
-  accessToken: getAccessToken(),
   userId: null,
 };
 
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
   switch (type) {
-    case ActionTypes.AUTHENTICATE__SUCCESS:
-      return {
-        ...state,
-        accessToken: payload.accessToken,
-      };
     case ActionTypes.SOCKET_RECONNECT_HANDLE:
     case ActionTypes.CORE_INITIALIZE:
       return {

client/src/sagas/core/request.js

@@ -1,6 +1,5 @@
-import { call, fork, join, put, select, take } from 'redux-saga/effects';
+import { call, fork, join, put, take } from 'redux-saga/effects';
 
-import { accessTokenSelector } from '../../selectors';
 import { logout } from '../../actions';
 import ErrorCodes from '../../constants/ErrorCodes';
 
@@ -13,12 +12,8 @@ function* queueRequest(method, ...args) {
     } catch {} // eslint-disable-line no-empty
   }
 
-  const accessToken = yield select(accessTokenSelector);
-
   try {
-    return yield call(method, ...args, {
+    return yield call(method, ...args);
-      Authorization: `Bearer ${accessToken}`,
-    });
   } catch (error) {
     if (error.code === ErrorCodes.UNAUTHORIZED) {
       yield put(logout()); // TODO: next url

client/src/sagas/index.js

@@ -1,11 +1,11 @@
-import { call, select } from 'redux-saga/effects';
+import { call } from 'redux-saga/effects';
 
 import loginSaga from './login';
 import coreSaga from './core';
-import { accessTokenSelector } from '../selectors';
+import { getAccessToken } from '../utils/access-token-storage';
 
 export default function* rootSaga() {
-  const accessToken = yield select(accessTokenSelector);
+  const accessToken = yield call(getAccessToken);
 
   if (!accessToken) {
     yield call(loginSaga);

client/src/utils/access-token-storage.js

@@ -1,11 +1,26 @@
-const ACCESS_TOKEN_KEY = 'accessToken';
+import Cookies from 'js-cookie';
 
-export const getAccessToken = () => localStorage.getItem(ACCESS_TOKEN_KEY);
+import Config from '../constants/Config';
 
 export const setAccessToken = (accessToken) => {
-  localStorage.setItem(ACCESS_TOKEN_KEY, accessToken);
+  Cookies.set(Config.ACCESS_TOKEN_KEY, accessToken, {
+    expires: Config.ACCESS_TOKEN_EXPIRES,
+  });
+};
+
+export const getAccessToken = () => {
+  // TODO: remove migration
+  const accessToken = localStorage.getItem(Config.ACCESS_TOKEN_KEY);
+  if (accessToken) {
+    localStorage.removeItem(Config.ACCESS_TOKEN_KEY);
+
+    setAccessToken(accessToken);
+    return accessToken;
+  }
+
+  return Cookies.get(Config.ACCESS_TOKEN_KEY);
 };
 
 export const removeAccessToken = () => {
-  localStorage.removeItem(ACCESS_TOKEN_KEY);
+  Cookies.remove(Config.ACCESS_TOKEN_KEY);
 };

server/api/hooks/current-user/index.js

@@ -34,11 +34,16 @@ module.exports = function defineCurrentUserHook(sails) {
       before: {
         '/*': {
           async fn(req, res, next) {
-            const { authorization: authorizationHeader } = req.headers;
+            let accessToken;
-
+            if (req.headers.authorization) {
-            if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {
+              if (TOKEN_PATTERN.test(req.headers.authorization)) {
-              const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');
+                accessToken = req.headers.authorization.replace(TOKEN_PATTERN, '');
+              }
+            } else if (req.cookies.accessToken) {
+              accessToken = req.cookies.accessToken;
+            }
 
+            if (accessToken) {
               req.currentUser = await getUser(accessToken);
             }
 

server/config/security.js

@@ -31,7 +31,7 @@ module.exports.security = {
     allRoutes: true,
     allowOrigins: ['http://localhost:3000'],
     allowRequestHeaders: ['Authorization'],
-    allowCredentials: false,
+    allowCredentials: true,
   },
 
   /**