feat(auth): save jwt in cookie [EE-5864] (#10527)

2025-07-25 00:09:40 +02:00 · 2023-11-20 09:35:03 +02:00 · 2023-11-20 09:35:03 +02:00 · 436da01bce
commit 436da01bce
parent ecce501cf3
51 changed files with 679 additions and 312 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -6,6 +6,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@ -142,12 +143,15 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User,
 }

 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
-	token, err := handler.JWTService.GenerateToken(tokenData)
+	token, expirationTime, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return httperror.InternalServerError("Unable to generate JWT token", err)
 	}

+	security.AddAuthCookie(w, token, expirationTime)
+
 	return response.JSON(w, &authenticateResponse{JWT: token})
+
 }

 func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settings *portainer.LDAPSettings) error {
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@ -18,7 +18,7 @@ type Handler struct {
 	*mux.Router
 	DataStore                   dataservices.DataStore
 	CryptoService               portainer.CryptoService
-	JWTService                  dataservices.JWTService
+	JWTService                  portainer.JWTService
 	LDAPService                 portainer.LDAPService
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@ -3,6 +3,7 @@ package auth
 import (
 	"net/http"

+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/logoutcontext"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@ -18,12 +19,14 @@ import (
 // @failure 500 "Server error"
 // @router /auth/logout [post]
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData := handler.bouncer.JWTAuthLookup(r)
+	tokenData, _ := handler.bouncer.CookieAuthLookup(r)

 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
 		logoutcontext.Cancel(tokenData.Token)
 	}

+	security.RemoveAuthCookie(w)
+
 	return response.Empty(w)
 }
--- a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
+++ b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
@ -2,7 +2,6 @@ package customtemplates

 import (
 	"bytes"
-	"fmt"
 	"io"
 	"io/fs"
 	"net/http"
@ -18,6 +17,7 @@ import (
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -76,7 +76,7 @@ func singleAPIRequest(h *Handler, jwt string, is *assert.Assertions, expect stri
 	}

 	req := httptest.NewRequest(http.MethodPut, "/custom_templates/1/git_fetch", bytes.NewBuffer([]byte("{}")))
-	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+	testhelpers.AddTestSecurityCookie(req, jwt)

 	rr := httptest.NewRecorder()
 	h.ServeHTTP(rr, req)
@ -132,8 +132,8 @@ func Test_customTemplateGitFetch(t *testing.T) {
 	h := NewHandler(requestBouncer, store, fileService, gitService)

 	// generate two standard users' tokens
-	jwt1, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user1.ID, Username: user1.Username, Role: user1.Role})
-	jwt2, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user2.ID, Username: user2.Username, Role: user2.Role})
+	jwt1, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user1.ID, Username: user1.Username, Role: user1.Role})
+	jwt2, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user2.ID, Username: user2.Username, Role: user2.Role})

 	t.Run("can return the expected file content by a single call from one user", func(t *testing.T) {
 		singleAPIRequest(h, jwt1, is, "abcdefg")
--- a/api/http/handler/endpoints/endpoint_list_test.go
+++ b/api/http/handler/endpoints/endpoint_list_test.go
@ -211,7 +211,7 @@ func buildEndpointListRequest(query string) *http.Request {
 	restrictedCtx := security.StoreRestrictedRequestContext(req, &security.RestrictedRequestContext{UserID: 1, IsAdmin: true})
 	req = req.WithContext(restrictedCtx)

-	req.Header.Add("Authorization", "Bearer dummytoken")
+	testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")

 	return req
 }
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@ -20,14 +20,14 @@ type Handler struct {
 	*mux.Router
 	requestBouncer           security.BouncerService
 	dataStore                dataservices.DataStore
-	jwtService               dataservices.JWTService
+	jwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
 	helmPackageManager       libhelm.HelmPackageManager
 }

 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService dataservices.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@ -93,7 +93,7 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
 	}

-	bearerToken, err := handler.jwtService.GenerateToken(tokenData)
+	bearerToken, _, err := handler.jwtService.GenerateToken(tokenData)
 	if err != nil {
 		return nil, httperror.Unauthorized("Unauthorized", err)
 	}
--- a/api/http/handler/helm/helm_delete_test.go
+++ b/api/http/handler/helm/helm_delete_test.go
@ -16,6 +16,7 @@ import (
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/stretchr/testify/assert"

+	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 )

@ -48,7 +49,7 @@ func Test_helmDelete(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("/1/kubernetes/helm/%s", options.Name), nil)
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		req.Header.Add("Authorization", "Bearer dummytoken")
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/helm/helm_install_test.go
+++ b/api/http/handler/helm/helm_install_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
@ -52,7 +53,7 @@ func Test_helmInstall(t *testing.T) {
 		req := httptest.NewRequest(http.MethodPost, "/1/kubernetes/helm", bytes.NewBuffer(optdata))
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		req.Header.Add("Authorization", "Bearer dummytoken")
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/helm/helm_list_test.go
+++ b/api/http/handler/helm/helm_list_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
@ -48,7 +49,7 @@ func Test_helmList(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		req.Header.Add("Authorization", "Bearer dummytoken")
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@ -26,12 +26,12 @@ type Handler struct {
 	authorizationService     *authorization.Service
 	DataStore                dataservices.DataStore
 	KubernetesClientFactory  *cli.ClientFactory
-	JwtService               dataservices.JWTService
+	JwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 }

 // NewHandler creates a handler to process pre-proxied requests to external APIs.
-func NewHandler(bouncer security.BouncerService, authorizationService *authorization.Service, dataStore dataservices.DataStore, jwtService dataservices.JWTService, kubeClusterAccessService kubernetes.KubeClusterAccessService, kubernetesClientFactory *cli.ClientFactory, kubernetesClient portainer.KubeClient) *Handler {
+func NewHandler(bouncer security.BouncerService, authorizationService *authorization.Service, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubeClusterAccessService kubernetes.KubeClusterAccessService, kubernetesClientFactory *cli.ClientFactory, kubernetesClient portainer.KubeClient) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		authorizationService:     authorizationService,
@ -120,7 +120,12 @@ func (h *Handler) getProxyKubeClient(r *http.Request) (*cli.KubeClient, *httperr
 		return nil, httperror.BadRequest("Invalid environment identifier route variable", err)
 	}

-	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), r.Header.Get("Authorization"))
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, httperror.Forbidden("Permission denied to access environment", err)
+	}
+
+	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Username)
 	if !ok {
 		return nil, httperror.InternalServerError("Failed to lookup KubeClient", nil)
 	}
@ -141,8 +146,13 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}

+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusForbidden, "Permission denied to access environment", err)
+		}
+
 		// Check if we have a kubeclient against this auth token already, otherwise generate a new one
-		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), r.Header.Get("Authorization"))
+		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Username)
 		if ok {
 			next.ServeHTTP(w, r)
 			return
@ -164,12 +174,6 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}

-		// Generate a proxied kubeconfig, then create a kubeclient using it.
-		tokenData, err := security.RetrieveTokenData(r)
-		if err != nil {
-			httperror.WriteError(w, http.StatusForbidden, "Permission denied to access environment", err)
-			return
-		}
 		bearerToken, err := handler.JwtService.GenerateTokenForKubeconfig(tokenData)
 		if err != nil {
 			httperror.WriteError(w, http.StatusInternalServerError, "Unable to create JWT token", err)
@ -208,7 +212,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}

-		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), r.Header.Get("Authorization"), kubeCli)
+		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), tokenData.Username, kubeCli)
 		next.ServeHTTP(w, r)
 	})
 }
--- a/api/http/handler/settings/handler.go
+++ b/api/http/handler/settings/handler.go
@ -23,7 +23,7 @@ type Handler struct {
 	*mux.Router
 	DataStore       dataservices.DataStore
 	FileService     portainer.FileService
-	JWTService      dataservices.JWTService
+	JWTService      portainer.JWTService
 	LDAPService     portainer.LDAPService
 	SnapshotService portainer.SnapshotService
 	demoService     *demo.Service
--- a/api/http/handler/system/version_test.go
+++ b/api/http/handler/system/version_test.go
@ -1,7 +1,6 @@
 package system

 import (
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -13,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -43,12 +43,12 @@ func Test_getSystemVersion(t *testing.T) {
 	h := NewHandler(requestBouncer, &portainer.Status{}, &demo.Service{}, store, nil)

 	// generate standard and admin user tokens
-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})

 	t.Run("Display Edition", func(t *testing.T) {

 		req := httptest.NewRequest(http.MethodGet, "/system/version", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/teams/team_list_test.go
+++ b/api/http/handler/teams/team_list_test.go
@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -39,7 +40,7 @@ func Test_teamList(t *testing.T) {
 	h.DataStore = store

 	// generate admin user tokens
-	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})

 	// Case 1: the team is given the endpoint access directly
 	// create teams
@ -77,11 +78,11 @@ func Test_teamList(t *testing.T) {
 	err = store.Endpoint().Create(endpointWithTeamAccessPolicy)
 	is.NoError(err, "error creating endpoint")

-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccessByTeam.ID, Username: userWithEndpointAccessByTeam.Username, Role: userWithEndpointAccessByTeam.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccessByTeam.ID, Username: userWithEndpointAccessByTeam.Username, Role: userWithEndpointAccessByTeam.Role})

 	t.Run("admin user can successfully list all teams", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/teams", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -102,7 +103,7 @@ func Test_teamList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointWithTeamAccessPolicy.ID))
 		req := httptest.NewRequest(http.MethodGet, "/teams?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -124,7 +125,7 @@ func Test_teamList(t *testing.T) {

 	t.Run("standard user only can list team where he belongs to", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/teams", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -168,7 +169,7 @@ func Test_teamList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointUnderGroupWithTeam.ID))
 		req := httptest.NewRequest(http.MethodGet, "/teams?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/users/handler.go
+++ b/api/http/handler/users/handler.go
@ -67,6 +67,9 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit

 	adminRouter.Handle("/users", httperror.LoggerHandler(h.userCreate)).Methods(http.MethodPost)
 	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
+
+	authenticatedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
+	restrictedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
 	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)
@ -75,6 +78,7 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	restrictedRouter.Handle("/users/{id}/tokens/{keyID}", httperror.LoggerHandler(h.userRemoveAccessToken)).Methods(http.MethodDelete)
 	restrictedRouter.Handle("/users/{id}/memberships", httperror.LoggerHandler(h.userMemberships)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}/passwd", rateLimiter.LimitAccess(httperror.LoggerHandler(h.userUpdatePassword))).Methods(http.MethodPut)
+
 	publicRouter.Handle("/users/admin/check", httperror.LoggerHandler(h.adminCheck)).Methods(http.MethodGet)
 	publicRouter.Handle("/users/admin/init", httperror.LoggerHandler(h.adminInit)).Methods(http.MethodPost)

--- a/api/http/handler/users/user_create_access_token.go
+++ b/api/http/handler/users/user_create_access_token.go
@ -55,9 +55,9 @@ type accessTokenResponse struct {
 // @failure 500 "Server error"
 // @router /users/{id}/tokens [post]
 func (handler *Handler) userCreateAccessToken(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	// specifically require JWT auth for this endpoint since API-Key based auth is not supported
-	if jwt := handler.bouncer.JWTAuthLookup(r); jwt == nil {
-		return httperror.Unauthorized("Auth not supported", errors.New("JWT Authentication required"))
+	// specifically require Cookie auth for this endpoint since API-Key based auth is not supported
+	if jwt, _ := handler.bouncer.CookieAuthLookup(r); jwt == nil {
+		return httperror.Unauthorized("Auth not supported", errors.New("Cookie Authentication required"))
 	}

 	var payload userAccessTokenCreatePayload
--- a/api/http/handler/users/user_create_access_token_test.go
+++ b/api/http/handler/users/user_create_access_token_test.go
@ -2,7 +2,6 @@ package users

 import (
 	"bytes"
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -13,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -45,8 +45,8 @@ func Test_userCreateAccessToken(t *testing.T) {
 	h.DataStore = store

 	// generate standard and admin user tokens
-	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})
+	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})

 	t.Run("standard user successfully generates API key", func(t *testing.T) {
 		data := userAccessTokenCreatePayload{Description: "test-token"}
@ -54,7 +54,7 @@ func Test_userCreateAccessToken(t *testing.T) {
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodPost, "/users/2/tokens", bytes.NewBuffer(payload))
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -77,7 +77,7 @@ func Test_userCreateAccessToken(t *testing.T) {
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodPost, "/users/2/tokens", bytes.NewBuffer(payload))
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -106,7 +106,7 @@ func Test_userCreateAccessToken(t *testing.T) {

 		body, err := io.ReadAll(rr.Body)
 		is.NoError(err, "ReadAll should not return error")
-		is.Equal(`{"message":"Auth not supported","details":"JWT Authentication required"}`, string(body))
+		is.Equal(`{"message":"Auth not supported","details":"Cookie Authentication required"}`, string(body))
 	})
 }

--- a/api/http/handler/users/user_get_access_tokens_test.go
+++ b/api/http/handler/users/user_get_access_tokens_test.go
@ -1,7 +1,6 @@
 package users

 import (
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -12,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -44,15 +44,15 @@ func Test_userGetAccessTokens(t *testing.T) {
 	h.DataStore = store

 	// generate standard and admin user tokens
-	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})
+	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})

 	t.Run("standard user can successfully retrieve API key", func(t *testing.T) {
 		_, apiKey, err := apiKeyService.GenerateApiKey(*user, "test-get-token")
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodGet, "/users/2/tokens", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -81,7 +81,7 @@ func Test_userGetAccessTokens(t *testing.T) {
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodGet, "/users/2/tokens", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/users/user_inspect_me.go
+++ b/api/http/handler/users/user_inspect_me.go
@ -0,0 +1,49 @@
+package users
+
+import (
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/security"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+type CurrentUserInspectResponse struct {
+	*portainer.User
+	ForceChangePassword bool `json:"forceChangePassword"`
+}
+
+// @id CurrentUserInspect
+// @summary Inspect the current user user
+// @description Retrieve details about the current  user.
+// @description User passwords are filtered out, and should never be accessible.
+// @description **Access policy**: authenticated
+// @tags users
+// @security ApiKeyAuth
+// @security jwt
+// @produce json
+// @success 200 {object} portainer.User "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 "User not found"
+// @failure 500 "Server error"
+// @router /users/me [get]
+func (handler *Handler) userInspectMe(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve info from request context", err)
+	}
+
+	user, err := handler.DataStore.User().Read(securityContext.UserID)
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return httperror.NotFound("Unable to find a user with the specified identifier inside the database", err)
+	} else if err != nil {
+		return httperror.InternalServerError("Unable to find a user with the specified identifier inside the database", err)
+	}
+
+	forceChangePassword := !handler.passwordStrengthChecker.Check(user.Password)
+
+	hideFields(user)
+	return response.JSON(w, &CurrentUserInspectResponse{User: user, ForceChangePassword: forceChangePassword})
+}
--- a/api/http/handler/users/user_list_test.go
+++ b/api/http/handler/users/user_list_test.go
@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"

 	"github.com/segmentio/encoding/json"
@ -43,7 +44,7 @@ func Test_userList(t *testing.T) {
 	h.DataStore = store

 	// generate admin user tokens
-	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})

 	// Case 1: the user is given the endpoint access directly
 	userWithEndpointAccess := &portainer.User{ID: 2, Username: "standard-user-with-endpoint-access", Role: portainer.StandardUserRole, PortainerAuthorizations: authorization.DefaultPortainerAuthorizations()}
@ -67,11 +68,11 @@ func Test_userList(t *testing.T) {
 	err = store.Endpoint().Create(endpointWithUserAccessPolicy)
 	is.NoError(err, "error creating endpoint")

-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccess.ID, Username: userWithEndpointAccess.Username, Role: userWithEndpointAccess.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccess.ID, Username: userWithEndpointAccess.Username, Role: userWithEndpointAccess.Role})

 	t.Run("admin user can successfully list all users", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/users", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -92,7 +93,7 @@ func Test_userList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointWithUserAccessPolicy.ID))
 		req := httptest.NewRequest(http.MethodGet, "/users?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -114,7 +115,7 @@ func Test_userList(t *testing.T) {

 	t.Run("standard user cannot list users", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/users", nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -146,7 +147,7 @@ func Test_userList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointUnderGroupWithUser.ID))
 		req := httptest.NewRequest(http.MethodGet, "/users?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -198,7 +199,7 @@ func Test_userList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointUnderGroupWithTeam.ID))
 		req := httptest.NewRequest(http.MethodGet, "/users?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -249,7 +250,7 @@ func Test_userList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointWithTeamAccessPolicy.ID))
 		req := httptest.NewRequest(http.MethodGet, "/users?"+params.Encode(), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
--- a/api/http/handler/users/user_remove_access_token_test.go
+++ b/api/http/handler/users/user_remove_access_token_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/stretchr/testify/assert"
 )
@ -41,15 +42,16 @@ func Test_userRemoveAccessToken(t *testing.T) {
 	h.DataStore = store

 	// generate standard and admin user tokens
-	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
-	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})
+	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user.ID, Username: user.Username, Role: user.Role})

 	t.Run("standard user can successfully delete API key", func(t *testing.T) {
+		is := assert.New(t)
 		_, apiKey, err := apiKeyService.GenerateApiKey(*user, "test-delete-token")
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("%s/%d", "/users/2/tokens", apiKey.ID), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
+		testhelpers.AddTestSecurityCookie(req, jwt)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -63,11 +65,12 @@ func Test_userRemoveAccessToken(t *testing.T) {
 	})

 	t.Run("admin can delete a standard user API Key", func(t *testing.T) {
+		is := assert.New(t)
 		_, apiKey, err := apiKeyService.GenerateApiKey(*user, "test-admin-delete-token")
 		is.NoError(err)

 		req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("%s/%d", "/users/2/tokens", apiKey.ID), nil)
-		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
+		testhelpers.AddTestSecurityCookie(req, adminJWT)

 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@ -81,6 +84,7 @@ func Test_userRemoveAccessToken(t *testing.T) {
 	})

 	t.Run("user can delete API Key using api-key auth", func(t *testing.T) {
+		is := assert.New(t)
 		rawAPIKey, apiKey, err := apiKeyService.GenerateApiKey(*user, "test-api-key-auth-deletion")
 		is.NoError(err)