feat(auth): save jwt in cookie [EE-5864] (#10527)

2025-07-24 15:59:41 +02:00 · 2023-11-20 09:35:03 +02:00 · 2023-11-20 09:35:03 +02:00 · 436da01bce
commit 436da01bce
parent ecce501cf3
51 changed files with 679 additions and 312 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -6,6 +6,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@ -142,12 +143,15 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User,
 }

 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
-	token, err := handler.JWTService.GenerateToken(tokenData)
+	token, expirationTime, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return httperror.InternalServerError("Unable to generate JWT token", err)
 	}

+	security.AddAuthCookie(w, token, expirationTime)
+
 	return response.JSON(w, &authenticateResponse{JWT: token})
+
 }

 func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settings *portainer.LDAPSettings) error {
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@ -18,7 +18,7 @@ type Handler struct {
 	*mux.Router
 	DataStore                   dataservices.DataStore
 	CryptoService               portainer.CryptoService
-	JWTService                  dataservices.JWTService
+	JWTService                  portainer.JWTService
 	LDAPService                 portainer.LDAPService
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@ -3,6 +3,7 @@ package auth
 import (
 	"net/http"

+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/logoutcontext"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@ -18,12 +19,14 @@ import (
 // @failure 500 "Server error"
 // @router /auth/logout [post]
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData := handler.bouncer.JWTAuthLookup(r)
+	tokenData, _ := handler.bouncer.CookieAuthLookup(r)

 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
 		logoutcontext.Cancel(tokenData.Token)
 	}

+	security.RemoveAuthCookie(w)
+
 	return response.Empty(w)
 }