feat(security)!: use http-only cookie #2174
Pull request overview
This pull request implements a significant security enhancement by migrating JWT authentication from client-side storage to HTTP-only cookies, along with comprehensive CSRF protection. The changes consolidate authentication logic from GraphQL mutations to REST API endpoints, remove deprecated code, and improve overall security posture.
Key Changes:
- JWT cookie name updated from `jwt2` to `jwt-v3` with proper `__Host-` prefix for enhanced security
- New REST API endpoints for JWT management (GET, POST, PUT, DELETE at `/api/model/jwt`)
- CSRF protection implementation with dedicated cookie and token validation
- Removal of legacy GraphQL-based authentication mutations and client-side JWT handling
Reviewed changes
Copilot reviewed 40 out of 45 changed files in this pull request and generated 20 comments.
| File | Description |
|---|---|
| src/shared/utils/constants.ts | Updated JWT cookie name to jwt-v3 with __Host- prefix for secure cookies |
| src/shared/utils/networking.ts | Added getIsSecure utility function for protocol checking |
| src/shared/utils/jwt.ts | Added getJwtPublicKey utility for JWT validation |
| src/server/utils/jwt.ts | Refactored JWT cookie handling, made setJwtCookie private, updated security settings |
| src/server/api/model/jwt.{get,post,put,delete}.ts | New REST endpoints for JWT lifecycle management |
| src/app/composables/jwt.ts | New authentication and JWT management composables |
| src/app/utils/jwt.ts | JWT utility functions for client-side operations |
| src/app/components/form/FormSessionCreate.vue | Updated to use new REST API-based authentication |
| src/app/app.vue | JWT initialization and update logic using new endpoints |
| src/config/modules/security.ts | Added CSRF configuration with HTTP-only cookies |
| src/config/modules/cookieControl.ts | Added CSRF cookie to cookie control configuration |
| tests/e2e/utils/constants.ts | Updated cookie consent value to include security cookie |
| Generated GraphQL files | Removed legacy authentication mutations, added new JWT mutations |
Comments suppressed due to low confidence (1)
src/app/components/form/FormSessionCreate.vue:77
- The $csrfFetch utility is used here but doesn't appear to be defined in the codebase changes. Verify that this is properly provided by the @nuxt/security module or another plugin. If it's not auto-imported, add proper type definitions and ensure it's available in the Nuxt app context.
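The review above calls out two properties of the new cookie scheme: the `__Host-` prefix (which browsers only honour when the cookie is `Secure`, has `Path=/` and carries no `Domain`) and the CSRF cookie whose token is compared against a per-request value. The following TypeScript is an added example written for this review, not code from the PR or from the project; it serialises a `Set-Cookie` value, checks a header against the `__Host-` rules plus `HttpOnly`, and performs the double-submit token comparison. The function names, the attribute set and the sample header strings are constructed for illustration; only the cookie name `__Host-jwt-v3` comes from the PR.

```typescript
// Added example, not code from the PR or the project. Function names and
// sample values are hypothetical; the cookie name is the one the PR introduces.

const JWT_COOKIE_NAME = "__Host-jwt-v3";

interface CookieAttrs {
  secure: boolean;
  httpOnly: boolean;
  path?: string;
  domain?: string;
  sameSite?: "Strict" | "Lax" | "None";
  maxAge?: number;
}

// Serialise a Set-Cookie header value from a name, a value and its attributes.
function buildSetCookie(name: string, value: string, a: CookieAttrs): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (a.path !== undefined) parts.push(`Path=${a.path}`);
  if (a.domain !== undefined) parts.push(`Domain=${a.domain}`);
  if (a.maxAge !== undefined) parts.push(`Max-Age=${a.maxAge}`);
  if (a.sameSite !== undefined) parts.push(`SameSite=${a.sameSite}`);
  if (a.secure) parts.push("Secure");
  if (a.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Parse a Set-Cookie header value and list what is wrong with it.
// A __Host- cookie is rejected by browsers unless it is Secure, has Path=/
// and sets no Domain; a JWT cookie should also be HttpOnly so that script
// in the page cannot read the token.
function checkSessionCookie(setCookie: string): string[] {
  const problems: string[] = [];
  const segments = setCookie.split(";").map((s) => s.trim());
  const nameValue = segments[0] ?? "";
  const eq = nameValue.indexOf("=");
  const name = eq < 0 ? nameValue : nameValue.slice(0, eq);

  // Attribute names are case-insensitive; keep the first value seen per name.
  const attrs = new Map<string, string>();
  for (const seg of segments.slice(1)) {
    const i = seg.indexOf("=");
    const key = (i < 0 ? seg : seg.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : seg.slice(i + 1);
    if (!attrs.has(key)) attrs.set(key, val);
  }

  if (name.startsWith("__Host-")) {
    if (!attrs.has("secure")) problems.push("__Host- cookie requires Secure");
    if (attrs.get("path") !== "/") problems.push("__Host- cookie requires Path=/");
    if (attrs.has("domain")) problems.push("__Host- cookie must not set Domain");
  }
  if (!attrs.has("httponly")) problems.push("JWT cookie should be HttpOnly");
  return problems;
}

// Double-submit check: the token sent in the request header must equal the
// token stored in the CSRF cookie. The loop always touches every character so
// the position of a mismatch is not observable through timing; in Node the
// same guarantee comes from crypto.timingSafeEqual on equal-length buffers.
function csrfTokensMatch(cookieToken: string, headerToken: string): boolean {
  if (cookieToken.length !== headerToken.length) return false;
  let diff = 0;
  for (let i = 0; i < cookieToken.length; i++) {
    diff |= cookieToken.charCodeAt(i) ^ headerToken.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed sample headers: the cookie as the review describes it, and a
// weak variant that a browser would drop and that script could read.
const GOOD_HEADER = buildSetCookie(JWT_COOKIE_NAME, "eyJ.constructed.token", {
  secure: true,
  httpOnly: true,
  path: "/",
  sameSite: "Strict",
  maxAge: 3600,
});
const WEAK_HEADER = "__Host-jwt-v3=eyJ.constructed.token; Path=/api; Domain=example.com";

console.log(GOOD_HEADER);
console.log(checkSessionCookie(GOOD_HEADER));
console.log(checkSessionCookie(WEAK_HEADER));
console.log(csrfTokensMatch("a1b2c3", "a1b2c3"), csrfTokensMatch("a1b2c3", "a1b2c4"));
```

`checkSessionCookie` is the kind of assertion worth putting in an end-to-end test next to the cookie-consent change in `tests/e2e/utils/constants.ts`: a single missing `Secure` or a stray `Domain` makes the browser silently discard a `__Host-` cookie, which surfaces as a login loop rather than as an error.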
Pull request overview
Copilot reviewed 79 out of 85 changed files in this pull request and generated 10 comments.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
🎉 This PR is included in version 14.0.0-beta.3 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
📚 Description
This pull request introduces a significant refactor and simplification of authentication and networking logic across the app, with a focus on moving away from GraphQL mutations for JWT/session management to direct REST API calls using custom fetch utilities. It also consolidates authentication logic, removes deprecated code, and improves error handling and code clarity in several components.
📝 Checklist