feat: impl cookie-based auth tokens exchange

implement access/refresh token exchange via cookies as well as automatic access token refresh
2026-02-03 01:11:16 +00:00 · 2025-12-04 00:26:20 +00:00
parent d4c4e84fbf
commit 57167d5715
7 changed files with 179 additions and 30 deletions
--- a/apps/backend/internal/drexa/config.go
+++ b/apps/backend/internal/drexa/config.go
@@ -27,6 +27,7 @@ type Config struct {
 	Database DatabaseConfig `yaml:"database"`
 	JWT      JWTConfig      `yaml:"jwt"`
 	Storage  StorageConfig  `yaml:"storage"`
+	Cookie   CookieConfig   `yaml:"cookie"`
 }

 type ServerConfig struct {
@@ -52,6 +53,13 @@ type StorageConfig struct {
 	Bucket   string         `yaml:"bucket"`
 }

+// CookieConfig controls auth cookie behavior.
+// Domain is optional - only needed for cross-subdomain setups (e.g., "app.com" for web.app.com + api.app.com).
+// Secure flag is derived from the request protocol automatically.
+type CookieConfig struct {
+	Domain string `yaml:"domain"`
+}
+
 // ConfigFromFile loads configuration from a YAML file.
 // JWT secret key is loaded from JWT_SECRET_KEY env var (base64 encoded),
 // falling back to the file path specified in jwt.secret_key_path.
--- a/apps/backend/internal/drexa/server.go
+++ b/apps/backend/internal/drexa/server.go
@@ -36,6 +36,11 @@ func NewServer(c Config) (*Server, error) {
 	app := fiber.New(fiber.Config{
 		ErrorHandler:      httperr.ErrorHandler,
 		StreamRequestBody: true,
+		// Trust proxy headers (X-Forwarded-Proto, X-Forwarded-For) for proper
+		// protocol detection behind reverse proxies, tunnels (ngrok, cloudflare), etc.
+		EnableTrustedProxyCheck: true,
+		TrustedProxies:          []string{"127.0.0.1", "::1"},
+		ProxyHeader:             fiber.HeaderXForwardedFor,
 	})
 	app.Use(logger.New())

@@ -85,10 +90,14 @@ func NewServer(c Config) (*Server, error) {
 	uploadService := upload.NewService(vfs, blobStore)
 	accountService := account.NewService(userService, vfs)

-	authMiddleware := auth.NewBearerAuthMiddleware(authService, db)
+	cookieConfig := auth.CookieConfig{
+		Domain: c.Cookie.Domain,
+	}
+
+	authMiddleware := auth.NewAuthMiddleware(authService, db, cookieConfig)

 	api := app.Group("/api")
-	auth.NewHTTPHandler(authService, db).RegisterRoutes(api)
+	auth.NewHTTPHandler(authService, db, cookieConfig).RegisterRoutes(api)

 	accountRouter := account.NewHTTPHandler(accountService, authService, db, authMiddleware).RegisterRoutes(api)
 	upload.NewHTTPHandler(uploadService, db).RegisterRoutes(accountRouter)