Feature #1399

Use Cookies for Authentication

Added by Pavan Rikhi 12 months ago. Updated about 1 month ago.

Status: Closed
Priority: High
Assignee: Pavan Rikhi
Category: Security
Target version: v0.9.0 - Admin
Start date:
Due date:
% Done: 100%
Spent time: -
Easy Pickings:

Description

Storing the API key in localStorage isn't too safe, since other scripts on the page can read the values. We should store it in a cookie instead. We'll have to show the cookie warning for EU countries, but we'd have to anyway, since Google Analytics is already storing cookies for us.

There is a servant-auth-cookie package we can use, along with a short guide on setting everything up:
https://github.com/zohl/servant-auth-cookie/wiki/Getting-started

https://www.stackbuilders.com/tutorials/haskell/servant-auth/


Related issues

Precedes SESE Website - Feature #1158: Use Session Storage for Temporary Logins (Closed)

Associated revisions

Revision b56d0a4f
Added by Pavan Rikhi about 2 months ago

[#1399] Add Initial Cookie Authentication Architecture

Modify the server's Auth module, adding new functions & type instances
for using Cookie Authentication for routes via the servant-auth-cookie
package. Session settings are available for permanent & temporary
logins. The `addSessionCookie` function sets the cookie value and the
`withCookie` function pulls the `AuthToken` from an existing cookie or
throws a 403 error.

The Config type has new fields for the secret key used to encrypt
cookies, as well as the entropy generator for cookie generation.

The server executable initializes the entropy generator & pulls the
cookie secret from the `COOKIE_SECRET` environment variable.

Refs #1399

Revision 261df8a0
Added by Pavan Rikhi about 2 months ago

[#1399] Add Additional Authorization Helpers

Add withValidatedCookie & validateCookieAndParameters functions to the
server's Auth module for checking the AuthToken in a Cookie against the
database, and for checking both the AuthToken using the validateToken
function and route parameters using the Validation typeclass.

Refs #1399

Revision 18533bd6
Added by Pavan Rikhi about 2 months ago

[#1399] Migrate API Routes to Cookie Authentication

Change the route declarations in the Customers, Carts, & Checkout route
modules to take a WrappedAuthToken instead of an AuthToken, using either
the withValidatedCookie or validateCookieAndParameters functions to pull
out the AuthToken from the request cookies.

Have the Register, Login, Reset Password, & Anonymous Place Order set a
temporary session cookie when the route processing is successful.

Remove the AuthToken from the Authorize route's parameters, pulling it
from the Cookie instead.

In a future commit, the login route will be changed to pick between a
temporary session & permanent session if the user has checked the
"remember me" checkbox. We also need to add a Logout route that removes
the session cookie.

Refs #1399

Revision dedf388e
Added by Pavan Rikhi about 1 month ago

[#1399] Remove Auth Token From Client API Requests

Remove all traces of the authToken from the client code, since that is
now transparently stored in the browser cookies. This includes startup
flags, ports, API requests, & the User type.

Modify the JavaScript port code to use userId changes in localStorage to
indicate authorization changes from other tabs.

Refs #1399

Revision 42a75ba9
Added by Pavan Rikhi about 1 month ago

[#1399] Add Logout Route to API Server

Add a logout route to the Routes.Customers module which removes the
authorization cookie from the customer's browser session.

Remove the remnants of the AuthToken Header authHandler for the server
context.

Refs #1399

Revision bc4b28fe
Added by Pavan Rikhi about 1 month ago

[#1399] Change Behavior of Logout Link

Modify the logout link on the client so it hits the new logout API
route & clears the authorization data after receiving a successful
response.

Modify the logout link so the page does not change when it is clicked.

Closes #1399
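As an added example (not code from the SESE Website project or from the servant-auth-cookie package), this Node script shows the Set-Cookie values a cookie-based session needs in order to give the protection the description asks for, and the clearing header the logout revision describes. The isolation from page scripts comes from the HttpOnly attribute, which keeps `document.cookie` (and therefore any injected script) from reading the token; localStorage has no equivalent. The cookie name `session`, the Max-Age used for permanent logins, and the function names are all assumptions made for the example.

```javascript
// Added example: Set-Cookie construction and audit for a cookie-based
// session. Not part of the SESE Website project; names are hypothetical.

const COOKIE_NAME = 'session'; // assumed cookie name

// Build the Set-Cookie value for a login. A temporary login gets a
// browser-session cookie (no Max-Age); a permanent ("remember me") login
// gets a Max-Age. HttpOnly keeps the value out of document.cookie, Secure
// restricts it to HTTPS, SameSite=Lax keeps it off cross-site POSTs.
function buildSessionCookie(token, { permanent = false, maxAgeSeconds = 30 * 24 * 3600 } = {}) {
  // Refuse separators so a token can never smuggle extra attributes.
  if (!/^[A-Za-z0-9_\-]+$/.test(token)) {
    throw new Error('token must be URL-safe (base64url or hex)');
  }
  const parts = [`${COOKIE_NAME}=${token}`, 'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax'];
  if (permanent) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Logout: same name, path and flags, empty value, Max-Age=0 so the browser
// discards the cookie immediately.
function buildLogoutCookie() {
  return `${COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
// Flag attributes (HttpOnly, Secure) map to true; valued ones keep their text.
function parseSetCookie(header) {
  const [nv, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nv.indexOf('=');
  const name = nv.slice(0, eq);
  const value = nv.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a Set-Cookie header for an auth cookie. Returns the list of
// problems; an empty array means every expected attribute is present.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (attributes.httponly !== true) problems.push('missing HttpOnly');
  if (attributes.secure !== true) problems.push('missing Secure');
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (sameSite === null) problems.push('missing SameSite');
  else if (sameSite === 'none') problems.push('SameSite=None sends the cookie on cross-site requests');
  if (attributes.path !== '/') problems.push('Path should be /');
  return problems;
}

// Constructed sample run: a permanent login, a logout, and an unhardened header.
console.log(buildSessionCookie('c0ffee1234', { permanent: true }));
console.log(buildLogoutCookie());
console.log(auditSetCookie('session=c0ffee1234; Path=/'));
```

Running the script prints the two headers and the audit findings for a cookie that carries no flags. A server test can run `auditSetCookie` over the `Set-Cookie` headers of its own login and logout responses to catch a dropped attribute during a refactor. Note that `Secure` means the browser only sends the cookie over HTTPS, so a plain-HTTP development server needs that flag relaxed in its settings.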

History

#1 Updated by Pavan Rikhi 11 months ago

  • Blocks Feature #1158: Use Session Storage for Temporary Logins added

#2 Updated by Pavan Rikhi 11 months ago

  • Blocks deleted (Feature #1158: Use Session Storage for Temporary Logins)

#3 Updated by Pavan Rikhi 11 months ago

  • Precedes Feature #1158: Use Session Storage for Temporary Logins added

#4 Updated by Pavan Rikhi 11 months ago

  • Priority changed from Normal to High
  • Description updated (diff)

#5 Updated by Pavan Rikhi 10 months ago

  • Description updated (diff)

#6 Updated by Pavan Rikhi about 2 months ago

  • Target version changed from v1.00.00 - Deployment to v0.9.0 - Admin

#8 Updated by Pavan Rikhi about 1 month ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed
