fix: auth validation on existing sessions, rely on token only (#1069)

* chore: use http.NoBody

* fix: remove cookie token on logout

* fix: remove token cookie on middleware and redirect

* fix: frontend sets cookie token if authenticated

* refactor: remove session-id, rely on token only

* docs: make swagger

* fix: redirect

* fix: archive route handler

* fix: properly unset cookie

Author: fmartingr

docs/swagger/docs.go

@@ -439,13 +439,8 @@ const docTemplate = `{
             "type": "object",
             "properties": {
                 "expires": {
-                    "description": "Deprecated, used only for legacy APIs",
                     "type": "integer"
                 },
-                "session": {
-                    "description": "Deprecated, used only for legacy APIs",
-                    "type": "string"
-                },
                 "token": {
                     "type": "string"
                 }

docs/swagger/swagger.json

@@ -428,13 +428,8 @@
             "type": "object",
             "properties": {
                 "expires": {
-                    "description": "Deprecated, used only for legacy APIs",
                     "type": "integer"
                 },
-                "session": {
-                    "description": "Deprecated, used only for legacy APIs",
-                    "type": "string"
-                },
                 "token": {
                     "type": "string"
                 }

docs/swagger/swagger.yaml

@@ -27,11 +27,7 @@ definitions:
   api_v1.loginResponseMessage:
     properties:
       expires:
-        description: Deprecated, used only for legacy APIs
         type: integer
-      session:
-        description: Deprecated, used only for legacy APIs
-        type: string
       token:
         type: string
     type: object

internal/http/handlers/api/v1/accounts_test.go

@@ -357,9 +357,7 @@ func TestHandleUpdateAccount(t *testing.T) {
 
 		// Verify we can login with new password
 		loginBody := `{"username": "shiori", "password": "newpass"}`
-		w = testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(loginBody))
+		w = testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(loginBody))
 		require.Equal(t, http.StatusOK, w.Code)
 	})
 
@@ -480,9 +478,7 @@ func TestHandleUpdateAccount(t *testing.T) {
 
 		// Verify password change
 		loginBody := `{"username": "updated", "password": "newpass"}`
-		w = testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(loginBody))
+		w = testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(loginBody))
 		require.Equal(t, http.StatusOK, w.Code)
 	})
 }

internal/http/handlers/api/v1/auth.go

@@ -29,8 +29,7 @@ func (p *loginRequestPayload) IsValid() error {
 
 type loginResponseMessage struct {
 	Token      string `json:"token"`
-	SessionID  string `json:"session"` // Deprecated, used only for legacy APIs
-	Expiration int64  `json:"expires"` // Deprecated, used only for legacy APIs
+	Expiration int64  `json:"expires"`
 }
 
 // @Summary	Login to an account using username and password
@@ -41,7 +40,7 @@ type loginResponseMessage struct {
 // @Success	200		{object}	loginResponseMessage	"Login successful"
 // @Failure	400		{object}	nil						"Invalid login data"
 // @Router		/api/v1/auth/login [post]
-func HandleLogin(deps model.Dependencies, c model.WebContext, legacyLoginHandler model.LegacyLoginHandler) {
+func HandleLogin(deps model.Dependencies, c model.WebContext) {
 	var payload loginRequestPayload
 	if err := json.NewDecoder(c.Request().Body).Decode(&payload); err != nil {
 		response.SendError(c, http.StatusBadRequest, "Invalid JSON payload", nil)
@@ -72,16 +71,8 @@ func HandleLogin(deps model.Dependencies, c model.WebContext, legacyLoginHandler
 		return
 	}
 
-	sessionID, err := legacyLoginHandler(account, expiration)
-	if err != nil {
-		deps.Logger().WithError(err).Error("failed execute legacy login handler")
-		response.SendInternalServerError(c)
-		return
-	}
-
 	response.Send(c, http.StatusOK, loginResponseMessage{
 		Token:      token,
-		SessionID:  sessionID,
 		Expiration: expirationTime.Unix(),
 	})
 }
@@ -215,5 +206,12 @@ func HandleLogout(deps model.Dependencies, c model.WebContext) {
 	if err := middleware.RequireLoggedInUser(deps, c); err != nil {
 		return
 	}
+
+	// Remove token cookie
+	c.Request().AddCookie(&http.Cookie{
+		Name:  "token",
+		Value: "",
+	})
+
 	response.Send(c, http.StatusOK, nil)
 }

internal/http/handlers/api/v1/auth_test.go

@@ -4,18 +4,13 @@ import (
 	"context"
 	"net/http"
 	"testing"
-	"time"
 
 	"github.com/go-shiori/shiori/internal/model"
 	"github.com/go-shiori/shiori/internal/testutil"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
 )
 
-func noopLegacyLoginHandler(_ *model.AccountDTO, _ time.Duration) (string, error) {
-	return "test-session", nil
-}
-
 func TestHandleLogin(t *testing.T) {
 	logger := logrus.New()
 	// _, deps := testutil.GetTestConfigurationAndDependencies(t, context.Background(), logger)
@@ -24,39 +19,31 @@ func TestHandleLogin(t *testing.T) {
 		ctx := context.Background()
 		_, deps := testutil.GetTestConfigurationAndDependencies(t, ctx, logger)
 		body := `{"username":}`
-		w := testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(body))
+		w := testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(body))
 		require.Equal(t, http.StatusBadRequest, w.Code)
 	})
 
 	t.Run("missing username", func(t *testing.T) {
 		ctx := context.Background()
 		_, deps := testutil.GetTestConfigurationAndDependencies(t, ctx, logger)
 		body := `{"password": "test"}`
-		w := testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(body))
+		w := testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(body))
 		require.Equal(t, http.StatusBadRequest, w.Code)
 	})
 
 	t.Run("missing password", func(t *testing.T) {
 		ctx := context.Background()
 		_, deps := testutil.GetTestConfigurationAndDependencies(t, ctx, logger)
 		body := `{"username": "test"}`
-		w := testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(body))
+		w := testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(body))
 		require.Equal(t, http.StatusBadRequest, w.Code)
 	})
 
 	t.Run("invalid credentials", func(t *testing.T) {
 		ctx := context.Background()
 		_, deps := testutil.GetTestConfigurationAndDependencies(t, ctx, logger)
 		body := `{"username": "test", "password": "wrong"}`
-		w := testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(body))
+		w := testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(body))
 		require.Equal(t, http.StatusBadRequest, w.Code)
 	})
 
@@ -74,16 +61,13 @@ func TestHandleLogin(t *testing.T) {
 			"password": "test",
 			"remember_me": true
 		}`
-		w := testutil.PerformRequest(deps, func(deps model.Dependencies, c model.WebContext) {
-			HandleLogin(deps, c, noopLegacyLoginHandler)
-		}, "POST", "/login", testutil.WithBody(body))
+		w := testutil.PerformRequest(deps, HandleLogin, "POST", "/login", testutil.WithBody(body))
 		require.Equal(t, http.StatusOK, w.Code)
 
 		response, err := testutil.NewTestResponseFromReader(w.Body)
 		require.NoError(t, err)
 		response.AssertOk(t)
 		response.AssertMessageContains(t, "token")
-		response.AssertMessageContains(t, "session")
 		response.AssertMessageContains(t, "expires")
 	})
 }

internal/http/handlers/bookmark.go

@@ -5,7 +5,6 @@ import (
 	"html/template"
 	"net/http"
 	"strconv"
-	"strings"
 
 	"github.com/go-shiori/shiori/internal/http/response"
 	"github.com/go-shiori/shiori/internal/model"
@@ -92,8 +91,7 @@ func HandleBookmarkArchiveFile(deps model.Dependencies, c model.WebContext) {
 		return
 	}
 
-	// Get resource path from URL
-	resourcePath := strings.TrimPrefix(c.Request().URL.Path, fmt.Sprintf("/bookmark/%d/archive/file/", bookmark.ID))
+	resourcePath := c.Request().PathValue("path")
 
 	archive, err := deps.Domains().Archiver().GetBookmarkArchive(bookmark)
 	if err != nil {

internal/http/handlers/legacy.go

@@ -50,15 +50,18 @@ func (h *LegacyHandler) HandleLogin(account *model.AccountDTO, expTime time.Dura
 	}
 
 	strSessionID := sessionID.String()
-	h.legacyHandler.SessionCache.Set(strSessionID, account, expTime)
 
 	return strSessionID, nil
 }
 
 // HandleLogout handles the legacy logout endpoint
 func (h *LegacyHandler) HandleLogout(deps model.Dependencies, c model.WebContext) {
-	sessionID := h.legacyHandler.GetSessionID(c.Request())
-	h.legacyHandler.SessionCache.Delete(sessionID)
+	// TODO: Leave cookie handling to API consumer or middleware?
+	// Remove token cookie
+	c.Request().AddCookie(&http.Cookie{
+		Name:  "token",
+		Value: "",
+	})
 }
 
 // HandleGetTags handles GET /api/tags

internal/http/handlers/legacy_test.go

@@ -36,30 +36,6 @@ func TestLegacyHandler(t *testing.T) {
 		sessionID, err := handler.HandleLogin(account, time.Hour)
 		require.NoError(t, err)
 		require.NotEmpty(t, sessionID)
-
-		// Verify session is stored
-		val, found := handler.legacyHandler.SessionCache.Get(sessionID)
-		require.True(t, found)
-		require.Equal(t, account, val)
-	})
-
-	t.Run("HandleLogout", func(t *testing.T) {
-		// Setup session
-		account := &model.AccountDTO{ID: 1}
-		sessionID, _ := handler.HandleLogin(account, time.Hour)
-
-		// Create request with session cookie
-		c, _ := testutil.NewTestWebContext()
-		c.Request().AddCookie(&http.Cookie{
-			Name:  "session-id",
-			Value: sessionID,
-		})
-
-		handler.HandleLogout(deps, c)
-
-		// Verify session is removed
-		_, found := handler.legacyHandler.SessionCache.Get(sessionID)
-		require.False(t, found)
 	})
 
 	t.Run("HandleGetTags", func(t *testing.T) {
@@ -79,7 +55,7 @@ func TestLegacyHandler(t *testing.T) {
 	})
 
 	t.Run("convertParams", func(t *testing.T) {
-		r, _ := http.NewRequest(http.MethodGet, "/api/bookmarks?page=1&tags=test,dev", nil)
+		r, _ := http.NewRequest(http.MethodGet, "/api/bookmarks?page=1&tags=test,dev", http.NoBody)
 		params := handler.convertParams(r)
 
 		require.Len(t, params, 2)

internal/http/middleware/auth.go

@@ -32,8 +32,14 @@ func (m *AuthMiddleware) OnRequest(deps model.Dependencies, c model.WebContext)
 
 	account, err := deps.Domains().Auth().CheckToken(c.Request().Context(), token)
 	if err != nil {
-		deps.Logger().WithError(err).Error("Failed to check token")
-		return err
+		// If we fail to check token, remove the token cookie and redirect to login
+		deps.Logger().WithError(err).WithField("request_id", c.GetRequestID()).Error("Failed to check token")
+		http.SetCookie(c.ResponseWriter(), &http.Cookie{
+			Name:   "token",
+			Value:  "",
+			MaxAge: -1,
+		})
+		return nil
 	}
 
 	c.SetAccount(account)