fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -14,7 +14,7 @@
|
||||
import InfoEngine from "./routes/InfoEngine.svelte";
|
||||
import Login from "./routes/Login.svelte";
|
||||
import { onMount } from "svelte";
|
||||
import { getToken, checkAuth, setToken, setRefreshToken, currentUser, setCurrentUser, getPreferences, savePreferences } from "./lib/api.js";
|
||||
import { getToken, checkAuth, setToken, currentUser, setCurrentUser, getPreferences, savePreferences, tryRefreshSession, logout as logoutSession } from "./lib/api.js";
|
||||
|
||||
const KNOWN_PAGES = new Set([
|
||||
"dashboard",
|
||||
@@ -106,11 +106,10 @@
|
||||
|
||||
// Try proxy auth first (Authelia forward-auth sets Remote-User header)
|
||||
try {
|
||||
const proxyRes = await fetch("/api/auth/proxy");
|
||||
const proxyRes = await fetch("/api/auth/proxy", { credentials: "same-origin" });
|
||||
if (proxyRes.ok) {
|
||||
const data = await proxyRes.json();
|
||||
setToken(data.access_token);
|
||||
setRefreshToken(data.refresh_token);
|
||||
authorized = true;
|
||||
await fetchUserInfo();
|
||||
const requestedPage = getRequestedPage();
|
||||
@@ -123,11 +122,13 @@
|
||||
}
|
||||
|
||||
// Regular token auth check
|
||||
const token = getToken();
|
||||
if (!token) {
|
||||
if (!getToken()) {
|
||||
const refreshed = await tryRefreshSession();
|
||||
if (!refreshed) {
|
||||
loading = false;
|
||||
authorized = false;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -160,9 +161,13 @@
|
||||
}
|
||||
}
|
||||
|
||||
function logout() {
|
||||
async function logout() {
|
||||
try {
|
||||
await logoutSession();
|
||||
} catch (e) {
|
||||
console.error("Logout failed:", e);
|
||||
}
|
||||
setToken("");
|
||||
setRefreshToken("");
|
||||
window.location.reload();
|
||||
}
|
||||
</script>
|
||||
|
||||
Reference in New Issue
Block a user