fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s

Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-03-09 23:44:23 +08:00
parent e72665c466
commit 4201917e17
11 changed files with 185 additions and 115 deletions
+12 -7
View File
@@ -14,7 +14,7 @@
import InfoEngine from "./routes/InfoEngine.svelte";
import Login from "./routes/Login.svelte";
import { onMount } from "svelte";
import { getToken, checkAuth, setToken, setRefreshToken, currentUser, setCurrentUser, getPreferences, savePreferences } from "./lib/api.js";
import { getToken, checkAuth, setToken, currentUser, setCurrentUser, getPreferences, savePreferences, tryRefreshSession, logout as logoutSession } from "./lib/api.js";
const KNOWN_PAGES = new Set([
"dashboard",
@@ -106,11 +106,10 @@
// Try proxy auth first (Authelia forward-auth sets Remote-User header)
try {
const proxyRes = await fetch("/api/auth/proxy");
const proxyRes = await fetch("/api/auth/proxy", { credentials: "same-origin" });
if (proxyRes.ok) {
const data = await proxyRes.json();
setToken(data.access_token);
setRefreshToken(data.refresh_token);
authorized = true;
await fetchUserInfo();
const requestedPage = getRequestedPage();
@@ -123,11 +122,13 @@
}
// Regular token auth check
const token = getToken();
if (!token) {
if (!getToken()) {
const refreshed = await tryRefreshSession();
if (!refreshed) {
loading = false;
authorized = false;
return;
}
}
try {
@@ -160,9 +161,13 @@
}
}
function logout() {
async function logout() {
try {
await logoutSession();
} catch (e) {
console.error("Logout failed:", e);
}
setToken("");
setRefreshToken("");
window.location.reload();
}
</script>