feat(server): cookie lifecycle & CSRF enforcement (#749)#1117
Merged
Conversation
theothersideofgod
force-pushed
the
feat/cookie-lifecycle-csrf-749
branch
2 times, most recently
from
fa376a0 to
e5e066b
Compare
- Add SESSION_COOKIE_NAME and DEVICE_TOKEN_COOKIE_NAME constants - Add getSessionCookieConfig() with rememberMe support - Add getDeviceTokenCookieConfig() for 90-day device tokens - Add cookie serialization helpers (set/clear) - Add parseCookieValue() and request token extractors Closes #749 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add @constructive-io/csrf dependency - Wire csrfSetToken middleware (httpOnly=false for SPA access) - Wire csrfProtect middleware on /graphql endpoint - Skip CSRF for Bearer token auth (not vulnerable) - Skip CSRF for anonymous requests (no session cookie) - Add integration tests for CSRF skip conditions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add rememberMeDuration field to AuthSettings interface - Query remember_me_duration from app_settings_auth table - Used by cookie config when rememberMe=true in sign-in Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Implement grafserv middleware plugin to set/clear auth cookies - Intercept signIn/signUp/SSO/MFA mutations to set session cookie - Intercept signOut/revokeSession to clear cookies - Handle device token cookies for trusted device tracking - Parse grafserv BufferResult and inject Set-Cookie headers - Support both camelCase and snake_case token fields - Support nested result objects Includes comprehensive tests: - Auth failure scenarios (errors, null data, invalid token types) - Cookie clearing completeness (session + device token) - Environment-based security attributes - Grafserv Buffer parsing and header merging Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AuthCookiePlugin to graphile preset plugins array - Remove Express middleware approach (doesn't work with grafserv) - Add CSRF middleware after authenticate, before graphile - Update server.ts middleware order Middleware chain: cors → api → authenticate → captcha → csrf → graphile (with AuthCookiePlugin) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add CSRF error detection to error handler so CSRF validation failures return proper 403 Forbidden status instead of generic 500. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add cookie-parser middleware to support CSRF double-submit pattern - Parse GraphQL body from grafserv's getBody() buffer in AuthCookiePlugin - Set cookies directly on Express response to ensure proper HTTP headers - Fix NaN maxAge by handling unparseable authSettings values The AuthCookiePlugin now correctly intercepts auth mutations and sets session cookies via the Express response, ensuring multiple Set-Cookie headers are sent separately as required by HTTP spec. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Read constructive_device_token cookie in auth middleware - Attach to req.deviceToken for downstream access - Pass as jwt.claims.device_token to DB procedures - Enables trusted device recognition in sign-in flows Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Test device token cookie parsing in auth middleware - Test device token context passing in graphile preset - Covers edge cases: missing cookie, URL encoding, special chars Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
theothersideofgod
force-pushed
the
feat/cookie-lifecycle-csrf-749
branch
from
3f7ab3d to
9b0e35f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implement complete cookie authentication lifecycle and CSRF protection (Issue #749 — Phase 1 of #735)
Architecture
CSRF Protection
Commits
7f9b7a4960efce2f1f37bd133c29e393e6bb1a0c73b1190bcc3310d29b0e35fTotal test coverage: ~1700 lines
Files Changed
Core Implementation
middleware/cookie.tsplugins/auth-cookie-plugin.tsserver.tsIntegration
middleware/auth.tsmiddleware/graphile.tsmiddleware/api.tsmiddleware/error-handler.tsDependencies
How to Test
Not Included (Future Work)
Closes #749
🤖 Generated with Claude Code