refactor(auth): require bearer token only, drop legacy token header and cookie

Authenticate requests solely from the Authorization: Bearer header on the
server; stop accepting the legacy `token` header and `usertoken` cookie.
The frontend no longer sets auth cookies (only clears legacy ones), omits
credentials on all requests, and drops the redundant `token` header. Project
event SSE now streams over fetch so it can carry the Authorization header,
which EventSource cannot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-09 01:09:39 +08:00
parent 263748af4a
commit a39e18950c
5 changed files with 179 additions and 64 deletions
+3 -3
View File
@@ -86,7 +86,7 @@ Development response includes an email preview so the frontend can render the sa
}
```
Returns an authenticated session with `accessToken`, `refreshToken`, and the user profile. Project creation, generation, upload, save, and deletion require this login token.
Returns an authenticated session with `accessToken`, `refreshToken`, and the user profile. Project creation, generation, upload, save, and deletion require `Authorization: Bearer <accessToken>`.
`POST /api/auth/global/google-login`
@@ -124,7 +124,7 @@ After binding succeeds, later QR logins use only `code` and `state`.
## Account
All account endpoints require the bearer token returned by login. Account profile state is owned by the auth module and persisted in PostgreSQL or the configured in-memory store.
All account endpoints require `Authorization: Bearer <accessToken>`. Cookie auth and the legacy `token` header are not used. Account profile state is owned by the auth module and persisted in PostgreSQL or the configured in-memory store.
`GET /api/account/profile`
@@ -151,7 +151,7 @@ Removes non-current devices when a future server-side session registry exists. I
`POST /api/account/logout`
Records a logout request server-side and returns `{"removed": 0}`. The frontend then clears its local access token and cookies.
Records a logout request server-side and returns `{"removed": 0}`. The frontend then clears its locally stored session.
## Projects