refactor(auth): require bearer token only, drop legacy token header and cookie
Authenticate requests solely from the Authorization: Bearer header on the server; stop accepting the legacy `token` header and `usertoken` cookie. The frontend no longer sets auth cookies (only clears legacy ones), omits credentials on all requests, and drops the redundant `token` header. Project event SSE now streams over fetch so it can carry the Authorization header, which EventSource cannot. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -34,20 +34,7 @@ func UserContextMiddleware(authenticator bearerAuthenticator) func(http.HandlerF
|
||||
}
|
||||
|
||||
func userIDFromRequestAuth(ctx context.Context, r *http.Request, authenticator bearerAuthenticator) (string, bool) {
|
||||
if tokenUserID, ok := authenticator.UserIDFromBearer(ctx, r.Header.Get("Authorization")); ok {
|
||||
return tokenUserID, true
|
||||
}
|
||||
if token := strings.TrimSpace(r.Header.Get("token")); token != "" {
|
||||
if tokenUserID, ok := authenticator.UserIDFromBearer(ctx, "Bearer "+token); ok {
|
||||
return tokenUserID, true
|
||||
}
|
||||
}
|
||||
if cookie, err := r.Cookie("usertoken"); err == nil && strings.TrimSpace(cookie.Value) != "" {
|
||||
if tokenUserID, ok := authenticator.UserIDFromBearer(ctx, "Bearer "+cookie.Value); ok {
|
||||
return tokenUserID, true
|
||||
}
|
||||
}
|
||||
return "", false
|
||||
return authenticator.UserIDFromBearer(ctx, r.Header.Get("Authorization"))
|
||||
}
|
||||
|
||||
func requiresAuthenticatedUser(r *http.Request) bool {
|
||||
|
||||
Reference in New Issue
Block a user