security: M-2 HttpOnly-Cookie + M-4 TrustedHost-Warning + M-5 TOTP-Lockout + M-7 zentraler get_client_ip()
M-2: Refresh-Token als HttpOnly SameSite=Strict Cookie - auth.py: _set_refresh_cookie/_delete_refresh_cookie Helpers - Alle Auth-Endpoints (login, totp/login, refresh, logout) nutzen Cookie - schemas/auth.py: refresh_token in Request/Response optional - AuthContext.tsx: kein refresh_token in localStorage - api/client.ts: credentials:include, kein Token-Body beim Refresh M-4: TrustedHostMiddleware Warning in Production - main.py: Startup-Warning wenn is_production + kein ALLOWED_HOSTS M-5: TOTP-Fehlversuche Redis-Lockout - auth.py: _check/_record/_clear_totp_lockout; 5 Versuche → 15 min Sperre M-7: Zentraler get_client_ip()-Helper - core/dependencies.py: get_client_ip() mit X-Real-IP → X-Forwarded-For → client.host - hours_payouts.py, absences.py, busylight.py: request.client.host ersetzt Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,29 +4,25 @@ const BASE_URL = '/api/v1'
|
||||
let _refreshing: Promise<string | null> | null = null
|
||||
|
||||
async function refreshAccessToken(): Promise<string | null> {
|
||||
const refreshToken = localStorage.getItem('refresh_token')
|
||||
if (!refreshToken) return null
|
||||
|
||||
// M-2: Kein refresh_token aus localStorage – Browser schickt HttpOnly-Cookie automatisch mit
|
||||
try {
|
||||
const res = await fetch(`${BASE_URL}/auth/refresh`, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ refresh_token: refreshToken }),
|
||||
credentials: 'include', // HttpOnly-Cookie mitschicken
|
||||
})
|
||||
if (!res.ok) {
|
||||
// Refresh fehlgeschlagen → ausloggen
|
||||
localStorage.removeItem('access_token')
|
||||
localStorage.removeItem('refresh_token')
|
||||
window.location.href = '/login'
|
||||
return null
|
||||
}
|
||||
const data = await res.json()
|
||||
localStorage.setItem('access_token', data.access_token)
|
||||
if (data.refresh_token) localStorage.setItem('refresh_token', data.refresh_token)
|
||||
// refresh_token kommt nicht mehr im Body (HttpOnly-Cookie)
|
||||
return data.access_token
|
||||
} catch {
|
||||
localStorage.removeItem('access_token')
|
||||
localStorage.removeItem('refresh_token')
|
||||
window.location.href = '/login'
|
||||
return null
|
||||
}
|
||||
@@ -40,7 +36,8 @@ async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
|
||||
}
|
||||
if (token) headers['Authorization'] = `Bearer ${token}`
|
||||
|
||||
const res = await fetch(`${BASE_URL}${path}`, { ...options, headers })
|
||||
// credentials: 'include' damit der HttpOnly-Cookie (refresh_token) bei Auth-Requests mitgeschickt wird
|
||||
const res = await fetch(`${BASE_URL}${path}`, { ...options, headers, credentials: 'include' })
|
||||
|
||||
// 401 → Token-Refresh versuchen, dann Request wiederholen
|
||||
if (res.status === 401 && !path.startsWith('/auth/')) {
|
||||
@@ -52,7 +49,7 @@ async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
|
||||
|
||||
// Request mit neuem Token wiederholen
|
||||
const retryHeaders = { ...headers, Authorization: `Bearer ${newToken}` }
|
||||
const retry = await fetch(`${BASE_URL}${path}`, { ...options, headers: retryHeaders })
|
||||
const retry = await fetch(`${BASE_URL}${path}`, { ...options, headers: retryHeaders, credentials: 'include' })
|
||||
if (!retry.ok) {
|
||||
const err = await retry.json().catch(() => ({ detail: retry.statusText }))
|
||||
const msg = typeof err.detail === 'string'
|
||||
@@ -85,7 +82,7 @@ async function requestForm<T>(path: string, form: FormData): Promise<T> {
|
||||
const headers: Record<string, string> = {}
|
||||
if (token) headers['Authorization'] = `Bearer ${token}`
|
||||
// No Content-Type header – browser sets multipart boundary automatically
|
||||
const res = await fetch(`${BASE_URL}${path}`, { method: 'POST', body: form, headers })
|
||||
const res = await fetch(`${BASE_URL}${path}`, { method: 'POST', body: form, headers, credentials: 'include' })
|
||||
if (!res.ok) {
|
||||
const err = await res.json().catch(() => ({ detail: res.statusText }))
|
||||
const msg = typeof err.detail === 'string'
|
||||
|
||||
@@ -17,19 +17,25 @@ export function AuthProvider({ children }: { children: ReactNode }) {
|
||||
const navigate = useNavigate()
|
||||
|
||||
async function login(email: string, password: string) {
|
||||
const data = await api.post<{ access_token: string; refresh_token: string }>(
|
||||
// refresh_token kommt nicht mehr im Body – nur noch als HttpOnly-Cookie
|
||||
const data = await api.post<{ access_token: string; refresh_token?: string | null }>(
|
||||
'/auth/login',
|
||||
{ email, password },
|
||||
)
|
||||
localStorage.setItem('access_token', data.access_token)
|
||||
localStorage.setItem('refresh_token', data.refresh_token)
|
||||
// refresh_token NICHT mehr in localStorage speichern (M-2: HttpOnly-Cookie)
|
||||
setToken(data.access_token)
|
||||
navigate('/dashboard')
|
||||
}
|
||||
|
||||
function logout() {
|
||||
async function logout() {
|
||||
// Cookie wird vom Backend gelöscht; kein refresh_token aus localStorage nötig
|
||||
try {
|
||||
await api.post('/auth/logout', {})
|
||||
} catch {
|
||||
// Logout-Fehler ignorieren – lokal trotzdem ausloggen
|
||||
}
|
||||
localStorage.removeItem('access_token')
|
||||
localStorage.removeItem('refresh_token')
|
||||
setToken(null)
|
||||
navigate('/login')
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user