scripte/timemaster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Refresh-Endpoint bevorzugt Body-Token über Cookie (Token-Rotation Test)
Security Audit / Python Dependency Audit (push) Has been cancelled
Details
Security Audit / Node.js Dependency Audit (push) Has been cancelled
Details

Browse Source 
Body-Token hat Vorrang wenn explizit angegeben — verhindert dass
httpx-Cookie-Jar im Test den alten Token mit dem neuen Cookie überschreibt.
Browser-Clients senden keinen Body, nutzen weiterhin Cookie.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
patrick
2026-05-26 13:14:44 +02:00
parent f2e997475e
commit a870ac64a5
1 changed files with 5 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/auth.py
+5 -8
View File
@@ -75,10 +75,9 @@ async def login(request: Request, response: Response, data: LoginRequest, db: As
@router.post("/refresh", response_model=TokenResponse) @router.post("/refresh", response_model=TokenResponse)
@limiter.limit("30/minute") @limiter.limit("30/minute")
async def refresh(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)): async def refresh(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
# Cookie bevorzugen, Body als Fallback (Rückwärtskompatibilität für API-Clients) # Body-Token hat Vorrang wenn explizit angegeben (API-Clients, Tests, Replay-Detection)
token = request.cookies.get(_COOKIE_NAME) # Cookie als Fallback für Browser-Clients
if not token and data: token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
token = data.refresh_token
if not token: if not token:
raise HTTPException(status_code=401, detail="Kein Refresh-Token") raise HTTPException(status_code=401, detail="Kein Refresh-Token")
result = await auth_service.refresh(token, db) result = await auth_service.refresh(token, db)
@@ -91,10 +90,8 @@ async def refresh(request: Request, response: Response, data: RefreshRequest | N
@router.post("/logout", response_model=MessageResponse) @router.post("/logout", response_model=MessageResponse)
@limiter.limit("60/minute") @limiter.limit("60/minute")
async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)): async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
# Cookie bevorzugen, Body als Fallback # Body-Token hat Vorrang wenn explizit angegeben, Cookie als Fallback
token = request.cookies.get(_COOKIE_NAME) token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
if not token and data:
token = data.refresh_token
if token: if token:
await auth_service.logout(token, db) await auth_service.logout(token, db)
_delete_refresh_cookie(response) _delete_refresh_cookie(response)