feat(server): cookie lifecycle & CSRF enforcement (#749) #1117
Open
theothersideofgod wants to merge 9 commits into main from
Force-pushed fa376a0 to e5e066b
- Add SESSION_COOKIE_NAME and DEVICE_TOKEN_COOKIE_NAME constants
- Add getSessionCookieConfig() with rememberMe support
- Add getDeviceTokenCookieConfig() for 90-day device tokens
- Add cookie serialization helpers (set/clear)
- Add parseCookieValue() and request token extractors

Closes #749

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add @constructive-io/csrf dependency
- Wire csrfSetToken middleware (httpOnly=false for SPA access)
- Wire csrfProtect middleware on /graphql endpoint
- Skip CSRF for Bearer token auth (not vulnerable)
- Skip CSRF for anonymous requests (no session cookie)
- Add integration tests for CSRF skip conditions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add rememberMeDuration field to AuthSettings interface
- Query remember_me_duration from app_settings_auth table
- Used by cookie config when rememberMe=true in sign-in

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Implement grafserv middleware plugin to set/clear auth cookies
- Intercept signIn/signUp/SSO/MFA mutations to set session cookie
- Intercept signOut/revokeSession to clear cookies
- Handle device token cookies for trusted device tracking
- Parse grafserv BufferResult and inject Set-Cookie headers
- Support both camelCase and snake_case token fields
- Support nested result objects

Includes comprehensive tests:
- Auth failure scenarios (errors, null data, invalid token types)
- Cookie clearing completeness (session + device token)
- Environment-based security attributes
- Grafserv Buffer parsing and header merging

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add AuthCookiePlugin to graphile preset plugins array
- Remove Express middleware approach (doesn't work with grafserv)
- Add CSRF middleware after authenticate, before graphile
- Update server.ts middleware order

Middleware chain: cors → api → authenticate → captcha → csrf → graphile (with AuthCookiePlugin)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add CSRF error detection to error handler so CSRF validation failures return proper 403 Forbidden status instead of generic 500.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add cookie-parser middleware to support CSRF double-submit pattern
- Parse GraphQL body from grafserv's getBody() buffer in AuthCookiePlugin
- Set cookies directly on Express response to ensure proper HTTP headers
- Fix NaN maxAge by handling unparseable authSettings values

The AuthCookiePlugin now correctly intercepts auth mutations and sets session cookies via the Express response, ensuring multiple Set-Cookie headers are sent separately as required by HTTP spec.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Read constructive_device_token cookie in auth middleware
- Attach to req.deviceToken for downstream access
- Pass as jwt.claims.device_token to DB procedures
- Enables trusted device recognition in sign-in flows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Test device token cookie parsing in auth middleware
- Test device token context passing in graphile preset
- Covers edge cases: missing cookie, URL encoding, special chars

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
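The csrfProtect skip conditions from the CSRF commit, the 403 mapping from the error-handler commit, and the cookie parsing the device-token commits rely on, as an added example that is not the PR's own code: a pure TypeScript decision function with no Express or @constructive-io/csrf dependency. It assumes the CSRF cookie is named csrf_token and the header x-csrf-token (the real names used by the package are not given on this page); the session cookie name constructive_session is from the PR.

```typescript
const SESSION_COOKIE_NAME = "constructive_session"; // named in the PR
const CSRF_COOKIE_NAME = "csrf_token";              // assumed name
const CSRF_HEADER_NAME = "x-csrf-token";            // assumed name
interface RequestLike {
  headers: Record<string, string | undefined>; // lower-cased header names
}
type CsrfDecision = "skip-bearer" | "skip-anonymous" | "ok" | "forbidden";

// Minimal Cookie-header parser (the PR uses cookie-parser); URL-decodes values
// such as a device token, falling back to the raw value if decoding fails.
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Constant-time comparison so a mismatch does not leak where tokens differ.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function csrfDecision(req: RequestLike): CsrfDecision {
  // A Bearer token is attached by script, never by the browser, so a
  // cross-site request cannot carry one: skip, as the PR does.
  if (/^Bearer\s+\S+/i.test(req.headers["authorization"] ?? "")) return "skip-bearer";
  const cookies = parseCookies(req.headers["cookie"]);
  // No session cookie means no ambient credential for a forged request to ride.
  if (!cookies[SESSION_COOKIE_NAME]) return "skip-anonymous";
  // Double submit: the header value the SPA copied from the non-httpOnly
  // cookie must equal the cookie value the browser sent.
  const fromCookie = cookies[CSRF_COOKIE_NAME] ?? "";
  const fromHeader = req.headers[CSRF_HEADER_NAME] ?? "";
  if (!fromCookie || !fromHeader) return "forbidden";
  return constantTimeEqual(fromCookie, fromHeader) ? "ok" : "forbidden";
}

// The error handler turns a CSRF failure into 403 Forbidden, not a generic 500.
function csrfStatus(req: RequestLike): number {
  return csrfDecision(req) === "forbidden" ? 403 : 200;
}
```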
Force-pushed 3f7ab3d to 9b0e35f
Summary
- constructive_session cookie on auth mutation success, clear on sign-out
- constructive_device_token for trusted device tracking
- rememberMeDuration for extended session cookies

Implementation
Uses grafserv plugin instead of Express middleware because grafserv bypasses res.json() and res.cookie().

Files
- middleware/cookie.ts
- plugins/auth-cookie-plugin.ts
- server.ts
- middleware/graphile.ts
- types.ts + api.ts: rememberMeDuration

Tests
85 tests covering:

Closes #749

🤖 Generated with Claude Code