
Support session/cookie based auth, see #1108

Agate requested to merge 1108-session-auth into develop

Initially, I wanted to use oauth for the web app UI, but it's not possible: to validate an oauth login, you must be authenticated, so there is a loop here ;) See #1108 (closed).

Since in 99% of cases the webapp is on the same domain as the API, it's way easier and more secure to use session/cookie based auth.

This MR does that by:

  • Adding the necessary logic for cookie-based login/logout on the API
  • Updating the front-end to use the new session-based auth
  • Implementing CSRF checks and header passing (because cookie-based auth is vulnerable to this kind of attack)
  • (unrelated) more consistent URL schemes: everything that is auth/user related is now under /api/v1/users

For the remaining 1% cases, where we won't be able to use cookie based auth because the front-end is served on another domain, we can use OAuth (to be implemented): the front-end will be considered as a separate oauth app and use OAuth for everything.

Edited by Agate
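The pattern the merge request describes (session cookie for authentication, a separate CSRF token that the front-end reads from a cookie and echoes back in a request header, with the API rejecting unsafe requests whose header does not match the cookie) can be shown end to end in a few lines. The following is an added illustration, not code from this merge request or the project; the in-memory session store, the `Request` dataclass, the cookie and header names (`sessionid`, `csrftoken`, `X-CSRFToken`) and the `/api/v1/users/...` paths used in the comments are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SESSION_COOKIE = "sessionid"   # assumed name; HttpOnly, never read by JS
CSRF_COOKIE = "csrftoken"      # assumed name; readable by JS on purpose
CSRF_HEADER = "X-CSRFToken"    # assumed name; front-end copies cookie value here

# Constructed in-memory session store for the example: session id -> username.
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by the API."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def set_cookie_header(name, value, http_only, same_site="Lax"):
    """Build a Set-Cookie header value with the attributes that matter here.

    The session cookie is HttpOnly so script cannot read it; the CSRF cookie
    is not, because the front-end must read it to pass it as a header.
    """
    parts = [f"{name}={value}", "Path=/", "Secure", f"SameSite={same_site}"]
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def login(username):
    """Create a session and return the cookies the login response should set."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    csrf_token = secrets.token_urlsafe(32)
    return {SESSION_COOKIE: session_id, CSRF_COOKIE: csrf_token}


def logout(request):
    """Invalidate the session named by the request's session cookie."""
    SESSIONS.pop(request.cookies.get(SESSION_COOKIE), None)


def get_header(request, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in request.headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_ok(request):
    """Double-submit check: unsafe methods must carry a header equal to the cookie.

    A cross-site page can make the browser send the cookies, but it cannot read
    the CSRF cookie and so cannot set a matching custom header.
    """
    if request.method.upper() in SAFE_METHODS:
        return True
    cookie = request.cookies.get(CSRF_COOKIE)
    header = get_header(request, CSRF_HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)   # constant-time comparison


def authenticate(request):
    """Return (HTTP status, username) for a cookie-authenticated request."""
    user = SESSIONS.get(request.cookies.get(SESSION_COOKIE))
    if user is None:
        return 401, None            # no valid session cookie
    if not csrf_ok(request):
        return 403, None            # session is valid but CSRF check failed
    return 200, user


if __name__ == "__main__":
    cookies = login("alice")
    print(set_cookie_header(SESSION_COOKIE, cookies[SESSION_COOKIE], http_only=True))
    # A state-changing request without the header is refused even with a session.
    print(authenticate(Request("POST", "/api/v1/users/logout", cookies=cookies)))
    # The front-end reads the CSRF cookie and passes it as a header.
    print(authenticate(Request("POST", "/api/v1/users/logout", cookies=cookies,
                               headers={CSRF_HEADER: cookies[CSRF_COOKIE]})))
```

The split between the two cookies is the point: the session cookie stays HttpOnly, and the front-end only ever needs the CSRF cookie's value, which it forwards as a header on every non-GET call. The check is skipped for safe methods, so the API must not perform state changes on GET.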
