Support session/cookie based auth, see #1108 (!1126) · Merge requests · funkwhale / funkwhale

Agate requested to merge 1108-session-auth into develop May 18, 2020

Initially, I wanted to use oauth for the web app UI, but it's not possible: to validate an oauth login, you must be authenticated, so there is a loop here ;) See #1108 (closed).

Since in 99% of cases the webapp is on the same domain as the API, it's way easier and more secure to use session/cookie based auth.

This MR does that by:

Adding the necessary logic for cookie based login/logout on the API
Update the front-end to use the new session-based auth
Implement CSRF checks and header passing (because cookie based auth is vulnerable to this kind of attacks)
(unrelated) more consistent URL schemes, everything that is auth/user related is now under /api/v1/users

For the remaining 1% cases, where we won't be able to use cookie based auth because the front-end is served on another domain, we can use OAuth (to be implemented): the front-end will be considered as a separate oauth app and use OAuth for everything.

Edited May 18, 2020 by Agate

Support session/cookie based auth, see #1108

Merge request reports