refactor: move auth token to HttpOnly cookie, fix CORS and artefacts

Backend:
- Set JWT as HttpOnly cookie on login, add cookie fallback in auth middleware
- Add /auth/logout endpoint to clear cookie
- Fix CORS to echo origin with Allow-Credentials for withCredentials requests
- Make SPA static serving optional via SERVE_SPA config flag

Frontend:
- Remove manual token management; rely on HttpOnly cookie + withCredentials
- Simplify auth-slice to authenticated boolean flag
- Fix Artefact interface to match backend fields (sha256Hash, fileName, fileSize)
- Fix artefact upload endpoint and send version in FormData
- Use KiB/MiB for file size display
- Move Redux hooks from store/hooks to hooks/store
This commit is contained in:
2026-07-07 15:57:26 +08:00
parent 163f5641e5
commit 442a1e2f9f
18 changed files with 307 additions and 209 deletions
+12 -1
View File
@@ -28,5 +28,16 @@ func (h *Handler) Login(c *gin.Context) {
return
}
c.JSON(http.StatusOK, resp)
// Set JWT as HttpOnly cookie so the frontend doesn't need to manage it.
// The browser sends it automatically on every request.
maxAge := h.svc.ExpiryHrs() * 3600
c.SetCookie("pipely_token", resp.Token, maxAge, "/", "", false, true)
c.JSON(http.StatusOK, gin.H{"message": "Login successful"})
}
func (h *Handler) Logout(c *gin.Context) {
// Clear the auth cookie by setting MaxAge=-1
c.SetCookie("pipely_token", "", -1, "/", "", false, true)
c.JSON(http.StatusOK, gin.H{"message": "Logged out"})
}
+4
View File
@@ -33,6 +33,10 @@ func NewService(db *gorm.DB, secret []byte, expiryHrs int) *Service {
}
}
func (s *Service) ExpiryHrs() int {
return int(s.expiry.Hours())
}
func (s *Service) Login(username, password string) (*model.LoginResponse, error) {
user, err := database.GetAdminUserByUsername(s.db, username)
if err != nil {