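// auth_controller
/**
 * Creates a new account and authenticates it in the same request.
 *
 * The user row is built from the validated payload, an access token is issued
 * for it through the `api` guard, and the token is handed to the browser as
 * the `token` cookie.
 *
 * @param ctx.request  validated against `registerValidator`
 * @param ctx.response carries the `token` cookie and the 201 body
 * @param ctx.auth     issues the access token via the `api` guard
 * @returns the 201 response with the confirmation message
 */
async register({ request, response, auth }: HttpContext) {
  const payload = await request.validateUsing(registerValidator)
  const user = await User.create({
    id: randomUUID(),
    username: payload.username,
    email: payload.email,
    password: payload.password,
    // The admin flag must not come from a self-service registration payload:
    // an unauthenticated caller could otherwise grant itself admin rights at
    // sign-up. New accounts start unprivileged; promotion belongs to a
    // separately authorised path.
    is_admin: false,
  })
  const token = await auth.use('api').createToken(user)
  return response
    // httpOnly keeps the token out of reach of page scripts and secure is
    // required by browsers for SameSite=None cookies. The framework's cookie
    // defaults may already set both; stating them here makes the intent explicit.
    .cookie('token', token.value?.release(), { httpOnly: true, secure: true, sameSite: 'none' })
    .created({ message: 'Utilisateur créé & authentifié' })
}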
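/**
 * Authenticates an existing user from an email + password pair.
 *
 * On success a fresh access token is issued through the `api` guard and
 * returned to the browser as the `token` cookie.
 *
 * @param ctx.request  validated against `loginValidator`
 * @param ctx.response carries the `token` cookie and the 200 body
 * @param ctx.auth     issues the access token via the `api` guard
 * @returns the 200 response with the confirmation message
 */
async login({ request, response, auth }: HttpContext) {
  const payload = await request.validateUsing(loginValidator)
  // verifyCredentials is expected to throw on a bad pair rather than return
  // null; the error is left to the framework's exception handler so that this
  // handler never distinguishes "unknown email" from "wrong password" itself.
  const user = await User.verifyCredentials(payload.email, payload.password)
  const token = await auth.use('api').createToken(user)
  return response
    // Same cookie policy as register(): script-inaccessible, HTTPS-only,
    // and secure is mandatory for a SameSite=None cookie to be accepted.
    .cookie('token', token.value?.release(), { httpOnly: true, secure: true, sameSite: 'none' })
    .ok({ message: 'Connecté' })
}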
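/**
 * Revokes the caller's current access token and clears the `token` cookie.
 *
 * `auth.authenticate()` resolves the token (from the `Authorization` header,
 * which the token middleware may have filled from the cookie); the token row
 * is then invalidated in the database.
 *
 * @param ctx.response clears the cookie and carries the result body
 * @param ctx.auth     resolves and invalidates the token via the `api` guard
 * @param ctx.logger   request-scoped logger for the failure path
 * @returns 200 on success, 401 when the token could not be authenticated or revoked
 */
async logout({ response, auth, logger }: HttpContext) {
  try {
    await auth.authenticate()
    await auth.use('api').invalidateToken()
    response.clearCookie('token')
    return response.ok({ message: 'Successfully logged out' })
  } catch (error) {
    // Keep the failure details server-side: echoing the caught error object to
    // the client can expose stack traces and internal messages. The client only
    // needs to know the request was rejected.
    logger.warn({ err: error }, 'Logout failed')
    // A cookie that no longer authenticates is of no use to the browser; drop
    // it so the client does not keep resending a stale token.
    response.clearCookie('token')
    return response.unauthorized({ message: 'Logging out error' })
  }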
}
// auth.service.ts
/**
 * POSTs `body` as JSON to `url` and normalises the outcome into an ApiResponse.
 *
 * Non-2xx replies become an error carrying the HTTP status and status text.
 * Anything that throws — network failure, the 10 s timeout, a body that is not
 * JSON — becomes an error with code 0 and a message derived from the exception.
 * Cookies are sent cross-origin (`credentials: 'include'`), so the server's
 * CORS policy has to allow credentials for this origin.
 *
 * @param url  endpoint to post to
 * @param body optional credentials payload, serialised as JSON when present
 * @returns the parsed JSON on success, otherwise an error descriptor
 */
async send(
  url: string,
  body?: LoginCredentials | SignupCredentials
): Promise<ApiResponse> {
  const failure = (message: string, code: number) => ({
    error: { message, code },
    data: null,
  });
  try {
    const init: RequestInit = {
      signal: AbortSignal.timeout(10000),
      method: 'POST',
      mode: 'cors',
      credentials: 'include',
      headers: {
        'Content-Type': 'application/json',
      },
    };
    if (body) {
      init.body = JSON.stringify(body);
    }
    const reply = await fetch(url, init);
    if (!reply.ok) {
      return failure(reply.statusText, reply.status);
    }
    // The parsed body is whatever the server sent; callers should treat it as
    // unvalidated input rather than rely on its shape.
    const data = await reply.json();
    return { data, error: null, code: reply.status };
  } catch (error: unknown) {
    return failure(this.#extractErrorMessage(error), 0);
  }
}
// token_middleware
import type { HttpContext } from '@adonisjs/core/http'
import type { NextFn } from '@adonisjs/core/types/http'
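export default class TokenMiddleware {
  /**
   * Bridges the cookie-delivered access token to the bearer-token `api` guard.
   *
   * When the request carries the `token` cookie and no `Authorization` header
   * of its own, the cookie value is written as `Authorization: Bearer <token>`
   * on the underlying Node request, so that `auth.authenticate()` and
   * `invalidateToken()` downstream can resolve the token. An explicit
   * `Authorization` header always wins and is never overwritten.
   *
   * Security note: this makes the token an ambient credential. Because the
   * cookie is issued with `sameSite: 'none'` and the client fetches with
   * `credentials: 'include'`, cross-site requests carry it as well, so every
   * route behind this middleware needs CSRF protection (e.g. the shield CSRF
   * middleware, or an Origin/Referer check) that pure bearer auth would not.
   *
   * @param ctx  the current HTTP context
   * @param next the next handler in the pipeline
   * @returns whatever the downstream handler returns
   */
  async handle(ctx: HttpContext, next: NextFn) {
    const cookieToken = ctx.request.cookie('token')
    if (cookieToken && !ctx.request.header('Authorization')) {
      // Set on the raw Node request so that later readers (guards, other
      // middleware) presumably see it exactly as a client-sent header.
      ctx.request.request.headers.authorization = `Bearer ${cookieToken}`
    }
    return next()
  }
}
I managed to solve my issue by plugging a middleware that checks and adds an Authorization header from request cookie, so it can invalidateToken within the db. I don't know if my solution is a good one but here it is. |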
I am struggling with deleting access_tokens from the db after login; here is a piece of my code:
On the frontend, I use these fetch call options:
I send all of my cookies as HttpOnly, Secure and SameSite='none' because, as far as I know, allowing cookie manipulation makes a website vulnerable to XSS attacks (I don't know if it is that strict; I'm still in college). From what I understood, I have to add an Authorization bearer header to my fetch options, but how could I grab the token and put it there without compromising security?
Thank you for any advice.