refactor: replace localStorage with HTTP-only cookies for auth tokens (#24365)

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com>
2025-10-19 21:29:04 +08:00
parent 141ca8904a
commit 9a5f214623
60 changed files with 879 additions and 533 deletions
--- a/api/tests/unit_tests/controllers/console/auth/test_oauth.py
+++ b/api/tests/unit_tests/controllers/console/auth/test_oauth.py
@@ -179,9 +179,7 @@ class TestOAuthCallback:

        oauth_setup["provider"].get_access_token.assert_called_once_with("test_code")
        oauth_setup["provider"].get_user_info.assert_called_once_with("access_token")
-        mock_redirect.assert_called_once_with(
-            "http://localhost:3000?access_token=jwt_access_token&refresh_token=jwt_refresh_token"
-        )
+        mock_redirect.assert_called_once_with("http://localhost:3000")

    @pytest.mark.parametrize(
        ("exception", "expected_error"),
@@ -224,8 +222,8 @@ class TestOAuthCallback:
            # CLOSED status: Currently NOT handled, will proceed to login (security issue)
            # This documents actual behavior. See test_defensive_check_for_closed_account_status for details
            (
-                AccountStatus.CLOSED,
-                "http://localhost:3000?access_token=jwt_access_token&refresh_token=jwt_refresh_token",
+                AccountStatus.CLOSED.value,
+                "http://localhost:3000",
            ),
        ],
    )
@@ -268,6 +266,7 @@ class TestOAuthCallback:
        mock_token_pair = MagicMock()
        mock_token_pair.access_token = "jwt_access_token"
        mock_token_pair.refresh_token = "jwt_refresh_token"
+        mock_token_pair.csrf_token = "csrf_token"
        mock_account_service.login.return_value = mock_token_pair

        with app.test_request_context("/auth/oauth/github/callback?code=test_code"):
@@ -299,6 +298,12 @@ class TestOAuthCallback:
        mock_account.status = AccountStatus.PENDING
        mock_generate_account.return_value = mock_account

+        mock_token_pair = MagicMock()
+        mock_token_pair.access_token = "jwt_access_token"
+        mock_token_pair.refresh_token = "jwt_refresh_token"
+        mock_token_pair.csrf_token = "csrf_token"
+        mock_account_service.login.return_value = mock_token_pair
+
        with app.test_request_context("/auth/oauth/github/callback?code=test_code"):
            resource.get("github")

@@ -361,6 +366,7 @@ class TestOAuthCallback:
        mock_token_pair = MagicMock()
        mock_token_pair.access_token = "jwt_access_token"
        mock_token_pair.refresh_token = "jwt_refresh_token"
+        mock_token_pair.csrf_token = "csrf_token"
        mock_account_service.login.return_value = mock_token_pair

        # Execute OAuth callback
@@ -368,9 +374,7 @@ class TestOAuthCallback:
            resource.get("github")

        # Verify current behavior: login succeeds (this is NOT ideal)
-        mock_redirect.assert_called_once_with(
-            "http://localhost:3000?access_token=jwt_access_token&refresh_token=jwt_refresh_token"
-        )
+        mock_redirect.assert_called_once_with("http://localhost:3000")
        mock_account_service.login.assert_called_once()

        # Document expected behavior in comments: