refactor: replace localStorage with HTTP-only cookies for auth tokens (#24365)

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com>
2025-10-19 21:29:04 +08:00
parent 141ca8904a
commit 9a5f214623
60 changed files with 879 additions and 533 deletions
--- a/api/tests/unit_tests/libs/test_external_api.py
+++ b/api/tests/unit_tests/libs/test_external_api.py
@@ -2,7 +2,9 @@ from flask import Blueprint, Flask
 from flask_restx import Resource
 from werkzeug.exceptions import BadRequest, Unauthorized

+from constants import COOKIE_NAME_ACCESS_TOKEN, COOKIE_NAME_CSRF_TOKEN, COOKIE_NAME_REFRESH_TOKEN
 from core.errors.error import AppInvokeQuotaExceededError
+from libs.exception import BaseHTTPException
 from libs.external_api import ExternalApi


@@ -120,3 +122,66 @@ def test_external_api_param_mapping_and_quota_and_exc_info_none():
        assert res.status_code in (400, 429)
    finally:
        ext.sys.exc_info = orig_exc_info  # type: ignore[assignment]
+
+
+def test_unauthorized_and_force_logout_clears_cookies():
+    """Test that UnauthorizedAndForceLogout error clears auth cookies"""
+
+    class UnauthorizedAndForceLogout(BaseHTTPException):
+        error_code = "unauthorized_and_force_logout"
+        description = "Unauthorized and force logout."
+        code = 401
+
+    app = Flask(__name__)
+    bp = Blueprint("test", __name__)
+    api = ExternalApi(bp)
+
+    @api.route("/force-logout")
+    class ForceLogout(Resource):  # type: ignore
+        def get(self):  # type: ignore
+            raise UnauthorizedAndForceLogout()
+
+    app.register_blueprint(bp, url_prefix="/api")
+    client = app.test_client()
+
+    # Set cookies first
+    client.set_cookie(COOKIE_NAME_ACCESS_TOKEN, "test_access_token")
+    client.set_cookie(COOKIE_NAME_CSRF_TOKEN, "test_csrf_token")
+    client.set_cookie(COOKIE_NAME_REFRESH_TOKEN, "test_refresh_token")
+
+    # Make request that should trigger cookie clearing
+    res = client.get("/api/force-logout")
+
+    # Verify response
+    assert res.status_code == 401
+    data = res.get_json()
+    assert data["code"] == "unauthorized_and_force_logout"
+    assert data["status"] == 401
+    assert "WWW-Authenticate" in res.headers
+
+    # Verify Set-Cookie headers are present to clear cookies
+    set_cookie_headers = res.headers.getlist("Set-Cookie")
+    assert len(set_cookie_headers) == 3, f"Expected 3 Set-Cookie headers, got {len(set_cookie_headers)}"
+
+    # Verify each cookie is being cleared (empty value and expired)
+    cookie_names_found = set()
+    for cookie_header in set_cookie_headers:
+        # Check for cookie names
+        if COOKIE_NAME_ACCESS_TOKEN in cookie_header:
+            cookie_names_found.add(COOKIE_NAME_ACCESS_TOKEN)
+            assert '""' in cookie_header or "=" in cookie_header  # Empty value
+            assert "Expires=Thu, 01 Jan 1970" in cookie_header  # Expired
+        elif COOKIE_NAME_CSRF_TOKEN in cookie_header:
+            cookie_names_found.add(COOKIE_NAME_CSRF_TOKEN)
+            assert '""' in cookie_header or "=" in cookie_header
+            assert "Expires=Thu, 01 Jan 1970" in cookie_header
+        elif COOKIE_NAME_REFRESH_TOKEN in cookie_header:
+            cookie_names_found.add(COOKIE_NAME_REFRESH_TOKEN)
+            assert '""' in cookie_header or "=" in cookie_header
+            assert "Expires=Thu, 01 Jan 1970" in cookie_header
+
+    # Verify all three cookies are present
+    assert len(cookie_names_found) == 3
+    assert COOKIE_NAME_ACCESS_TOKEN in cookie_names_found
+    assert COOKIE_NAME_CSRF_TOKEN in cookie_names_found
+    assert COOKIE_NAME_REFRESH_TOKEN in cookie_names_found