Fix user authentication.

* Use X-JWT header for sending authentication info both from server to client and from client to server. * Send token in body of login response. * Also use Set-Cookie: JWT=… so that calls that are not issued directly by Dougal (e.g. Deck.gl layers with a URL `data` property) work without having to jump through hoops. Closes #321
2025-12-06 10:57:07 +00:00 · 2025-08-06 10:21:37 +02:00
parent 17b9d60715
commit be5c6f1fa3
9 changed files with 107 additions and 66 deletions
--- a/lib/www/server/api/middleware/user/login.js
+++ b/lib/www/server/api/middleware/user/login.js
@@ -6,8 +6,10 @@ async function login (req, res, next) {
 		const {user, password} = req.body;
 		const payload = await jwt.checkValidCredentials({user, password});
 		if (payload) {
-			jwt.issue(payload, req, res);
-			res.status(204).send();
+			const token = jwt.issue(payload, req, res);
+			res.set("X-JWT", token);
+			res.set("Set-Cookie", `JWT=${token}`); // For good measure
+			res.status(200).send({token});
 			next();
 			return;
 		} else {
--- a/lib/www/server/lib/jwt.js
+++ b/lib/www/server/lib/jwt.js
@@ -43,7 +43,8 @@ function issue (payload, req, res) {
 	}

 	if (res) {
-		res.cookie("JWT", token, {maxAge: cfg.jwt.options.expiresIn*1000 || 0});
+		res.set("X-JWT", token);
+		res.set("Set-Cookie", `JWT=${token}`); // For good measure
 	}

 	return token;
@@ -51,5 +52,6 @@ function issue (payload, req, res) {

 module.exports = {
 	checkValidCredentials,
-	issue
+	issue,
+	decode: JWT.decode
 };