Conversation

@gkorland
Contributor

No description provided.

Copilot AI and others added 7 commits August 25, 2025 16:39
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Fix pylint style issues: C0301, C0303, C0304
@gkorland gkorland requested review from Copilot and galshubeli August 26, 2025 08:20
@coderabbitai
Contributor

coderabbitai bot commented Aug 26, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@github-actions

github-actions bot commented Aug 26, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

redirect = RedirectResponse(url="/", status_code=302)
redirect.set_cookie(
key="api_token",
value=api_token,

Check failure

Code scanning / CodeQL

Clear-text storage of sensitive information High

This expression stores
sensitive data (password)
as clear text.

Copilot Autofix

AI 5 months ago

To fix this issue, refactor the code so that the user's browser never receives the raw API token. Instead, store in the cookie a randomly generated session ID (not the token itself). On the server, maintain a mapping from session ID to the user's API token (and, if necessary, metadata).

Specifically:

  • On login, generate a secure session ID (use secrets.token_urlsafe() for the ID as well).
  • Store the mapping {session_id: api_token} server-side. (Since you can’t see the server-side store here, insert a TODO or a placeholder, e.g., a call to a notional function store_session_token(session_id, api_token)).
  • Set only the session_id (not the api_token) in the cookie.
  • On subsequent requests, retrieve the session ID from the cookie and look up the real API token using this mapping.
  • Make sure to update any subsequent code that relies on api_token from the cookie (here, just update setting the cookie).

Necessary changes:

  • Replace setting api_token in the redirect.set_cookie() call with setting a server-managed session ID.
  • Add a placeholder for storing the session ID and API token mapping (since you do not have access to the actual server-side storage logic).
  • Add import if adding any new library (not needed here, since you already import secrets).
  • Leave a TODO/comment for the session mapping where persistent storage would be handled.
Suggested changeset 1
api/routes/auth.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/api/routes/auth.py b/api/routes/auth.py
--- a/api/routes/auth.py
+++ b/api/routes/auth.py
@@ -162,14 +162,19 @@
             handler = getattr(request.app.state, "callback_handler", None)
             if handler:
                 api_token = secrets.token_urlsafe(32)  # ~43 chars, hard to guess
+                session_id = secrets.token_urlsafe(32)  # Session cookie value, also random
 
+                # Store session_id --> api_token mapping in a secure server-side store.
+                # TODO: Implement persistent session management. E.g.:
+                # await store_session_token(session_id, api_token)
+
                 # call the registered handler (await if async)
                 await handler('google', user_data, api_token)
 
                 redirect = RedirectResponse(url="/", status_code=302)
                 redirect.set_cookie(
-                    key="api_token",
-                    value=api_token,
+                    key="session_id",
+                    value=session_id,
                     httponly=True,
                     secure=True
                 )
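Review bot: the session_id to api_token mapping in this hunk exists only as a commented-out TODO (`# await store_session_token(session_id, api_token)`), so after the change the browser holds a `session_id` that nothing on the server can resolve back to the `api_token`; unless the server-side store and the lookup on incoming requests land in the same change, this breaks login rather than hardening it. The `set_cookie` call keeps `httponly=True` and `secure=True` but sets no `samesite` and no `max_age`; adding `samesite="lax"` and a bounded `max_age` stops the session cookie from riding along on cross-site requests and limits how long a stolen cookie stays usable. Whether CodeQL's "password" label fits is a separate question; `api_token` is a bearer credential either way, and the hunk still passes it in clear text to `handler(...)`.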
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
Contributor Author

Which sensitive data? We don't store the password.

redirect = RedirectResponse(url="/", status_code=302)
redirect.set_cookie(
key="api_token",
value=api_token,

Check failure

Code scanning / CodeQL

Clear-text storage of sensitive information High

This expression stores
sensitive data (password)
as clear text.

Copilot Autofix

AI 5 months ago

General approach:
Always avoid storing sensitive tokens directly in client cookies. Instead, generate a random session identifier on the server, map it (in a database or in-memory cache) to the sensitive token server-side, and set only the opaque session identifier as a cookie. When the client returns with this session ID, the server fetches the sensitive token as needed.

Detailed fix:
In api/routes/auth.py, after generating the api_token, also generate a random session ID (using a secure random generator). Store a mapping from this session ID to the api_token server-side (in-memory dict, Redis cache, database, etc.—must be persistent if the server can be restarted). Set only the session ID in the cookie. Later, code retrieving the token (not shown in this snippet) should look up the token by the session ID.

What needs to be changed:

  • After generating api_token, generate a session_id.
  • Store {session_id: api_token} in an in-memory dictionary or preferred storage.
  • Set session_id (not api_token) as the cookie value.

Additional needs:

  • A storage for the mapping, e.g., a dictionary attached to app.state (for demo/fix purposes), or a simple process-wide global dict.
  • Update the cookie setter to store the session ID instead.
  • (If code to look up the token from the session ID exists elsewhere, it must be updated to perform the lookup; for the scope of this fix, we limit ourselves only to changing what's shown.)

Suggested changeset 1
api/routes/auth.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/api/routes/auth.py b/api/routes/auth.py
--- a/api/routes/auth.py
+++ b/api/routes/auth.py
@@ -245,14 +245,24 @@
             if handler:
 
                 api_token = secrets.token_urlsafe(32)  # ~43 chars, hard to guess
+                session_id = secrets.token_urlsafe(32)  # New session id
 
+                # Store the api_token server-side, associated with session_id
+                # Use app.state to store session mappings if available, else global
+                session_store = getattr(request.app.state, "session_store", None)
+                if session_store is None:
+                    # Attach a dict to app.state for session mappings
+                    session_store = {}
+                    setattr(request.app.state, "session_store", session_store)
+                session_store[session_id] = api_token
+
                 # call the registered handler (await if async)
                 await handler('github', user_data, api_token)
 
                 redirect = RedirectResponse(url="/", status_code=302)
                 redirect.set_cookie(
-                    key="api_token",
-                    value=api_token,
+                    key="session_id",
+                    value=session_id,
                     httponly=True,
                     secure=True
                 )
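Review bot: the `session_store` dict attached to `request.app.state` is per-process and unbounded: every login adds an entry, nothing expires or removes one, the mapping is lost on restart, and it is not shared across workers, so a multi-worker deployment will reject sessions that another worker created. A shared store with a TTL (the hunk's own comment names Redis or a database) and the matching lookup path for incoming requests need to exist before the cookie is swapped, otherwise `session_id` cannot be turned back into `api_token`. Minor: `setattr(request.app.state, "session_store", session_store)` can simply be `request.app.state.session_store = session_store`, and as in the other hunk `set_cookie` would benefit from `samesite="lax"` and a `max_age`.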
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
Contributor Author

We don't store the password.
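Both autofix comments above describe the same pattern (an opaque session id in the cookie, the API token kept server-side) but leave the store and the lookup side out. The following is an added, stdlib-only example of that missing piece, not code from the PR or the project: the store keeps session ids hashed, expires entries, and `session_cookie_kwargs` is an assumed helper producing the arguments one would pass to Starlette's `Response.set_cookie`.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Maps an opaque session id (the only value the browser receives) to the
    user's api_token, which never leaves the server. Ids are stored hashed, so
    a leaked store does not yield usable cookies, and entries expire."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for tests
        self._entries = {}           # sha256(session_id) -> (api_token, expires_at)

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, api_token):
        """Issue a fresh random session id bound to api_token; returns the id."""
        session_id = secrets.token_urlsafe(32)
        self._entries[self._key(session_id)] = (api_token, self._clock() + self._ttl)
        return session_id

    def lookup(self, session_id):
        """Resolve a cookie value back to the api_token, or None if unknown/expired."""
        entry = self._entries.get(self._key(session_id))
        if entry is None:
            return None
        api_token, expires_at = entry
        if self._clock() >= expires_at:
            self.revoke(session_id)  # lazily drop expired entries
            return None
        return api_token

    def revoke(self, session_id):
        """Logout: forget the session so the cookie stops working immediately."""
        self._entries.pop(self._key(session_id), None)


def session_cookie_kwargs(session_id, max_age=3600):
    """Assumed helper: attributes for a hardened session cookie. Only the opaque
    id goes to the browser; HttpOnly keeps it from scripts, Secure keeps it off
    plain HTTP, SameSite=Lax keeps it off cross-site requests."""
    return {"key": "session_id", "value": session_id, "httponly": True,
            "secure": True, "samesite": "lax", "max_age": max_age}
```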

Contributor

Copilot AI left a comment

Pull Request Overview

This PR transitions the authentication system from session-based cookies to token-based authentication. The key change involves storing user authentication tokens in the database and using HTTP-only cookies to manage session state instead of server-side sessions.

Key changes:

  • Replaces session-based authentication with API tokens stored in the database
  • Changes user graph namespacing from underscore (_) to pipe (|) separator
  • Migrates JavaScript functionality from inline scripts to TypeScript modules

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
api/routes/auth.py Major authentication system overhaul - token generation, cookie management, and simplified OAuth flows
api/auth/user_management.py Database-based token validation replacing session validation with new token management functions
api/auth/oauth_handlers.py Simplified OAuth callback handlers to use unified token-based approach
api/routes/graphs.py Updated graph namespacing from underscore to pipe separator for user isolation
api/loaders/*.py Updated database loaders to use new pipe separator for graph naming
app/ts/modules/left_toolbar.ts New TypeScript module extracting left toolbar functionality from inline scripts
app/ts/app.ts Integration of new left toolbar module into main application
app/templates/components/left_toolbar.j2 Removed inline JavaScript in favor of TypeScript module

gkorland and others added 2 commits August 26, 2025 11:27
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@gkorland gkorland changed the base branch from main to staging August 26, 2025 08:45
@gkorland gkorland marked this pull request as ready for review August 26, 2025 08:46
galshubeli
galshubeli previously approved these changes Aug 26, 2025
@gkorland gkorland merged commit 9dfab3f into staging Aug 26, 2025
6 of 8 checks passed
@gkorland gkorland deleted the login branch August 26, 2025 10:49