## Vision

Migrate Sanctum authentication to a hybrid approach supporting both httpOnly cookie-based authentication (Web/PWA) and Bearer token authentication (native mobile) for enhanced security and platform flexibility.

## Status: COMPLETE (100%)

- Backend implementation: Fully complete (25.11.2025)
- Frontend implementation: Fully complete (25.11.2025)
## Sub-Issues & Work Plan

### Backend Implementation Phases

- Phase 1: CSRF Token Endpoint & Security Hardening (#210, "Backend PR-2") - Complete (23.11.2025)
- Phase 2: Sanctum Stateful Configuration & CORS Updates (#218) - Complete (25.11.2025)
- Phase 3: Integration Testing & Documentation (#219) - Complete (25.11.2025)

### Frontend Implementation (SecPal/frontend)

Frontend Epic: SecPal/frontend#208 - Complete (23.11.2025)

- frontend#210 localStorage Removal & httpOnly Cookie Migration - Complete
- frontend#211 CSRF Token Handling & Request Interceptor - Complete
- frontend#212 Integration Testing & Documentation - Complete
- frontend#227 CSRF Integration for secretApi - Complete

Note: Issues frontend#224, #225 and #226 were created after the implementation was already complete under Epic #208 and have been closed as duplicates.
## Success Criteria

- CSRF Protection: `/sanctum/csrf-cookie` endpoint accessible - Done
- httpOnly Cookies: Session cookies configured securely - Done
- Sanctum Stateful: Frontend domain whitelisted in `SANCTUM_STATEFUL_DOMAINS` - Done
- CORS Configured: `supports_credentials: true` for authenticated requests - Done
- Session Driver: Using the `database` driver with secure settings - Done
- Documentation: API docs (`docs/guides/sanctum-spa-auth.md`) and production deployment guide complete - Done
- All Tests Pass: 38 backend tests, 87 assertions + 28 frontend integration tests - Done
- Hybrid Authentication: Cookie-based (Web) + Bearer tokens (Mobile) documented - Done
## Security Improvements

Before (Token-based):

- Token stored in localStorage (readable by any script running on the page, so exfiltrable via XSS)
- Token accessible via JavaScript
- Manual token management required (storage, attachment to requests, cleanup on logout)
- No built-in expiration enforcement

After (httpOnly Cookies for Web/PWA):

- Session token in an httpOnly cookie (not readable by JavaScript, so an XSS cannot read it out)
- Browser attaches the cookie automatically
- CSRF protection via Sanctum's XSRF-TOKEN cookie and X-XSRF-TOKEN header check
- Server-side expiration control (session lifetime is enforced by the backend)
- Secure + SameSite flags on the session cookie

Maintained (Bearer Tokens for Native Apps):

- Simple API integration for mobile
- No CORS complexity
- Platform secure storage (Keychain/Keystore)
- Future-proof for Android/iOS apps
## Technical Architecture

### Hybrid Authentication Strategy

| Client Type          | Auth Method      |
|----------------------|------------------|
| Web SPA (Vite)       | httpOnly Cookies |
| PWA (Browser)        | httpOnly Cookies |
| Android App (Native) | Bearer Token     |
| iOS App (Native)     | Bearer Token     |
| Desktop App (Tauri)  | Bearer Token     |
| CLI / Scripts        | Bearer Token     |
Single Guard Configuration:

```php
// routes/api.php - Accepts BOTH authentication methods
Route::middleware(['auth:sanctum'])->group(function () {
    // Works with cookie-based (Web/PWA) OR Bearer token (Mobile/API) authentication
});
```

### Configuration Changes
Sanctum Configuration:

```php
// config/sanctum.php
'stateful' => explode(',', env(
    'SANCTUM_STATEFUL_DOMAINS',
    'localhost,localhost:5173,127.0.0.1,127.0.0.1:5173,::1'
)),
```

CORS Configuration:
```php
// config/cors.php
'supports_credentials' => true,
'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', 'http://localhost:5173')),
```

Session Configuration:
```php
// config/session.php
'driver' => env('SESSION_DRIVER', 'database'),
'http_only' => true,
'secure' => env('SESSION_SECURE_COOKIE', false), // true in production
'same_site' => 'lax',
```

### API Flow (Web/PWA - Cookie-based)
```text
1. Frontend: GET /sanctum/csrf-cookie
   Response: Set-Cookie: XSRF-TOKEN=...
2. Frontend: POST /v1/auth/token (credentials: 'include')
   Headers:  X-XSRF-TOKEN: <token>
   Response: Set-Cookie: secpal-session=... (httpOnly)
   Body:     { user: {...}, token: "..." }
3. Frontend: Subsequent requests include cookies automatically
   Headers:  Cookie: secpal-session=...
             X-XSRF-TOKEN: <token>
```
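The Web/PWA flow above as an added, illustrative client (not SecPal's frontend code). It assumes Laravel's default `XSRF-TOKEN` cookie (URL-encoded value) and `X-XSRF-TOKEN` header, takes `fetchImpl` and `getCookies` as injected dependencies so it can run outside a browser, and implements the 419 retry with a fresh token that the frontend tests cover.

```javascript
// Added example (not SecPal's own frontend code). fetchImpl is window.fetch in a
// browser; getCookies returns document.cookie. Both are injected for testability.
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Read one cookie from a document.cookie-style string ("a=1; XSRF-TOKEN=...").
// Laravel URL-encodes the XSRF-TOKEN value, so it is decoded before use.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

function createApiClient({ baseUrl, fetchImpl, getCookies }) {
  // Step 1 of the flow: ask the backend for a fresh XSRF-TOKEN cookie.
  const ensureCsrf = () =>
    fetchImpl(`${baseUrl}/sanctum/csrf-cookie`, { credentials: 'include' });

  async function request(method, path, body, retryOn419 = true) {
    const headers = { Accept: 'application/json' };
    if (body !== undefined) headers['Content-Type'] = 'application/json';
    if (MUTATING.has(method)) {
      // Mutating requests must carry the CSRF token; fetch one if none is present yet.
      let token = readCookie(getCookies(), 'XSRF-TOKEN');
      if (!token) { await ensureCsrf(); token = readCookie(getCookies(), 'XSRF-TOKEN'); }
      if (token) headers['X-XSRF-TOKEN'] = token;
    }
    // credentials: 'include' sends the httpOnly secpal-session cookie cross-origin.
    // The browser holds the session; nothing is written to localStorage.
    const res = await fetchImpl(`${baseUrl}${path}`, {
      method, headers, credentials: 'include',
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (res.status === 419 && retryOn419 && MUTATING.has(method)) {
      // 419 = CSRF token mismatch (e.g. expired session): refresh once, then retry.
      await ensureCsrf();
      return request(method, path, body, false);
    }
    return res;
  }

  // Step 2 of the flow: login; the session is established via Set-Cookie.
  const login = (email, password) =>
    request('POST', '/v1/auth/token', { email, password });
  return { request, login };
}
```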
### API Flow (Mobile - Token-based)

```text
1. Mobile App: POST /v1/auth/token
   Headers:  Content-Type: application/json
   Body:     { email, password }
   Response: { user: {...}, token: "1|abc123..." }
2. Store token in secure storage (Keychain/Keystore)
3. Subsequent requests:
   Headers:  Authorization: Bearer 1|abc123...
```
## Related Issues

Frontend (SecPal/frontend):

- frontend#205 - Complete - Duplicate Epic (closed, work done under #208)
- frontend#208 - Complete - Epic: httpOnly Cookie Authentication Migration
- frontend#210 - Complete - localStorage Removal
- frontend#211 - Complete - CSRF Token Handling
- frontend#212 - Complete - Integration Testing & Documentation
- frontend#227 - Complete - CSRF Integration for secretApi

Backend (this repo):

- #210 - Complete - CSRF Token Endpoint & Security Hardening (Backend PR-2)
- #218 - Complete - Sanctum Stateful Configuration & CORS Updates
- #219 - Complete - Integration Testing & Documentation
## Implementation Timeline

- Phase 1 (Complete): CSRF Token Endpoint - Issue #210 - Done (23.11.2025)
- Phase 2 (Complete): Sanctum Stateful Configuration - #218 - Done (25.11.2025)
- Phase 3 (Complete): Integration Testing & Documentation - #219 - Done (25.11.2025)

Backend Status: Complete (100%)
Frontend Status: Complete (100%)
Total Effort: 4 days (cross-repo)
Completion Date: 25 November 2025
## Completed Deliverables

### Documentation

- `docs/guides/sanctum-spa-auth.md` (571 lines) - Complete SPA authentication guide
- `docs/guides/production-deployment.md` (600+ lines) - Production deployment guide
- Frontend: `docs/authentication-migration.md` (600+ lines) - Developer migration guide

### Tests

- Backend: 38 tests, 87 assertions (all passing)
- Frontend: 28 integration tests (all passing)
- Total: 677 frontend tests passing

### Configuration

- `config/sanctum.php` - Stateful domains configured
- `config/cors.php` - Credentials support enabled
- `config/session.php` - httpOnly, SameSite=lax configured
- `.env.example` - Fully documented with all variables

### Quality Assurance

- Backend: PHPStan Level Max: 0 errors
- Backend: Laravel Pint PSR-12: 0 violations
- Frontend: TypeScript strict mode: Clean
- Frontend: ESLint: Clean
- CHANGELOG.md updated (both repos)
## Testing Strategy

Backend:

- Feature test: CSRF token endpoint accessible
- Feature test: Session configuration correct
- Feature test: Sanctum stateful domains configured
- Feature test: CORS credentials support
- Integration test: Login with credentials flow
- Integration test: Authenticated requests work
- Integration test: CSRF validation enforced
- Integration test: Logout clears session
- Integration test: Cross-origin requests work
- Security test: httpOnly flag set correctly
- Security test: Secure flag set in production
- Integration test: Concurrent device sessions
- Integration test: CORS preflight requests
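The two security tests above check the cookie flags that `config/session.php` sets. The following added example (not SecPal's test code) shows that check as a standalone audit of a login response's `Set-Cookie` headers: it verifies `HttpOnly`, `Secure` (in production) and `SameSite` on the session cookie and also confirms that `XSRF-TOKEN` is not `HttpOnly`, since the SPA must read it to send `X-XSRF-TOKEN`. The cookie name `secpal-session` comes from the flow above; the sample headers are constructed.

```javascript
// Added example (not SecPal's own code): audit Set-Cookie headers for the flags
// this epic configures. Sample header values below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs } with lower-cased
// attribute keys; flag attributes such as HttpOnly map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Returns a list of findings; an empty list means the cookies match the expected settings.
function auditSessionCookies(setCookieHeaders, { sessionName, production }) {
  const findings = [];
  const cookies = setCookieHeaders.map(parseSetCookie);
  const session = cookies.find((c) => c.name === sessionName);
  if (!session) return [`session cookie "${sessionName}" not set`];
  if (session.attrs.httponly !== true) findings.push('session cookie missing HttpOnly');
  if (production && session.attrs.secure !== true) {
    findings.push('session cookie missing Secure (required in production)');
  }
  // config/session.php sets same_site => 'lax'; Strict is accepted as the stricter option.
  const sameSite = String(session.attrs.samesite || 'unset').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`session cookie SameSite=${sameSite}; expected Lax`);
  }
  // XSRF-TOKEN is meant to be read by JavaScript so the SPA can send X-XSRF-TOKEN.
  const xsrf = cookies.find((c) => c.name === 'XSRF-TOKEN');
  if (xsrf && xsrf.attrs.httponly === true) {
    findings.push('XSRF-TOKEN is HttpOnly; the SPA cannot read it to set X-XSRF-TOKEN');
  }
  return findings;
}

// Constructed sample: what a correctly configured production login response should set.
const SAMPLE_PRODUCTION_HEADERS = [
  'secpal-session=eyJpdiI6...; Path=/; HttpOnly; Secure; SameSite=Lax',
  'XSRF-TOKEN=eyJpdiI6...; Path=/; Secure; SameSite=Lax',
];
```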
Frontend:

- Integration test: Login flow with CSRF and cookies
- Integration test: Authenticated requests with cookies
- Integration test: Logout clears session
- Integration test: No token in localStorage
- Integration test: CSRF token in mutating requests
- Integration test: 419 retry with fresh token
## References

- Laravel Sanctum SPA Authentication
- Production Deployment Guide
- Sanctum SPA Auth Guide
- OWASP: Session Management
- MDN: Set-Cookie httpOnly
Type: Epic
Priority: High (Security Feature)
Target Milestone: v0.3.0
Backend Status: Complete (100%)
Frontend Status: Complete (100%)
Completion Date: 25 November 2025