fix: session cookie not being created on http sites by kmendell · Pull Request #112 · getarcaneapp/arcane

kmendell · 2025-05-05T15:08:09Z

Fixes: #108
Fixes: #118
Fixes: #117 for the logout button and handler

Summary by CodeRabbit

New Features
- Introduced integrated session management for authentication, including automatic session handling and expiration based on application settings.
- Added a dedicated logout route that securely destroys user sessions and redirects to the login page.
Refactor
- Streamlined login and authentication logic to use the new session management system, improving reliability and error handling.
- Updated environment flag handling for development and testing modes to use framework-native methods.
- Enhanced environment variable usage for data paths and session security, clarifying production and test modes.
Bug Fixes
- Enhanced session and cookie security with improved detection of secure connections and stricter cookie settings.
Documentation
- Expanded and clarified environment variable documentation for Docker configuration, including session security and best practices.
- Updated Docker Compose examples to reflect new environment variables and user configuration.
UI
- Added a logout button to the sidebar navigation for easy user sign-out.

coderabbitai · 2025-05-05T15:08:16Z

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes introduce a new session management system using svelte-kit-cookie-session, refactoring authentication and session handling throughout the application. A session handler is implemented and integrated into the server hooks, replacing manual cookie and session management with a more structured approach. Type definitions are updated to reflect the new session API. The login and logout server logic is refactored to use the new session system, with improved error handling and logging. Environment constants are updated for better integration with SvelteKit. Additional environment variable handling and documentation are enhanced. A logout button is added to the UI.

Changes

File(s)	Change Summary
`package.json`	Added `svelte-kit-cookie-session` dependency version `^4.1.1`.
`src/app.d.ts`	Updated `App.Locals.session` type from optional `UserSession
`src/hooks.server.ts`	Refactored request handling: split into `sessionHandler` and `authHandler`, composed with `sequence`. Authentication and session validation now use the new session API; session destruction replaces manual cookie deletion.
`src/lib/constants.ts`	Changed `isDev` to use SvelteKit's `dev` flag; set `isTest` to `false` instead of checking an environment variable.
`src/lib/services/session-handler.ts`	New module: Implements and exports `sessionHandler` using `svelte-kit-cookie-session`, with dynamic session timeout and secret configuration.
`src/lib/services/session-service.ts`	Removed legacy session service handling manual encrypted sessions and persistence.
`src/lib/services/paths-service.ts`	Modified environment variable handling for base data path using SvelteKit private env and `APP_ENV` variable to select production, test, or dev paths.
`src/routes/auth/login/+page.server.ts`	Refactored login logic to use `locals.session` API for session management. Removed manual cookie handling and external session creation. Enhanced logging and error handling; redirect logic updated to use session data.
`src/routes/auth/logout/+page.server.ts`	New file: Implements logout logic. Exports `load` function for redirecting to login and `actions` with a default action that destroys the session and redirects to login.
`.env.example`	Added example environment variables: `APP_ENV` and `PUBLIC_SESSION_SECRET` placeholders.
`docker-compose.yml`	Updated service to run as root user; removed `PUID` and `PGID`; added `APP_ENV`, `DOCKER_GID`, and `PUBLIC_SESSION_SECRET` environment variables; added commented `PUBLIC_ALLOW_INSECURE_COOKIES`.
`docs/docs/getting-started/configuration.md`	Expanded and restructured environment variable documentation: added details on `APP_ENV`, `DOCKER_GID`, session security variables, and best practices including HTTPS recommendation.
`docs/docs/getting-started/quickstart.md`	Updated Docker Compose instructions: run container as root, remove `PUID`/`PGID`, add `APP_ENV`, `PUBLIC_SESSION_SECRET`, and optional `PUBLIC_ALLOW_INSECURE_COOKIES`; added detailed environment variable explanations and warnings.
`src/lib/components/navbar.svelte`	Added logout button with `LogOut` icon at sidebar bottom; button submits POST to `/auth/logout`; styling adapts to sidebar collapsed state.
`src/lib/services/session-service.ts` (deleted)	Removed legacy session management service handling encrypted sessions with in-memory and disk persistence, session creation, retrieval, deletion, and expiry purging.

Sequence Diagram(s)

sequenceDiagram
    participant Browser
    participant Server
    participant sessionHandler
    participant authHandler

    Browser->>Server: HTTP Request
    Server->>sessionHandler: Process session (parse/set cookies, etc.)
    sessionHandler-->>Server: Attach session to event.locals
    Server->>authHandler: Check authentication, fetch user, enforce permissions
    authHandler-->>Server: Continue or redirect based on session/user
    Server-->>Browser: Response (page, redirect, etc.)

sequenceDiagram
    participant User
    participant LoginPage
    participant Server
    participant sessionHandler

    User->>LoginPage: Submit login form
    LoginPage->>Server: POST /auth/login
    Server->>sessionHandler: Initialize session
    Server->>Server: Authenticate user credentials
    alt Success
        Server->>sessionHandler: Set session data (userId, etc.)
        Server-->>LoginPage: Redirect to dashboard or onboarding
    else Failure
        Server-->>LoginPage: Return error message
    end

sequenceDiagram
    participant User
    participant LogoutPage
    participant Server
    participant sessionHandler

    User->>LogoutPage: Visit /auth/logout or submit logout action
    LogoutPage->>Server: Request to logout
    Server->>sessionHandler: Destroy session
    Server-->>LogoutPage: Redirect to login

Assessment against linked issues

Objective	Addressed	Explanation
Allow login to work locally without HTTPS by permitting insecure cookies via configuration (#108)	✅	Added `PUBLIC_ALLOW_INSECURE_COOKIES` env var and logic to allow insecure cookies in dev/local environments.
Fix login failure issue with no errors and no successful login (#118)	✅	Refactored login to use `locals.session` API with proper session management and error handling.
Add a secure logout option with a logout button (#117)	✅	Added logout page with session destruction and redirect; added logout button in navbar UI.

Possibly related PRs

feat: user authentication #86: Related refactoring of authentication and session handling in src/hooks.server.ts with user and session types and auth handler, overlapping with session management changes here.
refactor: api, tables, and ui cleanup and refactor code, add e2e tests #96: Refactors API interactions and UI components, related to session and authentication flows though focused on API usage rather than session management.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

src/hooks.server.ts

-		event.locals.user = await getUserByUsername(session.username);
+		try {
+			event.locals.user = await getUserByUsername(session.username);
+		} catch (error) {


coderabbitai

Actionable comments posted: 8

🔭 Outside diff range comments (1)

src/hooks.server.ts (1)
34-37: 🧹 Nitpick (assertive)

Add trailing slash to public /img path

/img matches exactly that path only. Static assets are usually served from /img/.... A missing slash will block legitimate requests.
-const publicPaths = ['/auth/login', '/img'];
+const publicPaths = ['/auth/login', '/img/'];

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3ec54a and 3cb5a2f.

⛔ Files ignored due to path filters (1)

package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

package.json (1 hunks)
src/app.d.ts (1 hunks)
src/hooks.server.ts (4 hunks)
src/lib/constants.ts (1 hunks)
src/lib/services/session-handler.ts (1 hunks)
src/lib/services/session-service.ts (2 hunks)
src/routes/auth/login/+page.server.ts (2 hunks)
src/routes/auth/logout/+page.server.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

src/lib/services/session-service.ts (1)

src/lib/types/settings.type.ts (1)

Settings (19-30)

src/routes/auth/logout/+page.server.ts (1)

src/routes/auth/login/+page.server.ts (2)

load (6-24)

actions (26-87)

src/hooks.server.ts (2)

src/lib/services/user-service.ts (1)

getUserByUsername (16-40)

src/lib/services/session-handler.ts (1)

sessionHandler (23-32)

🪛 GitHub Check: ESLint

src/hooks.server.ts

[failure] 56-56: Disallow unused variables
'error' is defined but never used.

🔇 Additional comments (2)

src/lib/constants.ts (1)

1-7: Good simplification of environment detection

Nice refactoring to use SvelteKit's built-in dev flag instead of manually checking environment variables. This approach is more idiomatic and reliable.

Verify that hardcoding isTest to false won't affect any test-specific behavior in your application, especially since your package.json still contains test scripts that set APP_ENV=TEST.
package.json (1)

69-69:
Details

❓ Verification inconclusive

Appropriate dependency for session management

Adding svelte-kit-cookie-session is a good choice for implementing structured session management, which aligns with the PR's goal to fix session cookies on HTTP sites.

Please verify that version 4.1.1 is compatible with your SvelteKit version (^2.20.8). You can run this command to check for any compatibility issues:

🏁 Script executed:
#!/bin/bash
# Check for compatibility issues between svelte-kit-cookie-session and your SvelteKit version
npm ls @sveltejs/kit svelte-kit-cookie-session
Length of output: 93
Verify svelte-kit-cookie-session compatibility with SvelteKit

Adding svelte-kit-cookie-session@4.1.1 is appropriate for structured session management and aligns with the PR’s goal. However, npm ls did not report any compatibility info, so please manually confirm that this version supports your SvelteKit (^2.20.8) by inspecting its peer dependencies:
# Check which @sveltejs/kit versions this package expects
npm view svelte-kit-cookie-session@4.1.1 peerDependencies
Ensure the output includes a matching @sveltejs/kit range that covers your installed version.

src/app.d.ts

src/routes/auth/logout/+page.server.ts

src/lib/services/session-handler.ts

coderabbitai · 2025-05-05T17:27:03Z

src/lib/services/session-service.ts

+	const sessionTimeout = settings.auth?.sessionTimeout || 60; // minutes
+
+	// More reliable HTTPS detection
+	const isSecureConnection = request.url.includes('https:') || request.headers?.get('x-forwarded-proto') === 'https';
+
+	// Log what's happening
+	console.log(`Setting session cookie with secure=${isSecureConnection}`);
+
+	cookies.set('session_id', sessionId, {
+		path: '/',
+		httpOnly: true,
+		secure: isSecureConnection, // Only use secure when actually on HTTPS
+		maxAge: sessionTimeout * 60,
+		sameSite: 'lax' // Change to lax for better compatibility
+	});


🛠️ Refactor suggestion

⚠️ Potential issue

Normalise timeout value & harden HTTPS detection

Default timeout is 60 min here but 1440 min (24 h) elsewhere (createSession, getSession). Divergent expiries will confuse users and break “remember me” expectations.

request.url.includes('https:') may yield false-positives (e.g. /proxy/https://…).

Console logs leak potentially sensitive information; prefer a structured logger or remove entirely.

-const sessionTimeout = settings.auth?.sessionTimeout || 60; // minutes +const sessionTimeout = + settings.auth?.sessionTimeout ?? + 1440; // minutes – keep in sync with createSession() -const isSecureConnection = - request.url.includes('https:') || - request.headers?.get('x-forwarded-proto') === 'https'; +const isSecureConnection = + new URL(request.url).protocol === 'https:' || + request.headers?.get('x-forwarded-proto') === 'https'; -// Log what's happening -console.log(`Setting session cookie with secure=${isSecureConnection}`); +// Optional: use a proper logger here

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

const sessionTimeout = settings.auth?.sessionTimeout || 60; // minutes

// More reliable HTTPS detection

const isSecureConnection = request.url.includes('https:') || request.headers?.get('x-forwarded-proto') === 'https';

// Log what's happening

console.log(`Setting session cookie with secure=${isSecureConnection}`);

cookies.set('session_id', sessionId, {

path: '/',

httpOnly: true,

secure: isSecureConnection, // Only use secure when actually on HTTPS

maxAge: sessionTimeout * 60,

sameSite: 'lax' // Change to lax for better compatibility

});

const sessionTimeout =

settings.auth?.sessionTimeout ??

1440; // minutes – keep in sync with createSession()

// More reliable HTTPS detection

const isSecureConnection =

new URL(request.url).protocol === 'https:' ||

request.headers?.get('x-forwarded-proto') === 'https';

// Optional: use a proper logger here

cookies.set('session_id', sessionId, {

path: '/',

httpOnly: true,

secure: isSecureConnection, // Only use secure when actually on HTTPS

maxAge: sessionTimeout * 60,

sameSite: 'lax' // Change to lax for better compatibility

});

🤖 Prompt for AI Agents (early access)

In src/lib/services/session-service.ts around lines 194 to 208, unify the session timeout default value with the 1440 minutes used elsewhere to avoid inconsistent expiries. Replace the HTTPS detection logic by removing the unreliable request.url.includes('https:') check and rely solely on the 'x-forwarded-proto' header or other secure indicators. Remove the console.log statement to prevent leaking sensitive information or replace it with a structured logger if logging is necessary.

src/hooks.server.ts

src/routes/auth/login/+page.server.ts

src/lib/services/session-handler.ts

cloudflare-workers-and-pages · 2025-05-06T03:19:30Z

Deploying arcane with Cloudflare Pages

Latest commit:	`550cad2`
Status:	⚡️ Build in progress...

View logs

kmendell · 2025-05-06T05:54:19Z

@coderabbitai review

coderabbitai · 2025-05-06T05:54:25Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 5

♻️ Duplicate comments (2)

src/routes/auth/login/+page.server.ts (2)
60-64: ⚠️ Potential issue

Replace return-object redirect with throw redirect()

In SvelteKit actions a plain object is serialised as JSON; the browser never navigates.
You already import redirect, so swap to the idiomatic pattern:
-			return {
-				status: 302,
-				location: redirectTo
-			};
+			throw redirect(302, redirectTo);
Leaving this unchanged will leave the user on the login page after a “successful” login.

37-45: 🧹 Nitpick (assertive)

Remove or gate debug console.log statements that leak PII

console.log(\User not found: ${username}`)` and the “Password verification failed” log both reveal usernames. Combined with the redirect log at line 60 they may expose sensitive info and crowd production logs.

Guard them behind if (DEV) or switch to a structured logger with log-level control:
-				console.log(`User not found: ${username}`);
+				if (import.meta.env.DEV) console.debug(`User not found: ${username}`);
Repeat for the other occurrences.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3cb5a2f and 138e957.

⛔ Files ignored due to path filters (1)

package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (10)

.env.example (1 hunks)
docker-compose.yml (1 hunks)
docs/docs/getting-started/configuration.md (1 hunks)
docs/docs/getting-started/quickstart.md (2 hunks)
package.json (1 hunks)
src/lib/components/navbar.svelte (2 hunks)
src/lib/services/paths-service.ts (1 hunks)
src/lib/services/session-handler.ts (1 hunks)
src/lib/services/session-service.ts (0 hunks)
src/routes/auth/login/+page.server.ts (2 hunks)

💤 Files with no reviewable changes (1)

src/lib/services/session-service.ts

🧰 Additional context used

🧬 Code Graph Analysis (1)

src/lib/services/paths-service.ts (1)

src/lib/constants.ts (2)

isTest (7-7)

isDev (4-4)

🪛 LanguageTool

docs/docs/getting-started/quickstart.md

[uncategorized] ~52-~52: Loose punctuation mark.
Context: ...ns (Important):** - APP_ENV: This should be set to production when...