feat: add cookie-parser and authentication middleware support

- Integrated cookie-parser for handling cookies in the application.
- Added COOKIE_AUTH_ENABLED and COOKIE_AUTH_NONCE configuration options to manage cookie-based authentication.
- Implemented checkAuthCookieMiddleware to validate authentication cookies.

Author: kastov

package-lock.json

@@ -79,6 +79,7 @@
     "class-transformer": "^0.5.1",
     "compression": "^1.8.0",
     "consola": "^3.4.2",
+    "cookie-parser": "^1.4.7",
     "country-code-emoji": "^2.3.0",
     "dayjs": "^1.11.13",
     "enhanced-ms": "^4.1.0",
@@ -108,6 +109,7 @@
     "swagger-themes": "^1.4.3",
     "systeminformation": "^5.25.11",
     "table": "^6.9.0",
+    "ufo": "^1.6.1",
     "winston": "^3.17.0",
     "xbytes": "^1.9.1",
     "yaml": "^2.7.1",
@@ -117,6 +119,7 @@
     "@nestjs/cli": "11.0.7",
     "@nestjs/schematics": "11.0.5",
     "@types/compression": "^1.7.5",
+    "@types/cookie-parser": "^1.4.8",
     "@types/cors": "^2.8.18",
     "@types/express": "^5.0.1",
     "@types/js-yaml": "^4.0.9",
@@ -144,4 +147,4 @@
     "typescript": "~5.8.3",
     "typescript-eslint": "^8.32.1"
   }
-}
+}

package.json

@@ -90,6 +90,18 @@ export const configSchema = z
         ),
         HWID_MAX_DEVICES_ANNOUNCE: z.optional(z.string()),
         PROVIDER_ID: z.optional(z.string()),
+
+        COOKIE_AUTH_ENABLED: z
+            .string()
+            .default('false')
+            .transform((val) => val === 'true'),
+        COOKIE_AUTH_NONCE: z.optional(
+            z
+                .string()
+                .regex(/^[a-zA-Z0-9]+$/, 'Nonce can only contain letters and numbers')
+                .max(64, 'Nonce must be less than 64 characters')
+                .min(6, 'Nonce must be at least 6 characters'),
+        ),
     })
     .superRefine((data, ctx) => {
         if (data.WEBHOOK_ENABLED === 'true') {
@@ -214,6 +226,16 @@ export const configSchema = z
                 });
             }
         }
+
+        if (data.COOKIE_AUTH_ENABLED) {
+            if (!data.COOKIE_AUTH_NONCE) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'COOKIE_AUTH_NONCE is required when COOKIE_AUTH_ENABLED is true',
+                    path: ['COOKIE_AUTH_NONCE'],
+                });
+            }
+        }
     });
 
 export type ConfigSchema = z.infer<typeof configSchema>;

src/common/config/app-config/config.schema.ts

@@ -0,0 +1,74 @@
+import { NextFunction, Request, Response } from 'express';
+import * as jwt from 'jsonwebtoken';
+import { nanoid } from 'nanoid';
+import { getQuery } from 'ufo';
+
+import { Logger } from '@nestjs/common';
+
+const logger = new Logger('CookieAuth');
+
+export function checkAuthCookieMiddleware(authJwtSecret: string, nonce: string) {
+    return (req: Request, res: Response, next: NextFunction) => {
+        const query = getQuery(req.originalUrl);
+
+        if (query.nonce && query.nonce === nonce) {
+            const token = signJwt(authJwtSecret);
+
+            res.cookie('nonce', token, {
+                httpOnly: true,
+                secure: true,
+                maxAge: 2_592_000_000, // 30 days
+                sameSite: 'strict',
+            });
+
+            logger.warn(`Nonce access granted. Request: ${req.originalUrl}. IP: ${req.ip}`);
+
+            return next();
+        }
+
+        if ('nonce' in req.cookies) {
+            const isVerified = verifyJwt(req.cookies.nonce, authJwtSecret);
+
+            if (!isVerified) {
+                logger.error(`Cookie mismatch. Request: ${req.originalUrl}. IP: ${req.ip}`);
+
+                res.socket?.destroy();
+
+                return;
+            }
+
+            return next();
+        }
+
+        res.socket?.destroy();
+
+        logger.error(`Cookie not found. Request: ${req.originalUrl}. IP: ${req.ip}`);
+
+        return;
+    };
+}
+
+function signJwt(authJwtSecret: string) {
+    return jwt.sign({ sessionId: nanoid(48) }, authJwtSecret, {
+        expiresIn: '2592000s',
+        issuer: 'Remnawave',
+    });
+}
+
+function verifyJwt(token: string, authJwtSecret: string): boolean {
+    try {
+        const decoded = jwt.verify(token, authJwtSecret, {
+            issuer: 'Remnawave',
+        });
+
+        if (typeof decoded === 'object' && 'sessionId' in decoded) {
+            return true;
+        }
+
+        return false;
+    } catch (error) {
+        logger.error(`Cookie mismatch: ${error}`);
+
+        return false;
+    }
+}

src/common/middlewares/check-auth-cookie.middleware.ts

@@ -1,3 +1,4 @@
 export * from './basic-auth.middleware';
+export * from './check-auth-cookie.middleware';
 export * from './get-real-ip';
 export * from './proxy-check.middleware';

src/common/middlewares/index.ts

@@ -1,5 +1,6 @@
 import { utilities as nestWinstonModuleUtilities, WinstonModule } from 'nest-winston';
 import { patchNestJsSwagger, ZodValidationPipe } from 'nestjs-zod';
+import cookieParser from 'cookie-parser';
 import { createLogger } from 'winston';
 import compression from 'compression';
 import * as winston from 'winston';
@@ -13,11 +14,10 @@ import { ROOT } from '@contract/api';
 import { ConfigService } from '@nestjs/config';
 import { NestFactory } from '@nestjs/core';
 
+import { proxyCheckMiddleware, checkAuthCookieMiddleware, getRealIp } from '@common/middlewares';
 import { getDocs, isDevelopment, isProduction } from '@common/utils/startup-app';
 // import { ProxyCheckGuard } from '@common/guards/proxy-check/proxy-check.guard';
 import { getStartMessage } from '@common/utils/startup-app/get-start-message';
-import { getRealIp } from '@common/middlewares/get-real-ip';
-import { proxyCheckMiddleware } from '@common/middlewares';
 import { AxiosService } from '@common/axios';
 
 import { AppModule } from './app.module';
@@ -110,6 +110,16 @@ async function bootstrap(): Promise<void> {
 
     app.use(proxyCheckMiddleware);
 
+    if (config.getOrThrow<boolean>('COOKIE_AUTH_ENABLED')) {
+        app.use(cookieParser());
+        app.use(
+            checkAuthCookieMiddleware(
+                config.getOrThrow<string>('JWT_AUTH_SECRET'),
+                config.getOrThrow<string>('COOKIE_AUTH_NONCE'),
+            ),
+        );
+    }
+
     app.setGlobalPrefix(ROOT);
 
     await getDocs(app, config);