feat(frontend): enforce auth through httpOnly cookies #10201

Draft · wants to merge 29 commits into base: dev

Conversation

0ubbe
Contributor

@0ubbe 0ubbe commented Jun 20, 2025

Changes 🏗️

Implemented httpOnly cookies 🍪 for secure session management 💆🏽

  • 🙏🏽 Moved all API requests to server-side execution for maximum XSS protection
    • All authentication now happens server-side with httpOnly cookies (no JWT tokens exposed to client)
    • Created proxyApiRequest() and proxyFileUpload() server actions to handle all communication with API
    • Updated BackendAPI._request() to always use proxy approach for consistent security
  • 🚧 Exception: WebSocket authentication requires client-side token exposure
    • Added getWebSocketToken() server action to securely provide tokens only for WebSocket connections
    • Maintains secure architecture while we keep the real-time features
  • 🧹 Abstracted implementation details into reusable helper functions
    • Reduced proxy actions from 157 lines to 48 lines (70% reduction)
    • Added flexible content-type support (JSON, form-urlencoded, custom)
    • Enhanced error handling for graceful logout scenarios
  • 📙 Renamed /reset_password page to /reset-password
    • couldn't resist sorry... snake case URLs get me

Checklist 📋

For code changes:

  • I have clearly listed my changes in the PR description
  • I have made a test plan
  • I have tested my changes according to the test plan:
    • Verify all API requests work through server-side proxy
    • Confirm httpOnly cookies prevent client-side JWT access
    • Test WebSocket connections work with server-provided tokens
    • Verify logout scenarios don't throw authentication errors
    • Check file uploads work securely through proxy
    • Validate zero breaking changes for existing BackendAPI calls
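As an added illustration of the pattern the description outlines (this is example code written for this page, not code from this PR or from the AutoGPT project): the session token lives only in an httpOnly cookie, a server-side proxy reads that cookie and attaches the bearer token to the upstream request, a 401 from upstream is reported as a logout rather than thrown, and the WebSocket path is the one place a token is handed to the client. The names SESSION_COOKIE, BACKEND_BASE, buildUpstreamRequest, mintWsToken and the fake fetch are assumptions; the project's real server actions are not reproduced here, and the code is framework-agnostic rather than a Next.js server action.

```typescript
// Added example, not code from the AutoGPT PR: a framework-agnostic model of the
// "httpOnly session cookie + server-side API proxy" pattern the PR describes.
// SESSION_COOKIE, BACKEND_BASE, buildUpstreamRequest and mintWsToken are assumed
// names; the project's real server actions are not reproduced here.

const SESSION_COOKIE = "session_token";                  // assumed cookie name
const BACKEND_BASE = "https://backend.example.invalid";  // placeholder upstream origin

// RFC 6265 cookie-octet: printable ASCII minus space, DQUOTE, comma, semicolon, backslash.
const COOKIE_OCTETS = /^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]+$/;

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header: string | null | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Set-Cookie value a login handler would emit. HttpOnly keeps the token out of
// document.cookie (the XSS protection the PR is after), Secure keeps it off
// plaintext HTTP, and SameSite=Lax stops most cross-site requests carrying it.
function buildSessionCookie(token: string, maxAgeSeconds: number): string {
  if (!COOKIE_OCTETS.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  return `${SESSION_COOKIE}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

interface UpstreamRequest {
  url: string;
  init: { method: string; headers: Record<string, string>; body?: string };
}

// Translate a client call into the upstream request the server makes on its
// behalf. The bearer token comes from the httpOnly cookie; the client only ever
// supplies the path, method and JSON body.
function buildUpstreamRequest(
  cookieHeader: string | null,
  path: string,
  method: string,
  body?: unknown,
): UpstreamRequest {
  // Only relative API paths are accepted, so the proxy cannot be pointed at other hosts.
  if (!path.startsWith("/") || path.startsWith("//") || path.includes("://")) {
    throw new Error(`refusing to proxy non-relative path: ${path}`);
  }
  const headers: Record<string, string> = { "Content-Type": "application/json" };
  const token = parseCookies(cookieHeader)[SESSION_COOKIE];
  if (token) headers["Authorization"] = `Bearer ${token}`;
  return {
    url: `${BACKEND_BASE}${path}`,
    init: { method, headers, body: body === undefined ? undefined : JSON.stringify(body) },
  };
}

type FetchLike = (
  url: string,
  init: UpstreamRequest["init"],
) => Promise<{ status: number; text(): Promise<string> }>;

interface ProxyResult { status: number; body: string; loggedOut: boolean }

// The proxy action itself. A 401 from upstream (missing or expired cookie) is
// reported as loggedOut rather than thrown: the "graceful logout" case.
async function proxyApiRequest(
  cookieHeader: string | null,
  path: string,
  method: string,
  body: unknown,
  fetchImpl: FetchLike,
): Promise<ProxyResult> {
  const req = buildUpstreamRequest(cookieHeader, path, method, body);
  const res = await fetchImpl(req.url, req.init);
  return { status: res.status, body: await res.text(), loggedOut: res.status === 401 };
}

// The WebSocket exception: a browser WebSocket cannot set an Authorization header,
// so the server hands the client a token for that one purpose. mintWsToken is an
// assumed hook that derives a WebSocket credential from the session token.
function getWebSocketToken(
  cookieHeader: string | null,
  mintWsToken: (sessionToken: string) => string,
): string | null {
  const token = parseCookies(cookieHeader)[SESSION_COOKIE];
  return token ? mintWsToken(token) : null;
}

// Stand-alone demo against a constructed fake upstream (no network): the fake
// answers 200 only when the proxy attached the bearer token from the cookie.
function demo(): Promise<ProxyResult> {
  const fakeFetch: FetchLike = async (_url, init) => ({
    status: init.headers["Authorization"] === "Bearer abc123" ? 200 : 401,
    text: async () => "{}",
  });
  return proxyApiRequest("theme=dark; session_token=abc123", "/api/v1/me", "GET", undefined, fakeFetch);
}
```

The point to keep in view when reading the PR: `buildSessionCookie` is the only place the token is written, and it is written with HttpOnly, so client-side script never holds it; `getWebSocketToken` is the deliberate exception, which is why it is worth scoping whatever it returns to the WebSocket use rather than returning the session token unchanged.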

netlify bot commented Jun 20, 2025

✅ Deploy Preview for auto-gpt-docs-dev canceled.

🔨 Latest commit: a57deb9
🔍 Latest deploy log: https://app.netlify.com/projects/auto-gpt-docs-dev/deploys/685555fd5a69940008071c11

netlify bot commented Jun 20, 2025

✅ Deploy Preview for auto-gpt-docs canceled.

🔨 Latest commit: a57deb9
🔍 Latest deploy log: https://app.netlify.com/projects/auto-gpt-docs/deploys/685555fd4ebd4500082a9ecd

@github-actions github-actions bot added the platform/frontend AutoGPT Platform - Front end label Jun 20, 2025

deepsource-io bot commented Jun 20, 2025

Here's the code health analysis summary for commits 91ea322..a57deb9. View details on DeepSource ↗.

Analysis Summary

Analyzer    Status      Summary                                                    Link
JavaScript  ✅ Success  ❗ 14 occurrences introduced, 🎯 13 occurrences resolved   View Check ↗
Python      ✅ Success                                                             View Check ↗

💡 If you're a repository administrator, you can configure the quality gates from the settings.

Labels: platform/frontend (AutoGPT Platform - Front end), size/xl
Projects: Status: 🆕 Needs initial review