Alan-Jowett / CoPilot-For-Consensus / 20559755733 / 4
78%
main: 78%

Build:
DEFAULT BRANCH: main
Ran 28 Dec 2025 09:30PM UTC
Files 2
Run time 0s
28 Dec 2025 09:24PM UTC coverage: 90.173%. Remained the same
20559755733.4

push

github

web-flow
Move auth tokens from localStorage to httpOnly cookies (#621)

* Initial plan

* Migrate UI to cookie-based authentication (remove localStorage XSS risk)

- Updated AuthContext to use /auth/userinfo endpoint for auth state
- Removed all localStorage token storage from UI (AuthContext, api.ts, Callback, main.tsx)
- Updated api.ts to use credentials: 'include' for cookie-based auth
- Updated auth service /userinfo endpoint to accept tokens from cookies
- Updated nginx gateway to extract JWT from cookies and pass to backend services
- Auth tokens now stored in httpOnly cookies only (not accessible to JavaScript)

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* Add COOKIE_SECURE config and authentication security documentation

- Fixed Login.tsx to use isAuthenticated instead of token
- Added COOKIE_SECURE environment variable to auth service config
- Created comprehensive AUTHENTICATION.md documentation
- Documented cookie-based auth flow, security features, and migration notes
- Verified no auth tokens stored in localStorage/sessionStorage

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* Add comprehensive testing documentation and test cases

- Created test_userinfo_cookie.py for automated testing of /userinfo endpoint
- Created TESTING.md with detailed manual testing guide
- Documented 10 test scenarios covering login, API calls, logout, CSRF, etc.
- Includes security checklist for verification
- Tests verify cookie-based auth, XSS protection, and CSRF mitigation

Co-authored-by: Alan-Jowett <20480683+Alan-Jowett@users.noreply.github.com>

* Address code review feedback

- Fixed Callback.tsx: removed unused checkAuth dependency
- Enhanced AuthContext loading UX with spinner during auth check
- Improved logout error logging with specific error messages
- Fixed security issue: use generic 'Authentication required' error message
- Added CSS animation for loading spinner
- UI builds successfully... (continued)

156 of 173 relevant lines covered (90.17%)

0.9 hits per line

Source Files on job embedding - 20559755733.4
  • a7b135a8 on github