Refactor authentication handling and improve API client security

- Updated OAuth endpoints for Challonge and Discord in platforms configuration. - Implemented session and CSRF cookie initialization in main application entry. - Enhanced Challonge API client to avoid sending sensitive API keys from the browser. - Modified tournament querying to handle new state definitions and improved error handling. - Updated UI components to reflect server-side storage of authentication tokens. - Improved user experience in API Key Manager and Authentication Hub with clearer messaging. - Refactored client credentials management to support asynchronous operations. - Adjusted API client tests to validate new request configurations. - Updated Vite configuration to support session and CSRF handling through proxies.
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
--- a/code/websites/pokedex.online/server/utils/cookie-options.js
+++ b/code/websites/pokedex.online/server/utils/cookie-options.js
@@ -0,0 +1,77 @@
+import crypto from 'node:crypto';
+
+const ONE_DAY_SECONDS = 60 * 60 * 24;
+const SEVEN_DAYS_SECONDS = ONE_DAY_SECONDS * 7;
+
+export const COOKIE_NAMES = {
+  sid: 'pdx_sid',
+  csrf: 'pdx_csrf'
+};
+
+export function getCookieSecurityConfig(config) {
+  const deploymentTarget = config?.deploymentTarget || process.env.DEPLOYMENT_TARGET;
+  const nodeEnv = config?.nodeEnv || process.env.NODE_ENV;
+
+  const isProdTarget = deploymentTarget === 'production' || nodeEnv === 'production';
+
+  return {
+    secure: isProdTarget,
+    sameSite: 'lax'
+  };
+}
+
+export function getSidCookieOptions(config) {
+  const { secure, sameSite } = getCookieSecurityConfig(config);
+
+  return {
+    httpOnly: true,
+    secure,
+    sameSite,
+    path: '/',
+    maxAge: SEVEN_DAYS_SECONDS * 1000
+  };
+}
+
+// Legacy cookie options used before widening cookie scope to '/'.
+// Clearing these prevents browsers from sending multiple cookies with the same
+// name but different paths (e.g. '/api' and '/'), which can cause session
+// split-brain.
+export function getLegacySidCookieOptions(config) {
+  const { secure, sameSite } = getCookieSecurityConfig(config);
+
+  return {
+    httpOnly: true,
+    secure,
+    sameSite,
+    path: '/api',
+    maxAge: SEVEN_DAYS_SECONDS * 1000
+  };
+}
+
+export function getCsrfCookieOptions(config) {
+  const { secure, sameSite } = getCookieSecurityConfig(config);
+
+  return {
+    httpOnly: false,
+    secure,
+    sameSite,
+    path: '/',
+    maxAge: ONE_DAY_SECONDS * 1000
+  };
+}
+
+export function getLegacyCsrfCookieOptions(config) {
+  const { secure, sameSite } = getCookieSecurityConfig(config);
+
+  return {
+    httpOnly: false,
+    secure,
+    sameSite,
+    path: '/api',
+    maxAge: ONE_DAY_SECONDS * 1000
+  };
+}
+
+export function generateToken(bytes = 24) {
+  return crypto.randomBytes(bytes).toString('base64url');
+}