CenterForOpenScience · chiku-samugari · Jul 10, 2025 · Jul 10, 2025 · Jul 10, 2025
diff --git a/angular.json b/angular.json
@@ -80,6 +80,7 @@
               "namedChunks": true
             },
             "development": {
+              "baseHref": "/angular_osf/assets/",
               "optimization": false,
               "extractLicenses": false,
               "sourceMap": true,
@@ -101,6 +102,8 @@
             },
             "development": {
               "buildTarget": "osf:build:development",
+              "port": 4300,
+              "host": "0.0.0.0",
               "hmr": false
             }
           },

diff --git a/src/app/app.config.ts b/src/app/app.config.ts
@@ -15,7 +15,7 @@ import { STATES } from '@core/constants';
 import { provideTranslation } from '@core/helpers';
 
 import { GlobalErrorHandler } from './core/handlers';
-import { authInterceptor, errorInterceptor } from './core/interceptors';
+import { errorInterceptor, hybridAuthInterceptor } from './core/interceptors';
 import CustomPreset from './core/theme/custom-preset';
 import { routes } from './app.routes';
 
@@ -37,7 +37,7 @@ export const appConfig: ApplicationConfig = {
       },
     }),
     provideAnimations(),
-    provideHttpClient(withInterceptors([authInterceptor, errorInterceptor])),
+    provideHttpClient(withInterceptors([hybridAuthInterceptor, errorInterceptor])),
     importProvidersFrom(TranslateModule.forRoot(provideTranslation())),
     ConfirmationService,
     MessageService,

diff --git a/src/app/core/interceptors/cookie-auth.interceptor.ts b/src/app/core/interceptors/cookie-auth.interceptor.ts
@@ -0,0 +1,37 @@
+import { HttpInterceptorFn } from '@angular/common/http';
+import { inject } from '@angular/core';
+
+import { CookieService } from '../services/cookie.service';
+
+import { environment } from 'src/environments/environment';
+
+export const cookieAuthInterceptor: HttpInterceptorFn = (req, next) => {
+  if (!environment.cookieAuth.enabled) {
+    return next(req);
+  }
+
+  const cookieService = inject(CookieService);
+  const csrfToken = cookieService.getCsrfToken();
+
+  const isOsfApiRequest = req.url.includes(environment.apiDomainUrl) || req.url.includes('localhost:8000');
+
+  if (isOsfApiRequest) {
+    const headers: Record<string, string> = {
+      Accept: 'application/vnd.api+json; version=2.20',
+      'Content-Type': 'application/vnd.api+json',
+    };
+
+    if (csrfToken) {
+      headers['X-CSRFToken'] = csrfToken;
+    }
+
+    const authReq = req.clone({
+      setHeaders: headers,
+      withCredentials: true,
+    });
+
+    return next(authReq);
+  }
+
+  return next(req);
+};
diff --git a/src/app/core/interceptors/hybrid-auth.interceptor.ts b/src/app/core/interceptors/hybrid-auth.interceptor.ts
@@ -0,0 +1,29 @@
+import { HttpInterceptorFn } from '@angular/common/http';
+
+import { cookieAuthInterceptor } from './cookie-auth.interceptor';
+
+import { environment } from 'src/environments/environment';
+
+export const hybridAuthInterceptor: HttpInterceptorFn = (req, next) => {
+  if (environment.cookieAuth.enabled) {
+    return cookieAuthInterceptor(req, next);
+  }
+
+  console.warn('Using fallback token authentication - this should not happen in production!');
+
+  const authToken = 'UlO9O9GNKgVzJD7pUeY53jiQTKJ4U2znXVWNvh0KZQruoENuILx0IIYf9LoDz7Duq72EIm';
+
+  if (authToken) {
+    const authReq = req.clone({
+      setHeaders: {
+        Authorization: `Bearer ${authToken}`,
+        Accept: 'application/vnd.api+json',
+        'Content-Type': 'application/vnd.api+json',
+      },
+    });
+
+    return next(authReq);
+  }
+
+  return next(req);
+};
diff --git a/src/app/core/interceptors/index.ts b/src/app/core/interceptors/index.ts
@@ -1,2 +1,4 @@
 export * from './auth.interceptor';
+export * from './cookie-auth.interceptor';
 export * from './error.interceptor';
+export * from './hybrid-auth.interceptor';
diff --git a/src/app/core/services/cookie.service.ts b/src/app/core/services/cookie.service.ts
@@ -0,0 +1,45 @@
+import { Injectable } from '@angular/core';
+
+import { environment } from 'src/environments/environment';
+
+@Injectable({
+  providedIn: 'root',
+})
+export class CookieService {
+  getCookie(name: string): string | null {
+    try {
+      if (!document.cookie) {
+        return null;
+      }
+
+      const value = `; ${document.cookie}`;
+      const parts = value.split(`; ${name}=`);
+
+      if (parts.length === 2) {
+        const cookieValue = parts.pop()?.split(';').shift();
+        return cookieValue ? decodeURIComponent(cookieValue) : null;
+      }
+
+      return null;
+    } catch (error) {
+      console.warn(`Failed to read cookie '${name}':`, error);
+      return null;
+    }
+  }
+
+  getCsrfToken(): string | null {
+    return this.getCookie(environment.cookieAuth.csrfCookieName);
+  }
+
+  hasSessionCookie(): boolean {
+    return this.getCookie('sessionid') !== null;
+  }
+
+  clearAuthCookies(): void {
+    const cookiesToClear = ['sessionid', 'csrftoken', 'api-csrf'];
+
+    cookiesToClear.forEach((name) => {
+      document.cookie = `${name}=; Max-Age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
+    });
+  }
+}
diff --git a/src/app/core/services/index.ts b/src/app/core/services/index.ts
@@ -1,3 +1,4 @@
+export { CookieService } from './cookie.service';
 export { JsonApiService } from './json-api.service';
 export { RequestAccessService } from './request-access.service';
 export { UserService } from './user.service';
diff --git a/src/app/features/settings/profile-settings/services/profile-settings.api.service.ts b/src/app/features/settings/profile-settings/services/profile-settings.api.service.ts
@@ -15,7 +15,7 @@ export class ProfileSettingsApiService {
 
   patchUserSettings(userId: string, key: keyof ProfileSettingsStateModel, data: ProfileSettingsUpdate) {
     const patchedData = { [key]: data };
-    return this.#jsonApiService.patch<JsonApiResponse<UserGetResponse, null>>(`${environment.apiUrl}users/${userId}/`, {
+    return this.#jsonApiService.patch<JsonApiResponse<UserGetResponse, null>>(`${environment.apiUrl}/users/${userId}/`, {
       data: { type: 'users', id: userId, attributes: patchedData },
     });
   }

diff --git a/src/environments/environment.development.ts b/src/environments/environment.development.ts
@@ -1,13 +1,19 @@
 export const environment = {
   production: false,
-  webUrl: 'https://staging4.osf.io',
-  downloadUrl: 'https://staging4.osf.io/download',
-  apiUrl: 'https://api.staging4.osf.io/v2',
-  apiUrlV1: 'https://staging4.osf.io/api/v1',
-  apiDomainUrl: 'https://api.staging4.osf.io',
+  webUrl: 'http://localhost:8000',
+  downloadUrl: 'http://localhost:8000/download',
+  apiUrl: 'http://localhost:8000/v2',
+  apiUrlV1: 'https//localhost:8000/api/v1',
+  apiDomainUrl: 'http://localhost:8000',
   shareDomainUrl: 'https://staging-share.osf.io/trove',
-  addonsApiUrl: 'https://addons.staging4.osf.io/v1',
-  fileApiUrl: 'https://files.us.staging4.osf.io/v1',
-  baseResourceUri: 'https://staging4.osf.io/',
-  funderApiUrl: 'https://api.crossref.org/',
+  addonsApiUrl: 'http://localhost:8000/v1',
+  fileApiUrl: 'http://localhost:8000/v1',
+  baseResourceUri: 'http://localhost:8000/',
+  funderApiUrl: 'http://api.crossref.org/',
+
+  cookieAuth: {
+    enabled: true,
+    csrfCookieName: 'api-csrf',
+    withCredentials: true,
+  },
 };
diff --git a/src/environments/environment.ts b/src/environments/environment.ts
@@ -10,4 +10,10 @@ export const environment = {
   fileApiUrl: 'https://files.us.staging4.osf.io/v1',
   baseResourceUri: 'https://staging4.osf.io/',
   funderApiUrl: 'https://api.crossref.org/',
+
+  cookieAuth: {
+    enabled: false,
+    csrfCookieName: 'api-csrf',
+    withCredentials: false,
+  },
 };