BFF Authentication Rewrite: Cookie-based sessions with CSRF protection#1579
Merged
lukemarsden merged 12 commits intomainfrom Feb 5, 2026
Merged
BFF Authentication Rewrite: Cookie-based sessions with CSRF protection#1579lukemarsden merged 12 commits intomainfrom
lukemarsden merged 12 commits intomainfrom
Conversation
Comprehensive design document for implementing Backend-For-Frontend (BFF) authentication pattern. Key changes: - Frontend only gets an HttpOnly session cookie (helix_session) - No tokens in JavaScript memory - Backend stores and refreshes OIDC tokens transparently - Works with both regular auth (email/password) and OIDC (Google) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated architecture diagram to show CLI/API clients using API keys - Clarified that API keys (hl-xxx) and runner tokens work unchanged - Simplified migration path: clean cutover, users just log in again - Removed backward compatibility section (not needed) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Complete backend implementation for the BFF (Backend-For-Frontend) auth pattern: Session Management: - Add UserSession type with OIDC token storage (api/pkg/types/session.go) - Add SessionManager for session lifecycle (api/pkg/server/session_manager.go) - Add session store methods (api/pkg/store/store_user_sessions.go) - Add TokenTypeSession for regular auth sessions Auth Middleware Updates: - Add session-first authentication in extractMiddleware - Check helix_session cookie before falling back to token auth - Add getUserFromSession method for BFF session validation - Transparent OIDC token refresh via SessionManager Login Endpoint Updates: - Regular login: Creates BFF session instead of returning JWT - OIDC callback: Creates BFF session with OIDC tokens stored - Add /api/v1/auth/session endpoint for frontend session check - Update logout to delete BFF session API keys and runner tokens continue to work unchanged. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Explains how the BFF pattern handles token refresh: - Back-channel refresh using refresh tokens (not front-channel iframe) - Why this is better than Silent Renew (no third-party cookies needed) - Requirements for Google OIDC (OIDC_OFFLINE_ACCESS=true) - Refresh token rotation behavior Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove all token management code (setToken, getTokenHeaders) - Remove TOKEN_REFRESHED_EVENT and handleTokenRefreshHeader - Remove securityWorker from API client singleton - Add axios.defaults.withCredentials = true for automatic cookie sending - Add isAuthError helper to suppress auth error snackbars (handled by redirect) Part of BFF authentication rewrite - frontend should not manage tokens. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- account.tsx: Remove token/tokenUrlEscaped from context, remove TOKEN_REFRESHED_EVENT listener, remove api.setToken() calls - streaming.tsx: Remove useAccount import, remove Authorization header from fetch, use credentials: 'same-origin' instead - useWebsocket.ts: Remove token dependency, cookies sent automatically - useKnowledge.ts: Remove Authorization header, use credentials - Account.tsx, DesignReviewContent.tsx, InteractionInference.tsx, KnowledgeEditor.tsx, FileStore.tsx: Replace account.token checks with account.user (token no longer in context) All frontend files now use BFF pattern - no token management in JS. Session cookie is sent automatically with all same-origin requests. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend: - Add helix_csrf cookie (readable by JS) alongside helix_session cookie - Generate cryptographically secure CSRF token on session creation - Add ValidateCSRF() function to compare cookie value with header - Add csrfMiddleware to validate X-CSRF-Token header on POST/PUT/DELETE/PATCH - Exempt auth endpoints (login, logout, OIDC) from CSRF validation - Skip CSRF validation for API key/runner token authenticated requests Frontend: - Add axios interceptor to read helix_csrf cookie and set X-CSRF-Token header - Update streaming.tsx fetch() to include CSRF header Design doc: - Document Double-Submit Cookie Pattern for CSRF protection This implements the standard CSRF mitigation pattern for cookie-based auth: - SameSite=Lax prevents cross-site requests but allows OAuth redirects - Dual-cookie (helix_session + helix_csrf) prevents CSRF attacks - API clients using Authorization header are unaffected Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend: - Remove old transparent token refresh via cookies in auth_middleware (now handled by SessionManager for BFF sessions) - Remove X-Token-Refreshed CORS header exposure (frontend no longer uses it) Frontend: - Delete useApi.test.ts (tested old token refresh interceptor which was removed) The BFF pattern moves all token management to the backend via session cookies. API keys and runner tokens still work unchanged via Authorization header. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
nessie993
reviewed
Feb 5, 2026
| "gorm.io/gorm" | ||
| ) | ||
|
|
||
| const ( |
Contributor
There was a problem hiding this comment.
can we please move this to pkg/auth
api/pkg/server/session_manager.go
Outdated
| } | ||
|
|
||
| // NewSessionManager creates a new session manager | ||
| func NewSessionManager(store store.Store, oidcClient authpkg.OIDC, cfg *config.ServerConfig) *SessionManager { |
| ) | ||
|
|
||
| // CreateUserSession creates a new user session | ||
| func (s *PostgresStore) CreateUserSession(ctx context.Context, session *types.UserSession) (*types.UserSession, error) { |
api/pkg/store/store_user_sessions.go
Outdated
| if session.ID == "" { | ||
| session.ID = uuid.New().String() | ||
| } | ||
| if session.CreatedAt.IsZero() { |
api/pkg/store/store_user_sessions.go
Outdated
| // CreateUserSession creates a new user session | ||
| func (s *PostgresStore) CreateUserSession(ctx context.Context, session *types.UserSession) (*types.UserSession, error) { | ||
| if session.ID == "" { | ||
| session.ID = uuid.New().String() |
|
|
||
| // DeleteUserSessionsByUser deletes all sessions for a user (e.g., on logout from all devices) | ||
| func (s *PostgresStore) DeleteUserSessionsByUser(ctx context.Context, userID string) error { | ||
| return s.gdb.WithContext(ctx).Where("user_id = ?", userID).Delete(&types.UserSession{}).Error |
Contributor
There was a problem hiding this comment.
check if user ID is specified
api/pkg/types/session.go
Outdated
| // Similar pattern to OAuthConnection but specifically for user authentication. | ||
| type UserSession struct { | ||
| ID string `json:"id" gorm:"primaryKey;type:uuid"` | ||
| CreatedAt time.Time `json:"created_at" gorm:"autoCreateTime"` |
Contributor
There was a problem hiding this comment.
this gorm thing not needed
api/pkg/types/session.go
Outdated
| // | ||
| // Similar pattern to OAuthConnection but specifically for user authentication. | ||
| type UserSession struct { | ||
| ID string `json:"id" gorm:"primaryKey;type:uuid"` |
api/pkg/types/session.go
Outdated
|
|
||
| // Optional metadata for security/audit | ||
| UserAgent string `json:"user_agent,omitempty" gorm:"type:text"` | ||
| IPAddress string `json:"ip_address,omitempty" gorm:"type:varchar(45)"` |
Contributor
There was a problem hiding this comment.
dont set the varchar here
api/pkg/types/session.go
Outdated
| } | ||
|
|
||
| // BeforeCreate sets default values for new sessions | ||
| func (s *UserSession) BeforeCreate(_ *gorm.DB) error { |
- Add BFF session check to /api/v1/auth/authenticated endpoint - Add BFF session check to /api/v1/auth/user endpoint - Add withCredentials: true to Api client for session cookie sending - Remove dead code: redundant authenticated calls from Layout.tsx/Sidebar.tsx - Add debug logging to session_manager for troubleshooting The frontend was making multiple parallel calls to the authenticated endpoint, causing race conditions. This removes the redundant calls and ensures the account context is the single source of truth for auth. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
chocobar
previously requested changes
Feb 5, 2026
Comment on lines
-548
to
-551
| // OK, set authentication cookies and redirect | ||
| cookieManager.Set(w, accessTokenCookie, token) | ||
| cookieManager.Set(w, refreshTokenCookie, token) | ||
|
|
Collaborator
There was a problem hiding this comment.
IIRC the way this was implemented earlier generated the access/refresh tokens for both regular auth and OIDC auth. In the BFF pattern, still continuing to generate and store tokens for users makes sense. Deviating from this approach leads to an if/else path of regular auth (skip cookies, use custom flow) vs OIDC (write cookies, send cookies in header)
Collaborator
There was a problem hiding this comment.
This is already addressed - both approaches set cookies (but local auth omits tokens)
// Regular auth (line 542)
s.sessionManager.CreateSession(ctx, w, r,
user.ID,
types.AuthProviderRegular,
"", // no OIDC access token
"", // no OIDC refresh token
time.Time{}, // no OIDC token expiry
)
// OIDC auth (line 684)
s.sessionManager.CreateSession(ctx, w, r,
user.ID,
types.AuthProviderOIDC,
oauth2Token.AccessToken,
oauth2Token.RefreshToken,
oauth2Token.Expiry,
)
Collaborator
There was a problem hiding this comment.
Then that leads to 'What if regular auth lives alongside google OIDC in the future?'
Comment on lines
-664
to
+668
| if oauth2Token.RefreshToken != "" { | ||
| cm.Set(w, refreshTokenCookie, oauth2Token.RefreshToken) | ||
| log.Info().Msg("Refresh token received and stored") | ||
| } else { | ||
| // No refresh token - this is expected for providers like Google when | ||
| // OIDC_OFFLINE_ACCESS is not enabled. Without a refresh token, the session | ||
| // will expire when the access token expires (typically 1 hour for Google). | ||
|
|
Collaborator
There was a problem hiding this comment.
Write test here to handle cases where refresh token is not available eg. OIDC_OFFLINE_ACCESS is not enabled.
Collaborator
|
Add test for session expiry (401 on expired, cleanup from DB) |
Collaborator
|
Add test for OIDC token refresh (expiring token triggers refresh, failure handling) |
…ests Addressing nessie993's PR review comments: - Move session_manager.go from pkg/server to pkg/auth - Use ULIDs with uss_ prefix instead of UUIDs for session IDs - Add GenerateUserSessionID() to system/uuid.go - Remove unnecessary gorm annotations from types/session.go - Removed DeletedAt field - Removed autoCreateTime/autoUpdateTime tags - Removed varchar type specification - Removed BeforeCreate/BeforeUpdate hooks - Add input validation to all store methods (user ID, session ID checks) - Add comprehensive test coverage for SessionManager (19 tests) - Add comprehensive test coverage for store_user_sessions.go (13 tests) - Export ClearSessionCookie for use in auth_middleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Collaborator
|
It completely ignored the instruction about implementing a prompt=none silent auth flow. But given the complexity, let's put that as a separate task. |
Addresses PR review comment about testing refresh token scenarios: - NoRefreshToken: Session works without refresh token (OIDC_OFFLINE_ACCESS disabled) - RefreshSucceeds: Token refresh works correctly - RefreshFails: Session continues even when refresh fails (graceful degradation) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
GORM was inferring UUID type for the ID column without explicit type annotation, causing "invalid input syntax for type uuid" errors when querying sessions with ULID-prefixed IDs (e.g., uss_01abc...). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
lukemarsden
dismissed
chocobar’s stale review
Review addressed - BFF auth is working after testing login/logout flow
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements a Backend-For-Frontend (BFF) authentication pattern, moving all token management from the frontend to the backend. The frontend now uses simple HttpOnly session cookies instead of managing JWTs, refresh tokens, and Authorization headers.
Design Document: design/2026-02-05-bff-auth-rewrite.md
Why This Change?
The current frontend authentication is a hybrid approach that's the worst of both worlds:
Key Changes
Backend:
UserSessiontable for session storage (30-day sessions)SessionManagerhandles session lifecycle and OIDC token refreshhelix_sessionHttpOnly cookiehelix_csrfcookie +X-CSRF-Tokenheader validationFrontend:
localStorage.setItem('token', ...)Authorization: BearerheadersTOKEN_REFRESHED_EVENThandlingSecurity
Migration
Clean cutover - users will need to log in again after deployment. No backward compatibility needed since this only affects browser-based auth. API keys work unchanged.
Test plan
🤖 Generated with Claude Code