Merge pull request #1654 from gentics/hotfix-2.1.x-sup-14730

npomaroli · web-flow · commit b2f0e4c5e281 · 2025-02-12T11:11:09.000+01:00
Make JWT Cookie http only
diff --git a/changelog/src/changelog/entries/2025/02/8146.SUP-14730.bugfix b/changelog/src/changelog/entries/2025/02/8146.SUP-14730.bugfix
@@ -0,0 +1 @@
+Auth: The JWT auth cookie will now have the `HTTPOnly` flag set.
diff --git a/common/src/main/java/com/gentics/mesh/auth/handler/MeshJWTAuthHandler.java b/common/src/main/java/com/gentics/mesh/auth/handler/MeshJWTAuthHandler.java
@@ -149,9 +149,11 @@ private void handleJWTAuth(RoutingContext context, boolean ignoreDecodeErrors) {
 				if (!result.isUsingAPIKey()) {
 					String jwtToken = authProvider.generateToken(authenticatedUser);
 					// Remove the original cookie and set the new one
-					context.removeCookie(SharedKeys.TOKEN_COOKIE_KEY);
-					context.addCookie(Cookie.cookie(SharedKeys.TOKEN_COOKIE_KEY, jwtToken)
-						.setMaxAge(meshOptions.getAuthenticationOptions().getTokenExpirationTime()).setPath("/"));
+					context.response().removeCookie(SharedKeys.TOKEN_COOKIE_KEY);
+					context.response().addCookie(Cookie.cookie(SharedKeys.TOKEN_COOKIE_KEY, jwtToken)
+						.setHttpOnly(true)
+						.setMaxAge(meshOptions.getAuthenticationOptions().getTokenExpirationTime())
+						.setPath("/"));
 				}
 				context.next();
 			} else {
diff --git a/common/src/main/java/com/gentics/mesh/auth/provider/MeshJWTAuthProvider.java b/common/src/main/java/com/gentics/mesh/auth/provider/MeshJWTAuthProvider.java
@@ -297,7 +297,9 @@ private User loadUserByJWT(JsonObject jwt) throws Exception {
 	public void login(InternalActionContext ac, String username, String password, String newPassword) {
 		String token = generateToken(username, password, newPassword);
 		ac.addCookie(Cookie.cookie(SharedKeys.TOKEN_COOKIE_KEY, token)
-			.setMaxAge(meshOptions.getAuthenticationOptions().getTokenExpirationTime()).setPath("/"));
+				.setHttpOnly(true)
+				.setMaxAge(meshOptions.getAuthenticationOptions().getTokenExpirationTime())
+				.setPath("/"));
 		ac.send(new TokenResponse(token).toJson(ac.isMinify(meshOptions.getHttpServerOptions())));
 	}
 
diff --git a/tests/tests-core/src/main/java/com/gentics/mesh/core/user/AuthenticationEndpointTest.java b/tests/tests-core/src/main/java/com/gentics/mesh/core/user/AuthenticationEndpointTest.java
@@ -214,6 +214,7 @@ public void testBasicAuth() throws IOException {
 			.build()).execute();
 		JsonObject responseBody = new JsonObject(response.body().string());
 		assertThat(responseBody.getString("username")).isEqualTo("admin");
+		assertThat(response.header("set-cookie")).contains("HTTPOnly");
 	}
 
 	private String base64(String input) {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Auth: The JWT auth cookie will now have the `HTTPOnly` flag set.
Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,7 @@ public void testBasicAuth() throws IOException {`
`214`	`214`	`.build()).execute();`
`215`	`215`	`JsonObject responseBody = new JsonObject(response.body().string());`
`216`	`216`	`assertThat(responseBody.getString("username")).isEqualTo("admin");`
	`217`	`+ assertThat(response.header("set-cookie")).contains("HTTPOnly");`
`217`	`218`	`}`
`218`	`219`
`219`	`220`	`private String base64(String input) {`