Merge pull request #952 from karrioapi/fix-drifts

fix: sync platform drifts - HTTP-only cookies, carrier enrichments, and bug fixes

Author: danh91

CHANGELOG.md

@@ -1,3 +1,26 @@
+# Karrio 2026.1.4
+
+## Changes
+
+### Feat
+
+- feat: enrich carrier connectors with services CSV data and configuration annotations
+- feat: add HTTP-only cookie authentication for JWT tokens
+
+### Fix
+
+- fix: various fixes for gateway, pickups, label creation and pricing
+- sec(fix): potential fix for code scanning alert no. 60: construction of a cookie using user-supplied input
+
+### Chore
+
+- chore: upgrade Next.js to 16.1.5
+- chore: fix frontend builds for Next.js 16 compatibility (Turbopack, CSS import ordering, deprecated APIs)
+- chore: add MANIFEST.in files for connector service CSV packaging
+- chore: fix SDK tracking tests for DHL Parcel DE, Hermes and DPD connectors
+
+---
+
 # Karrio 2026.1.3
 
 ## Changes

PRDs/REPOSITORY_MERGE_AND_LICENSE_GATING.md

@@ -1 +1 @@
-2026.1.3
+2026.1.4

apps/api/karrio/server/VERSION

@@ -513,6 +513,15 @@
     "SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),
 }
 
+# JWT Cookie settings for HTTP-only cookie authentication
+JWT_AUTH_COOKIE = config("JWT_AUTH_COOKIE", default="karrio_access_token")
+JWT_REFRESH_COOKIE = config("JWT_REFRESH_COOKIE", default="karrio_refresh_token")
+JWT_AUTH_COOKIE_SECURE = config(
+    "JWT_AUTH_COOKIE_SECURE", default=USE_HTTPS, cast=bool
+)
+JWT_AUTH_COOKIE_SAMESITE = config("JWT_AUTH_COOKIE_SAMESITE", default="Lax")
+JWT_AUTH_COOKIE_PATH = config("JWT_AUTH_COOKIE_PATH", default="/")
+
 # OAuth2 config
 OIDC_RSA_PRIVATE_KEY = config("OIDC_RSA_PRIVATE_KEY", default="").replace("\\n", "\n")
 OAUTH2_PROVIDER_APPLICATION_MODEL = "oauth2_provider.Application"

apps/api/karrio/server/settings/base.py

@@ -1,7 +1,10 @@
 from django.urls import path
 from django.contrib.auth import get_user_model
 from django.utils.translation import gettext_lazy as _
-from rest_framework import serializers, exceptions
+from django.conf import settings
+from rest_framework import serializers, exceptions, status
+from rest_framework.response import Response
+from rest_framework.permissions import AllowAny
 from rest_framework_simplejwt import views as jwt_views, serializers as jwt
 from two_factor.utils import default_device
 
@@ -11,6 +14,99 @@
 User = get_user_model()
 
 
+# --- Cookie helpers (shared by all JWT views) ---
+
+def get_cookie_config(include_max_age=True):
+    """Build cookie configuration from Django settings."""
+    config = dict(
+        access_cookie_name=getattr(settings, "JWT_AUTH_COOKIE", "karrio_access_token"),
+        refresh_cookie_name=getattr(settings, "JWT_REFRESH_COOKIE", "karrio_refresh_token"),
+        secure=getattr(settings, "JWT_AUTH_COOKIE_SECURE", getattr(settings, "USE_HTTPS", False)),
+        samesite=getattr(settings, "JWT_AUTH_COOKIE_SAMESITE", "Lax"),
+        path=getattr(settings, "JWT_AUTH_COOKIE_PATH", "/"),
+    )
+
+    if include_max_age:
+        jwt_config = getattr(settings, "SIMPLE_JWT", {})
+        access_lifetime = jwt_config.get("ACCESS_TOKEN_LIFETIME")
+        refresh_lifetime = jwt_config.get("REFRESH_TOKEN_LIFETIME")
+        config.update(
+            access_max_age=int(access_lifetime.total_seconds()) if access_lifetime else 1800,
+            refresh_max_age=int(refresh_lifetime.total_seconds()) if refresh_lifetime else 259200,
+        )
+
+    return config
+
+
+def set_auth_cookies(response, access_token, refresh_token):
+    """Set HTTP-only cookies for access and refresh tokens on the response."""
+    config = get_cookie_config()
+
+    response.set_cookie(
+        config["access_cookie_name"],
+        access_token,
+        max_age=config["access_max_age"],
+        httponly=True,
+        secure=config["secure"],
+        samesite=config["samesite"],
+        path=config["path"],
+    )
+    response.set_cookie(
+        config["refresh_cookie_name"],
+        refresh_token,
+        max_age=config["refresh_max_age"],
+        httponly=True,
+        secure=config["secure"],
+        samesite=config["samesite"],
+        path=config["path"],
+    )
+
+
+def clear_auth_cookies(response):
+    """Clear HTTP-only auth cookies by expiring them immediately."""
+    config = get_cookie_config(include_max_age=False)
+
+    for cookie_name in [config["access_cookie_name"], config["refresh_cookie_name"]]:
+        response.set_cookie(
+            cookie_name,
+            "",
+            max_age=0,
+            httponly=True,
+            secure=config["secure"],
+            samesite=config["samesite"],
+            path=config["path"],
+        )
+
+
+def get_refresh_token(request):
+    """Get refresh token from cookie, falling back to request body."""
+    cookie_name = getattr(settings, "JWT_REFRESH_COOKIE", "karrio_refresh_token")
+    refresh_token = (
+        request.COOKIES.get(cookie_name)
+        or request.data.get("refresh")
+    )
+
+    if not refresh_token:
+        raise exceptions.ValidationError(
+            {"refresh": _("Refresh token is required.")}
+        )
+
+    return refresh_token
+
+
+def _build_token_response(access_token, refresh_token):
+    """Build a 201 token pair response with no-cache headers."""
+    response = Response(
+        {"access": access_token, "refresh": refresh_token},
+        status=status.HTTP_201_CREATED,
+    )
+    response["Cache-Control"] = "no-store"
+    response["CDN-Cache-Control"] = "no-store"
+    return response
+
+
+# --- Serializers ---
+
 class AccessToken(serializers.Serializer):
     access = serializers.CharField()
 
@@ -49,7 +145,13 @@ def validate(self, attrs):
 
 class TokenRefreshSerializer(jwt.TokenRefreshSerializer):
     def validate(self, attrs: dict):
-        refresh = jwt.RefreshToken(attrs["refresh"])
+        refresh_token = attrs.get("refresh")
+        if not refresh_token:
+            raise exceptions.ValidationError(
+                {"refresh": _("Refresh token is required.")}
+            )
+
+        refresh = jwt.RefreshToken(refresh_token)
 
         if not refresh["is_verified"]:
             raise exceptions.AuthenticationFailed(
@@ -86,7 +188,13 @@ class VerifiedTokenObtainPairSerializer(jwt.TokenRefreshSerializer):
     )
 
     def validate(self, attrs):
-        refresh = self.token_class(attrs["refresh"])
+        refresh_token = attrs.get("refresh")
+        if not refresh_token:
+            raise exceptions.ValidationError(
+                {"refresh": _("Refresh token is required.")}
+            )
+
+        refresh = self.token_class(refresh_token)
         user = User.objects.get(id=refresh["user_id"])
         refresh["is_verified"] = self._validate_otp(attrs["otp_token"], user)
 
@@ -126,6 +234,8 @@ def _validate_otp(self, otp_token, user) -> bool:
         )
 
 
+# --- Views ---
+
 class TokenObtainPair(jwt_views.TokenObtainPairView):
     serializer_class = TokenObtainPairSerializer
 
@@ -134,13 +244,17 @@ class TokenObtainPair(jwt_views.TokenObtainPairView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}authenticate",
         summary="Obtain auth token pair",
-        description="Authenticate the user and return a token pair",
+        description="Authenticate the user and return a token pair. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
-        response["Cache-Control"] = "no-store"
-        response["CDN-Cache-Control"] = "no-store"
+        serializer = self.get_serializer(data=self.request.data)
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        response = _build_token_response(data["access"], data["refresh"])
+        set_auth_cookies(response, data["access"], data["refresh"])
+
         return response
 
 
@@ -152,13 +266,23 @@ class TokenRefresh(jwt_views.TokenRefreshView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}refresh_token",
         summary="Refresh auth token",
-        description="Authenticate the user and return a token pair",
+        description="Refresh the authentication token. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
-        response["Cache-Control"] = "no-store"
-        response["CDN-Cache-Control"] = "no-store"
+        refresh_token = get_refresh_token(self.request)
+
+        serializer = self.get_serializer(data={"refresh": refresh_token})
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        access = data["access"]
+        refresh = data.get("refresh")
+
+        response = _build_token_response(access, refresh or refresh_token)
+        if refresh is not None:
+            set_auth_cookies(response, access, refresh)
+
         return response
 
 
@@ -187,13 +311,52 @@ class VerifiedTokenPair(jwt_views.TokenVerifyView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}get_verified_token",
         summary="Get verified JWT token",
-        description="Get a verified JWT token pair by submitting a Two-Factor authentication code.",
+        description="Get a verified JWT token pair by submitting a Two-Factor authentication code. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
+        refresh_token = get_refresh_token(self.request)
+
+        serializer = self.get_serializer(data={
+            "refresh": refresh_token,
+            "otp_token": self.request.data.get("otp_token"),
+        })
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        access = data["access"]
+        refresh = data.get("refresh")
+
+        response = _build_token_response(access, refresh or refresh_token)
+        if refresh is not None:
+            set_auth_cookies(response, access, refresh)
+
+        return response
+
+
+class LogoutView(jwt_views.TokenVerifyView):
+    """Logout view that clears HTTP-only auth cookies."""
+    permission_classes = [AllowAny]
+
+    @openapi.extend_schema(
+        auth=[],
+        tags=["Auth"],
+        operation_id=f"{ENDPOINT_ID}logout",
+        summary="Logout",
+        description="Clear authentication cookies and logout the user. Accessible without authentication.",
+        responses={200: openapi.OpenApiTypes.OBJECT},
+    )
+    def post(self, *args, **kwargs):
+        response = Response(
+            {"detail": "Successfully logged out."},
+            status=status.HTTP_200_OK,
+        )
+
+        clear_auth_cookies(response)
+
         response["Cache-Control"] = "no-store"
         response["CDN-Cache-Control"] = "no-store"
+
         return response
 
 
@@ -202,4 +365,5 @@ def post(self, *args, **kwargs):
     path("api/token/refresh", TokenRefresh.as_view(), name="jwt-refresh"),
     path("api/token/verify", TokenVerify.as_view(), name="jwt-verify"),
     path("api/token/verified", VerifiedTokenPair.as_view(), name="verified-jwt-pair"),
+    path("api/logout", LogoutView.as_view(), name="jwt-logout"),
 ]

apps/api/karrio/server/urls/jwt.py

@@ -1,5 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
+import "./.next/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

apps/dashboard/next-env.d.ts

@@ -82,7 +82,10 @@ const nextConfig = {
     "@karrio/app-store",
   ],
   sassOptions: {
-    includePaths: [path.join("src", "styles")],
+    includePaths: [
+      path.join("src", "styles"),
+      path.resolve(__dirname, "../../node_modules"),
+    ],
   },
   async headers() {
     return [

apps/dashboard/next.config.mjs

@@ -3,7 +3,7 @@
   "version": "1.0.0",
   "scripts": {
     "dev": "next dev --port 3002",
-    "build": "next build",
+    "build": "next build --webpack",
     "start": "next start",
     "lint": "next lint"
   },

apps/dashboard/package.json

@@ -46,7 +46,7 @@ $footer-padding: 1rem 1.5rem;
 $footer-background-color: $white;
 
 // Import only what you need from Bulma
-@import "../../node_modules/bulma/bulma.sass";
+@import "bulma/bulma.sass";
 
 .isolated-card {
   margin: 0px auto;