Pull request overview
This PR updates authentication flow in the workspace backend by issuing a login cookie during registration and adjusting the login submit route middleware.
Changes:
- Issue a LOGIN_TOKEN cookie after successful registration.
- Remove the InverseVCM middleware from POST /Login/Submit.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Backend/Workspace/Routes/Register.js | Adds CreateCookie call to issue LOGIN_TOKEN during registration. |
| Backend/Workspace/Routes/Login.js | Removes InverseVCM from the login submit endpoint. |
| // 4. Cookie発行 | ||
| CreateCookie({ | ||
| res, | ||
| cookieName: 'LOGIN_TOKEN', | ||
| payload: { userId, address: address }, | ||
| secretKey: process.env.LOGIN_SECRET, | ||
| deadlineHours: 24, // 1日有効 | ||
| httpOnly: true, | ||
| sameSite: 'strict' | ||
| }); |
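Review bot: the CreateCookie call passes `httpOnly: true` and `sameSite: 'strict'` but no `secure` flag, so unless CreateCookie sets it by default the LOGIN_TOKEN cookie will also be sent over plain HTTP; pass `secure: true` (toggled off only for local development) next to the other two options. Minor style point: `address: address` can use the shorthand `address`, as `userId` already does.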
CreateCookie is used here but Register.js does not import it (there are no other references in this file). This will throw ReferenceError: CreateCookie is not defined at runtime; add the appropriate import (matching how Login.js imports it from ../Tools/CreateCookie.js).
| // 4. Cookie発行 | ||
| CreateCookie({ | ||
| res, | ||
| cookieName: 'LOGIN_TOKEN', | ||
| payload: { userId, address: address }, | ||
| secretKey: process.env.LOGIN_SECRET, | ||
| deadlineHours: 24, // 1日有効 | ||
| httpOnly: true, | ||
| sameSite: 'strict' | ||
| }); | ||
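Review bot: `payload: { userId, address: address }` goes into a signed but unencrypted JWT, so every claim placed there is readable by whoever holds the cookie and is fixed for the token's lifetime even if the stored record changes. Keep the payload to the identifier the server needs to look the user up (`userId`) and read `address` from the persisted record on each request instead of embedding it in the token.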
This issues the login cookie before the user record is persisted. If the DB insert fails (or the request errors after cookie issuance), the client can end up holding a valid LOGIN_TOKEN for a userId/address that was never saved. Move cookie issuance to after the DB insert succeeds (and consider clearing any already-set cookie on error paths).
| payload: { userId, address: address }, | ||
| secretKey: process.env.LOGIN_SECRET, | ||
| deadlineHours: 24, // 1日有効 |
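Review bot: `deadlineHours: 24` is a magic number whose meaning is repeated in the inline comment; define it once as a named constant (e.g. `LOGIN_TOKEN_HOURS`) so the JWT lifetime and any cookie `maxAge` derived from it cannot drift apart when one of them is changed.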
secretKey: process.env.LOGIN_SECRET can be undefined, which causes jwt.sign inside CreateCookie to throw ("secretOrPrivateKey must have a value"). Consider validating LOGIN_SECRET (similar to the existing PEPPER check) and returning a configuration error before attempting to create the cookie.
| cookieName: 'LOGIN_TOKEN', | ||
| payload: { userId, address: address }, | ||
| secretKey: process.env.LOGIN_SECRET, | ||
| deadlineHours: 24, // 1日有効 |
The inline comment says "1日有効", but CreateCookie currently sets only { httpOnly, sameSite } on the cookie (no maxAge/expires), so the browser cookie itself is session-scoped even though the JWT has a 24h exp. Consider either setting cookie expiration in CreateCookie to match deadlineHours, or adjusting the comment/behavior to avoid confusion.
| deadlineHours: 24, // 1日有効 | |
| deadlineHours: 24, // JWTは1日有効(Cookie自体はセッション有効) |
No description provided.