Merge pull request #124 from modx-pro/dev/new-auth

fix(auth): httpOnly cookie token architecture

Author: biz87

CHANGELOG.md

@@ -56,6 +56,7 @@
 
 #### 🐛 Исправлено
 
+- **httpOnly cookie token architecture (#124):** единый httpOnly cookie `ms3_token` вместо 4 несинхронизированных хранилищ. Middleware injection для обратной совместимости. Корзина сохраняется при логине/регистрации.
 - Исправлены неточности в лексиконах (Issue #21)
 - Удалён `action` из конфигурации меню miniShop3 (#94)
 - Очистка EAV-опций из формы товара
@@ -66,6 +67,10 @@
 - Корректные дефолтные ID статусов заказов с fallback для нулевых значений
 - `getIterator` для msProduct/msCategory — добавлен `class_key` в критерии
 
+#### ⚠️ Breaking changes
+
+- **Register.php response format (#124):** поле `token` изменено с объекта `{token, expires_at}` на строку. `expires_at` вынесен на верхний уровень ответа. Кастомные темы, обращающиеся к `result.object.token.token`, потребуют обновления.
+
 #### 🔧 Изменено
 
 - Удалены избыточные проверки прав в `initialize()` процессоров (#95)

assets/components/minishop3/js/web/core/ApiClient.js

@@ -2,7 +2,7 @@
  * HTTP client for MiniShop3 REST API
  *
  * Simple wrapper over fetch() for backend API interaction.
- * Automatically adds authorization token and handles JSON.
+ * Token is sent automatically via httpOnly cookie (credentials: 'same-origin').
  * Handles token refresh on 401 errors.
  *
  * @example
@@ -38,19 +38,15 @@ class ApiClient {
 
     url.searchParams.set('route', endpoint)
 
-    const token = this.tokenManager.getToken()
-    if (token) {
-      url.searchParams.set('ms3_token', token)
-    }
-
     const headers = {
       Accept: 'application/json',
       'X-Requested-With': 'XMLHttpRequest'
     }
 
     const options = {
       method,
-      headers
+      headers,
+      credentials: 'same-origin'
     }
 
     if (data && (method === 'POST' || method === 'PATCH' || method === 'PUT')) {
@@ -66,10 +62,9 @@ class ApiClient {
       const response = await fetch(url.toString(), options)
       const result = await response.json()
 
-      // Handle token errors: clear invalid token, get new one, and retry
+      // Handle token errors: request new token from server and retry
       if (!isRetry && response.status === 401 && this.isTokenError(result)) {
         console.log('[ApiClient] Token invalid, refreshing and retrying request')
-        this.tokenManager.removeToken()
         await this.tokenManager.fetchNewToken()
         return this.request(method, endpoint, data, true)
       }

assets/components/minishop3/js/web/core/TokenManager.js

@@ -1,24 +1,26 @@
 /**
- * Customer token manager
+ * Customer token manager (httpOnly cookie mode)
  *
- * Manages customer authorization token:
- * - Storage in localStorage
- * - Expiry validation
- * - Automatic token retrieval when missing/expired
+ * Token is stored in httpOnly cookie by the server.
+ * JS cannot read it directly — it's sent automatically with every request.
+ * This class handles initialization and legacy localStorage cleanup.
  *
  * @example
  * const tokenManager = new TokenManager({ tokenName: 'ms3_token' })
  * await tokenManager.ensureToken()
- * const token = tokenManager.getToken()
  */
 class TokenManager {
   /**
    * @param {Object} config - Configuration
-   * @param {string} config.tokenName - Key for storing token in localStorage
+   * @param {string} config.tokenName - Legacy key (for localStorage cleanup)
    */
   constructor (config) {
     this.tokenName = config.tokenName || 'ms3_token'
     this.apiClient = null
+    this.tokenInitialized = false
+
+    // Clean up legacy localStorage on construction
+    this.cleanupLegacyStorage()
   }
 
   /**
@@ -31,78 +33,55 @@ class TokenManager {
   }
 
   /**
-   * Get token from localStorage
+   * Get token — always returns null (httpOnly cookie, not accessible from JS)
    *
-   * @returns {string|null} - Token or null if missing/expired
+   * @returns {null}
    */
   getToken () {
-    const tokenData = this.getTokenData()
-    return tokenData ? tokenData.token : null
+    return null
   }
 
   /**
-   * Get full token data (token + expiry)
+   * Get full token data — always returns null (httpOnly cookie)
    *
-   * @returns {Object|null} - { token: string, expiry: number } or null
+   * @returns {null}
    */
   getTokenData () {
-    const stored = localStorage.getItem(this.tokenName)
-    if (!stored) {
-      return null
-    }
-
-    try {
-      const data = JSON.parse(stored)
-      const now = Date.now()
-
-      if (now > data.expiry) {
-        this.removeToken()
-        return null
-      }
-
-      return data
-    } catch (e) {
-      this.removeToken()
-      return null
-    }
+    return null
   }
 
   /**
-   * Save token to localStorage
+   * Set token — no-op (token is managed by server via httpOnly cookie)
    *
-   * @param {string} token - Token
-   * @param {number} lifetime - Token lifetime in seconds
+   * @param {string} _token - Unused
+   * @param {number} _lifetime - Unused
    */
-  setToken (token, lifetime) {
-    const data = {
-      token,
-      expiry: Date.now() + (lifetime * 1000)
-    }
-    localStorage.setItem(this.tokenName, JSON.stringify(data))
+  setToken (_token, _lifetime) {
+    // No-op: token is in httpOnly cookie, managed by server
   }
 
   /**
-   * Remove token from localStorage
+   * Remove token — cleans up legacy localStorage only
    */
   removeToken () {
-    localStorage.removeItem(this.tokenName)
+    this.cleanupLegacyStorage()
   }
 
   /**
-   * Check for valid token, fetch new if needed
+   * Ensure token cookie exists by requesting from server if needed
    *
    * @returns {Promise<void>}
    */
   async ensureToken () {
-    if (this.getToken()) {
+    if (this.tokenInitialized) {
       return
     }
 
     await this.fetchNewToken()
   }
 
   /**
-   * Fetch new token from server
+   * Fetch new token from server (server sets httpOnly cookie)
    *
    * @returns {Promise<void>}
    */
@@ -118,6 +97,7 @@ class TokenManager {
 
       const response = await fetch(url.toString(), {
         method: 'GET',
+        credentials: 'same-origin',
         headers: {
           Accept: 'application/json',
           'X-Requested-With': 'XMLHttpRequest'
@@ -126,8 +106,8 @@ class TokenManager {
 
       const result = await response.json()
 
-      if (result.success && result.data) {
-        this.setToken(result.data.token, result.data.lifetime)
+      if (result.success) {
+        this.tokenInitialized = true
       } else {
         console.error('TokenManager: Failed to get token', result)
       }
@@ -150,11 +130,22 @@ class TokenManager {
     try {
       const response = await this.apiClient.post('/customer/token/update')
 
-      if (response.success && response.data) {
-        this.setToken(response.data.token, response.data.lifetime)
+      if (response.success) {
+        this.tokenInitialized = true
       }
     } catch (error) {
       console.error('TokenManager: Error refreshing token', error)
     }
   }
+
+  /**
+   * Remove legacy localStorage data
+   */
+  cleanupLegacyStorage () {
+    try {
+      localStorage.removeItem(this.tokenName)
+    } catch (e) {
+      // Ignore storage errors
+    }
+  }
 }

assets/components/minishop3/js/web/modules/auth-forms.js

@@ -98,10 +98,6 @@ class AuthForms {
       if (result.success) {
         this.showMessage('login-messages', this.getLexicon('ms3_customer_login_success'), 'success')
 
-        if (result.object && result.object.token) {
-          this.saveToken(result.object.token)
-        }
-
         setTimeout(() => {
           this.handleRedirect(result.object)
         }, 1000)
@@ -163,7 +159,7 @@ class AuthForms {
         )
 
         if (result.object && result.object.token) {
-          this.saveToken(result.object.token)
+          // Auto-login: redirect to account page
           setTimeout(() => {
             this.handleRedirect(result.object)
           }, 1500)
@@ -208,39 +204,37 @@ class AuthForms {
   }
 
   /**
-   * Save authorization token
+   * Save authorization token — no-op (httpOnly cookie managed by server)
+   * Cleans up legacy localStorage.
    *
-   * @param {string} token - API token
+   * @param {string} _token - Unused
    */
-  saveToken (token) {
-    if (!token) return
-
-    localStorage.setItem('ms3_token', token)
-
-    if (window.ms3 && window.ms3.config) {
-      window.ms3.config.token = token
+  saveToken (_token) {
+    // Clean up legacy localStorage
+    try {
+      localStorage.removeItem('ms3_token')
+    } catch (e) {
+      // Ignore
     }
-
-    console.log('[AuthForms] Token saved, length:', token.length)
   }
 
   /**
-   * Get saved token
+   * Get saved token — returns null (httpOnly cookie, not accessible from JS)
    *
-   * @returns {string|null} - Token or null
+   * @returns {null}
    */
   getToken () {
-    return localStorage.getItem('ms3_token')
+    return null
   }
 
   /**
-   * Remove token (on logout)
+   * Remove token (on logout) — cleans up legacy localStorage
    */
   clearToken () {
-    localStorage.removeItem('ms3_token')
-
-    if (window.ms3 && window.ms3.config) {
-      window.ms3.config.token = null
+    try {
+      localStorage.removeItem('ms3_token')
+    } catch (e) {
+      // Ignore
     }
   }
 
@@ -257,6 +251,7 @@ class AuthForms {
 
     const response = await fetch(url.toString(), {
       method: 'POST',
+      credentials: 'same-origin',
       headers: {
         'Content-Type': 'application/json',
         Accept: 'application/json'

core/components/minishop3/elements/snippets/ms3_cart.php

@@ -27,14 +27,11 @@
 // Load lexicons for template
 $modx->lexicon->load('minishop3:cart');
 
-if (!empty($scriptProperties['customer_token'])) {
-    $token = $scriptProperties['customer_token'];
-} elseif (!empty($_SESSION['ms3']) && !empty($_SESSION['ms3']['customer_token'])) {
-    $token = $_SESSION['ms3']['customer_token'];
-} else {
-    $response = $ms3->customer->generateToken();
-    $token = $response['data']['token'];
-}
+/** @var \MiniShop3\Services\TokenService $tokenService */
+$tokenService = $modx->services->get('ms3_token_service');
+$token = !empty($scriptProperties['customer_token'])
+    ? $scriptProperties['customer_token']
+    : $tokenService->resolveOrCreateToken();
 if (!empty($_GET['msorder'])) {
     return '';
 }

core/components/minishop3/elements/snippets/ms3_customer.php

@@ -6,7 +6,7 @@
 use MiniShop3\Services\Customer\OrdersPageService;
 use ModxPro\PdoTools\Fetch;
 
-/** @var modX $modx */
+/** @var \MODX\Revolution\modX $modx */
 /** @var array $scriptProperties */
 /** @var MiniShop3 $ms3 */
 

core/components/minishop3/elements/snippets/ms3_get_order.php

@@ -56,8 +56,10 @@
     return $modx->lexicon('ms3_err_order_nf');
 }
 $customerId = null;
-if (!empty($_SESSION['ms3']) && !empty($_SESSION['ms3']['customer_token'])) {
-    $token = $_SESSION['ms3']['customer_token'];
+/** @var \MiniShop3\Services\TokenService $tokenService */
+$tokenService = $modx->services->get('ms3_token_service');
+$token = $tokenService->resolveOrCreateToken();
+if (!empty($token)) {
     $customer = $ms3->customer->getByToken($token);
     if (!empty($customer)) {
         $customerId = $customer->get('id');

core/components/minishop3/elements/snippets/ms3_order.php

@@ -22,12 +22,9 @@
 $ms3 = $modx->services->get('ms3');
 $ms3->initialize($modx->context->key);
 
-if (!empty($_SESSION['ms3']) && !empty($_SESSION['ms3']['customer_token'])) {
-    $token = $_SESSION['ms3']['customer_token'];
-} else {
-    $response = $ms3->customer->generateToken();
-    $token = $response['data']['token'];
-}
+/** @var \MiniShop3\Services\TokenService $tokenService */
+$tokenService = $modx->services->get('ms3_token_service');
+$token = $tokenService->resolveOrCreateToken();
 
 /** @var Fetch $pdoFetch */
 $pdoFetch = $modx->services->get(Fetch::class);

core/components/minishop3/elements/snippets/ms3_order_total.php

@@ -16,12 +16,9 @@
 $ms3->initialize($modx->context->key);
 $ms3->registerSnippet($scriptProperties, 'msOrderTotal');
 
-if (!empty($_SESSION['ms3']) && !empty($_SESSION['ms3']['customer_token'])) {
-    $token = $_SESSION['ms3']['customer_token'];
-} else {
-    $response = $ms3->customer->generateToken();
-    $token = $response['data']['token'];
-}
+/** @var \MiniShop3\Services\TokenService $tokenService */
+$tokenService = $modx->services->get('ms3_token_service');
+$token = $tokenService->resolveOrCreateToken();
 
 /** @var Fetch $pdoFetch */
 $pdoFetch = $modx->services->get(Fetch::class);