fix: correct all documentation inaccuracies about cookie-based auth
- Fix false claim 'clients never need to handle the token directly' — CLI clients (curl, custom HTTP clients) must explicitly manage cookies - Replace 'token' with 'cookie' in multi-client diagram (token_a → cookie_a) - Fix Set-Cookie placeholders in protocol diagrams (<token> → <random_hex>/<cookie_a>/<cookie_b>) - Fix 'old token' → 'old auth cookie' in QUIT command description - Fix 'get token' → 'get auth cookie' in Client Development Guide - Fix 'Tokens are hashed' → 'Cookie values are hashed' in Security Model - Fix 'client tokens are deleted' → 'client auth cookies are invalidated' - Fix 'Cookie sent automatically' → 'Cookie must be sent' in diagram - Fix 'eliminates token management from client code entirely' rationale - Fix 'No token appears in the JSON body' → 'No auth credential appears' - Fix 'encoded in the token' → 'encoded in the cookie value' - Fix 'Clients never handle tokens directly' in JWT comparison section - Update clients table token column description for clarity - All remaining 'token' refs verified as legitimate (pow_token/hashcash/JWT comparison/DB schema column name)
@@ -335,7 +335,7 @@ func (hdlr *Handlers) executeCreateSession(
hdlr.respondJSON(writer, request, map[string]any{
"id": sessionID,
"nick": payload.Nick,
"nick": nick,
}, http.StatusCreated)
}
@@ -2230,7 +2230,7 @@ func TestWhoisShowsHostInfo(t *testing.T) {
}
// createSessionWithUsername creates a session with a
// specific username and returns the token.
// specific username and returns the auth cookie value.
func (tserver *testServer) createSessionWithUsername(
nick, username string,
) string {
@@ -2264,13 +2264,19 @@ func (tserver *testServer) createSessionWithUsername(
)
}
var result struct {
Token string `json:"token"`
// Drain the body.
_, _ = io.ReadAll(resp.Body)
// Extract auth cookie from response.
for _, cookie := range resp.Cookies() {
if cookie.Name == authCookieName {
return cookie.Value
}
}
_ = json.NewDecoder(resp.Body).Decode(&result)
tserver.t.Fatal("no auth cookie in response")
return result.Token
return ""
}
func TestWhoShowsHostInfo(t *testing.T) {
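Review bot: The cookie loop at `if cookie.Name == authCookieName {` returns the first Set-Cookie carrying that name regardless of its value, so a response that also emits a deletion cookie for the same name (empty value, negative Max-Age) would make the helper hand back "" instead of reaching the Fatal; tightening it to `if cookie.Name == authCookieName && cookie.Value != "" {` keeps the failure path meaningful. Since this helper is now the one place tests read the auth Set-Cookie, it is also the natural place to assert `cookie.HttpOnly` (and `Secure`/`SameSite`, if the server sets them) so a regression in cookie attributes is caught early rather than silently accepted. The function begins in the previous hunk and its opening lines are outside this one, so I cannot see whether `tserver.t.Helper()` is called or the status code is checked before the body is drained; if not, adding `tserver.t.Helper()` at the top makes the `Fatal` report the calling test's line.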
@@ -10,7 +10,6 @@ import (
const minPasswordLength = 8
// HandleLogin authenticates a user with nick and password.
func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
return func(