refactor: replace Bearer token auth with HttpOnly cookies

- Remove POST /api/v1/register endpoint entirely - Session creation (POST /api/v1/session) now sets neoirc_auth HttpOnly cookie instead of returning token in JSON body - Login (POST /api/v1/login) now sets neoirc_auth HttpOnly cookie instead of returning token in JSON body - Add PASS IRC command for setting session password (enables multi-client login via POST /api/v1/login) - All per-request auth reads from neoirc_auth cookie instead of Authorization: Bearer header - Cookie properties: HttpOnly, SameSite=Strict, Secure when behind TLS - Logout and QUIT clear the auth cookie - Update CORS to AllowCredentials:true with origin reflection - Remove Authorization from CORS AllowedHeaders - Update CLI client to use cookie jar (net/http/cookiejar) - Remove Token field from SessionResponse - Add SetPassword to DB layer, remove RegisterUser - Comprehensive test updates for cookie-based auth - Add tests: TestPassCommand, TestPassCommandShortPassword, TestPassCommandEmpty, TestSessionCookie - Update README extensively: auth model, API reference, curl examples, security model, design principles, roadmap closes #83
2026-03-17 20:33:12 -07:00
parent bf4d63bc4d
commit cd9fd0c5c5
11 changed files with 625 additions and 711 deletions
--- a/internal/db/auth_test.go
+++ b/internal/db/auth_test.go
@@ -6,63 +6,65 @@ import (
 	_ "modernc.org/sqlite"
 )

-func TestRegisterUser(t *testing.T) {
+func TestSetPassword(t *testing.T) {
 	t.Parallel()

 	database := setupTestDB(t)
 	ctx := t.Context()

-	sessionID, clientID, token, err :=
-		database.RegisterUser(ctx, "reguser", "password123")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "passuser")
 	if err != nil {
 		t.Fatal(err)
 	}

-	if sessionID == 0 || clientID == 0 || token == "" {
+	err = database.SetPassword(
+		ctx, sessionID, "password123",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify we can now log in with the password.
+	loginSID, loginCID, loginToken, err :=
+		database.LoginUser(ctx, "passuser", "password123")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loginSID == 0 || loginCID == 0 || loginToken == "" {
 		t.Fatal("expected valid ids and token")
 	}
-
-	// Verify session works via token lookup.
-	sid, cid, nick, err :=
-		database.GetSessionByToken(ctx, token)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if sid != sessionID || cid != clientID {
-		t.Fatal("session/client id mismatch")
-	}
-
-	if nick != "reguser" {
-		t.Fatalf("expected reguser, got %s", nick)
-	}
 }

-func TestRegisterUserDuplicateNick(t *testing.T) {
+func TestSetPasswordThenWrongLogin(t *testing.T) {
 	t.Parallel()

 	database := setupTestDB(t)
 	ctx := t.Context()

-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "dupnick", "password123")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "wrongpw")
 	if err != nil {
 		t.Fatal(err)
 	}

-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	dupSID, dupCID, dupToken, dupErr :=
-		database.RegisterUser(ctx, "dupnick", "other12345")
-	if dupErr == nil {
-		t.Fatal("expected error for duplicate nick")
+	err = database.SetPassword(
+		ctx, sessionID, "correctpass",
+	)
+	if err != nil {
+		t.Fatal(err)
 	}

-	_ = dupSID
-	_ = dupCID
-	_ = dupToken
+	loginSID, loginCID, loginToken, loginErr :=
+		database.LoginUser(ctx, "wrongpw", "wrongpass12")
+	if loginErr == nil {
+		t.Fatal("expected error for wrong password")
+	}
+
+	_ = loginSID
+	_ = loginCID
+	_ = loginToken
 }

 func TestLoginUser(t *testing.T) {
@@ -71,23 +73,26 @@ func TestLoginUser(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()

-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "loginuser", "mypassword")
+	sessionID, _, _, err :=
+		database.CreateSession(ctx, "loginuser")
 	if err != nil {
 		t.Fatal(err)
 	}

-	_ = regSID
-	_ = regCID
-	_ = regToken
+	err = database.SetPassword(
+		ctx, sessionID, "mypassword",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}

-	sessionID, clientID, token, err :=
+	loginSID, loginCID, token, err :=
 		database.LoginUser(ctx, "loginuser", "mypassword")
 	if err != nil {
 		t.Fatal(err)
 	}

-	if sessionID == 0 || clientID == 0 || token == "" {
+	if loginSID == 0 || loginCID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}

@@ -103,33 +108,6 @@ func TestLoginUser(t *testing.T) {
 	}
 }

-func TestLoginUserWrongPassword(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "wrongpw", "correctpass")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_ = regSID
-	_ = regCID
-	_ = regToken
-
-	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "wrongpw", "wrongpass12")
-	if loginErr == nil {
-		t.Fatal("expected error for wrong password")
-	}
-
-	_ = loginSID
-	_ = loginCID
-	_ = loginToken
-}
-
 func TestLoginUserNoPassword(t *testing.T) {
 	t.Parallel()