refactor: replace Bearer token auth with HttpOnly cookies #84

Merged
sneak merged 3 commits from feature/cookie-auth-refactor into main 2026-03-20 23:54:24 +01:00
Showing only changes of commit 9e8d39af1e


@@ -212,13 +212,13 @@ Each session has an IRC-style hostmask composed of three parts:
- **nick** — the user's current nick (changes with `NICK` command) - **nick** — the user's current nick (changes with `NICK` command)
- **username** — an ident-like identifier set at session creation (optional - **username** — an ident-like identifier set at session creation (optional
`username` field in the session/register request; defaults to the nick) `username` field in the session request; defaults to the nick)
- **hostname** — automatically resolved via reverse DNS of the connecting - **hostname** — automatically resolved via reverse DNS of the connecting
client's IP address at session creation time client's IP address at session creation time
- **ip** — the real IP address of the session creator, extracted from - **ip** — the real IP address of the session creator, extracted from
`X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr` `X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr`
Each **client connection** (created at session creation, registration, or login) Each **client connection** (created at session creation or login)
also stores its own **ip** and **hostname**, allowing the server to track the also stores its own **ip** and **hostname**, allowing the server to track the
network origin of each individual client independently from the session. network origin of each individual client independently from the session.
Client-level IP and hostname are **not displayed to regular users**. They are Client-level IP and hostname are **not displayed to regular users**. They are
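Review bot: the `ip` bullet still documents the session creator's "real IP" as extracted from `X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr` without saying under which deployment the two forwarded headers are trusted or which one wins when both are present; since those headers are supplied by whoever connects directly, this section should state that they are only honored when the request arrives from a configured reverse proxy and that `RemoteAddr` is used otherwise, the same way the hostname bullet spells out how its value is resolved. While this hunk is touching the connection-origin wording anyway, a one-line addition such as "`X-Forwarded-For` and `X-Real-IP` are only consulted for requests from a trusted proxy" would close that gap.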
@@ -2468,8 +2468,7 @@ Clients should handle these message commands from the queue:
- **HTTP 401**: Auth cookie expired or invalid. Re-create session or - **HTTP 401**: Auth cookie expired or invalid. Re-create session or
re-login (if a password was set). re-login (if a password was set).
- **HTTP 404**: Channel or user not found. - **HTTP 404**: Channel or user not found.
- **HTTP 409**: Nick already taken (on session creation, registration, or - **HTTP 409**: Nick already taken (on session creation or NICK change).
NICK change).
- **HTTP 400**: Malformed request. Check the `error` field in the response. - **HTTP 400**: Malformed request. Check the `error` field in the response.
- **Network errors**: Back off exponentially (1s, 2s, 4s, ..., max 30s). - **Network errors**: Back off exponentially (1s, 2s, 4s, ..., max 30s).
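Review bot: the 401 bullet tells clients to re-create the session or re-login when the auth cookie is expired or invalid, but with an HttpOnly cookie the client cannot inspect or discard the credential itself; the docs should state whether the 401 response clears the cookie (a `Set-Cookie` with an expired lifetime) and whether a fresh session request replaces it, otherwise a retrying client keeps presenting the stale cookie. It would also help to say explicitly that the exponential backoff described under "Network errors" does not apply to 401 or 409, which are terminal for the current request.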