improvments:

ribaraka · ribaraka · commit ce37ce6b92a6 · 2025-12-18T17:01:02.000+01:00
- Adjust secure-cookie detection to be proxy/request driven and correctly parse `x-forwarded-proto`, avoiding `NODE_ENV` forcing secure cookies.
- Adopt Bearer-prefix stripping when setting the auth cookie
- Added Cache-Control: no-store headers to prevent stale auth responses:
- Treat tokens that fail JWT decoding as unauthenticated
- Avoid extra domain fetch when RBAC is off
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
@@ -7,5 +7,7 @@ import {
 
 export async function GET(request: NextRequest) {
   const authContext = await resolveAuthContext(request.cookies);
-  return NextResponse.json(getPublicAuthContext(authContext));
+  return NextResponse.json(getPublicAuthContext(authContext), {
+    headers: { 'Cache-Control': 'no-store' },
+  });
 }
diff --git a/src/app/api/auth/token/route.ts b/src/app/api/auth/token/route.ts
@@ -4,36 +4,57 @@ import { CADENCE_AUTH_COOKIE_NAME } from '@/utils/auth/auth-context';
 
 const COOKIE_OPTIONS = {
   httpOnly: true,
-  secure: process.env.NODE_ENV !== 'development',
   sameSite: 'lax' as const,
   path: '/',
 };
 
+function getCookieSecureAttribute(request: NextRequest) {
+  const xfProto = request.headers.get('x-forwarded-proto');
+  const proto = xfProto?.split(',')[0]?.trim().toLowerCase();
+  if (proto) return proto === 'https';
+  return request.nextUrl.protocol === 'https:';
+}
+
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
     if (!body?.token || typeof body.token !== 'string') {
       return NextResponse.json(
         { message: 'A valid token is required' },
-        { status: 400 }
+        { status: 400, headers: { 'Cache-Control': 'no-store' } }
+      );
+    }
+
+    const normalizedToken = body.token.trim().replace(/^bearer\s+/i, '');
+    if (!normalizedToken) {
+      return NextResponse.json(
+        { message: 'A valid token is required' },
+        { status: 400, headers: { 'Cache-Control': 'no-store' } }
       );
     }
 
     const response = NextResponse.json({ ok: true });
-    response.cookies.set(CADENCE_AUTH_COOKIE_NAME, body.token, COOKIE_OPTIONS);
+    response.headers.set('Cache-Control', 'no-store');
+    response.cookies.set(CADENCE_AUTH_COOKIE_NAME, normalizedToken, {
+      ...COOKIE_OPTIONS,
+      secure: getCookieSecureAttribute(request),
+    });
     return response;
   } catch {
     return NextResponse.json(
       { message: 'Invalid request body' },
-      { status: 400 }
+      { status: 400, headers: { 'Cache-Control': 'no-store' } }
     );
   }
 }
 
-export async function DELETE() {
+export async function DELETE(request: NextRequest) {
   const response = NextResponse.json({ ok: true });
+  response.headers.set('Cache-Control', 'no-store');
   response.cookies.set(CADENCE_AUTH_COOKIE_NAME, '', {
     ...COOKIE_OPTIONS,
+    secure: getCookieSecureAttribute(request),
+    expires: new Date(0),
     maxAge: 0,
   });
   return response;
diff --git a/src/hooks/use-domain-access/use-domain-access.ts b/src/hooks/use-domain-access/use-domain-access.ts
@@ -11,11 +11,11 @@ import useUserInfo from '../use-user-info/use-user-info';
 
 export default function useDomainAccess(params: UseDomainDescriptionParams) {
   const userInfoQuery = useUserInfo();
-  const shouldLoadDomain = Boolean(userInfoQuery.data);
+  const isRbacEnabled = userInfoQuery.data?.rbacEnabled === true;
 
   const domainQuery = useQuery({
     ...getDomainDescriptionQueryOptions(params),
-    enabled: shouldLoadDomain,
+    enabled: isRbacEnabled,
   });
 
   const access = useMemo(() => {
@@ -27,6 +27,10 @@ export default function useDomainAccess(params: UseDomainDescriptionParams) {
       return undefined;
     }
 
+    if (!userInfoQuery.data.rbacEnabled) {
+      return { canRead: true, canWrite: true };
+    }
+
     if (domainQuery.data) {
       return getDomainAccessForUser(domainQuery.data, userInfoQuery.data);
     }
@@ -44,7 +48,7 @@ export default function useDomainAccess(params: UseDomainDescriptionParams) {
   ]);
 
   const isLoading =
-    userInfoQuery.isLoading || (shouldLoadDomain && domainQuery.isLoading);
+    userInfoQuery.isLoading || (isRbacEnabled && domainQuery.isLoading);
 
   return {
     access,
diff --git a/src/utils/auth/__tests__/auth-context.test.ts b/src/utils/auth/__tests__/auth-context.test.ts
@@ -20,6 +20,11 @@ const buildToken = (claims: Record<string, unknown>) => {
   return ['header', payload, 'signature'].join('.');
 };
 
+const buildTokenWithNonJsonPayload = (payloadText: string) => {
+  const payload = Buffer.from(payloadText).toString('base64url');
+  return ['header', payload, 'signature'].join('.');
+};
+
 describe('auth-context utilities', () => {
   beforeEach(() => {
     jest.clearAllMocks();
@@ -85,6 +90,27 @@ describe('auth-context utilities', () => {
       });
     });
 
+    it('treats undecodable tokens as unauthenticated', async () => {
+      const token = buildTokenWithNonJsonPayload('not-json');
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: undefined,
+        groups: [],
+        isAdmin: false,
+        userName: undefined,
+      });
+    });
+
     it('treats expired tokens as unauthenticated', async () => {
       const nowMs = 1_700_000_000_000;
       const dateNowSpy = jest.spyOn(Date, 'now').mockReturnValue(nowMs);
diff --git a/src/utils/auth/auth-context.ts b/src/utils/auth/auth-context.ts
@@ -56,13 +56,15 @@ export async function resolveAuthContext(
   const token = tokenFromCookie || undefined;
 
   const claims = token ? decodeCadenceJwtClaims(token) : undefined;
+  const isInvalidToken = token !== undefined && claims === undefined;
   const expiresAtMsRaw =
     typeof claims?.exp === 'number' ? claims.exp * 1000 : undefined;
   const isExpired =
     expiresAtMsRaw !== undefined && Date.now() >= expiresAtMsRaw;
-  const effectiveClaims = isExpired ? undefined : claims;
-  const expiresAtMs = isExpired ? undefined : expiresAtMsRaw;
-  const effectiveToken = isExpired ? undefined : token;
+  const shouldDropToken = isInvalidToken || isExpired;
+  const effectiveClaims = shouldDropToken ? undefined : claims;
+  const expiresAtMs = shouldDropToken ? undefined : expiresAtMsRaw;
+  const effectiveToken = shouldDropToken ? undefined : token;
 
   const normalizeGroups = (): string[] => {
     const raw = effectiveClaims?.groups ?? effectiveClaims?.Groups;

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,7 @@ import {`
`7`	`7`
`8`	`8`	`export async function GET(request: NextRequest) {`
`9`	`9`	`const authContext = await resolveAuthContext(request.cookies);`
`10`		`- return NextResponse.json(getPublicAuthContext(authContext));`
	`10`	`+ return NextResponse.json(getPublicAuthContext(authContext), {`
	`11`	`+ headers: { 'Cache-Control': 'no-store' },`
	`12`	`+ });`
`11`	`13`	`}`