proxmoxPanel/core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: auth redirect bug + cookie Secure + migration multi-statements

Browse source 
- fetchMe: handle ALL non-ok responses (not just 401) by calling tryRefresh
  → avoids user=null when backend returns 404/500/any error
- DOMContentLoaded guard: check isAuthenticated instead of localStorage token
  → immediate redirect if fetchMe+tryRefresh both fail, no more flash of dashboard
- Cookie Secure flag: check X-Forwarded-Proto header for Traefik/proxy setup
  → cookie gets Secure=true when behind TLS-terminating reverse proxy
- db.go migrate(): split SQL by ; and exec each statement separately
  → fixes SQLite multi-statement limitation (only first stmt was executed)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
enzo 2026-03-21 22:29:22 +01:00
parent 97212b7ffa
commit 780e5ec81d
3 changed files with 18 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

4
backend/internal/api/auth.go
View file

@ -116,12 +116,14 @@ func (h *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
h.db.Exec(`UPDATE users SET last_login_at = CURRENT_TIMESTAMP WHERE id = ?`, userID)
// Cookie httpOnly pour le refresh token
// Secure=true si TLS direct ou si derrière un proxy (Traefik) qui a terminé TLS
isHTTPS := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
http.SetCookie(w, &http.Cookie{
Name: "pxp_refresh",
Value: refreshToken,
Path: "/api/auth/refresh",
HttpOnly: true,
Secure: r.TLS != nil,
Secure: isHTTPS,
SameSite: http.SameSiteStrictMode,
Expires: expiry,
})