feat: csrf tokens handling

2025-12-04 06:13:03 +03:00 · 2025-12-04 06:13:03 +03:00 · 6995ce58f6
commit 6995ce58f6
parent ab29c33f5b
12 changed files with 233 additions and 5 deletions
--- a/api/_build/openapi.yaml
+++ b/api/_build/openapi.yaml
@ -120,6 +120,8 @@ paths:
          description: Title not found
        '500':
          description: Unknown server error
+      security:
+        - JwtAuthCookies: []
  '/users/{user_id}':
    get:
      operationId: getUsersId
@ -156,6 +158,8 @@ paths:
        Password updates must be done via the dedicated auth-service (`/auth/`).
        Fields not provided in the request body remain unchanged.
      parameters:
+        - $ref: '#/components/parameters/accessToken'
+        - $ref: '#/components/parameters/csrfToken'
        - name: user_id
          in: path
          description: User ID (primary key)
@ -223,6 +227,8 @@ paths:
          description: 'Unprocessable Entity — semantic errors not caught by schema (e.g., invalid `avatar_id`)'
        '500':
          description: Unknown server error
+      security:
+        - JwtAuthCookies: []
  '/users/{user_id}/titles':
    get:
      operationId: getUserTitles
@ -474,6 +480,39 @@ paths:
          description: Internal server error
 components:
  parameters:
+    accessToken:
+      name: access_token
+      in: cookie
+      required: true
+      schema:
+        type: string
+        format: jwt
+      example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x.y
+      description: |
+        JWT access token.
+    csrfToken:
+      name: XSRF-TOKEN
+      in: cookie
+      required: true
+      schema:
+        type: string
+        pattern: '^[a-zA-Z0-9_-]{32,64}$'
+      example: abc123def456ghi789jkl012mno345pqr
+      description: |
+        Anti-CSRF token (Double Submit Cookie pattern).
+        Stored in non-HttpOnly cookie, readable by JavaScript.
+        Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
+    csrfTokenHeader:
+      name: X-XSRF-TOKEN
+      in: header
+      required: true
+      schema:
+        type: string
+        pattern: '^[a-zA-Z0-9_-]{32,64}$'
+      description: |
+        Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
+        Required for all state-changing requests (POST/PUT/PATCH/DELETE).
+      example: abc123def456ghi789jkl012mno345pqr
    cursor:
      in: query
      name: cursor