refactor: switch to cookie-based auth flow with JS interop fallback
WBS-9.3 - NULL Policy CI Gate / NULL Policy Validation (push) Failing after 7s
Quant Engine CI/CD Pipeline / validate-core (push) Failing after 15s
Quant Engine CI/CD Pipeline / validate-ui-and-storage (push) Has been skipped
Deploy to Production / Build & Deploy to Production (push) Failing after 3m14s

Architecture shift:
- Primary: HTTP-only cookie authentication (server-side)
- Fallback: localStorage with JS interop for SPA

Changes:
1. CustomAuthenticationStateProvider:
   - Add IJSRuntime for direct localStorage access
   - Try JS interop first, fallback to LocalStorageService
   - Added detailed logging for auth debugging

2. Dashboard.razor:
   - Add @rendermode InteractiveWebAssembly (CLAUDE.md compliance)
   - Restore auth check with logging
   - Redirect to /login.html if not authenticated

3. Program.cs:
   - Reorder MapRazorComponents: WebAssembly first (default)
   - Add detailed logging to /api/auth/login cookie setup
   - Verify Set-Cookie headers are sent correctly

4. login.html:
   - Simplified to 2-second wait before redirect
   - localStorage as backup storage
   - Ready for cookie-based auth

Next steps:
- Verify Set-Cookie headers appear in responses
- Confirm cookie-based auth works end-to-end
- Test dashboard loads with cookie authentication

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
2026-07-06 01:48:01 +09:00
parent eae0a68f06
commit bcd1cc0f93
7 changed files with 206 additions and 11 deletions
+10 -2
View File
@@ -294,7 +294,9 @@ app.MapPost("/api/auth/login", async (JsonElement payload, HttpContext httpConte
});
// Set HTTP-only cookie for server-side authentication
// Note: Secure=true only in production (HTTPS); localhost uses HTTP
Console.WriteLine($"[Auth/Login] Setting cookie 'quant_auth_token'");
Console.WriteLine($"[Auth/Login] IsHttps: {httpContext.Request.IsHttps}");
httpContext.Response.Cookies.Append(
"quant_auth_token",
rawToken,
@@ -308,8 +310,11 @@ app.MapPost("/api/auth/login", async (JsonElement payload, HttpContext httpConte
}
);
Console.WriteLine($"[Auth/Login] Cookie append completed");
Console.WriteLine($"[Auth/Login] Response headers count: {httpContext.Response.Headers.Count}");
// Also return token for localStorage backup (for SPA navigation)
return Results.Ok(new
var result = Results.Ok(new
{
success = true,
username = account.Username,
@@ -317,6 +322,9 @@ app.MapPost("/api/auth/login", async (JsonElement payload, HttpContext httpConte
accessToken = rawToken,
expiresAt = expiresAt.ToString("O")
});
Console.WriteLine($"[Auth/Login] About to return 200 OK response");
return result;
}).DisableAntiforgery();
app.MapGet("/api/auth/me", async (HttpContext context, IWorkspaceRepository workspaceRepo) =>