Commit Graph

2 Commits

Author SHA1 Message Date
kjh2064 317cd98713 wip: cookie-based auth with AllowAnonymous and absolute URIs
WBS-9.3 - NULL Policy CI Gate / NULL Policy Validation (push) Failing after 7s
Quant Engine CI/CD Pipeline / validate-core (push) Failing after 11s
Quant Engine CI/CD Pipeline / validate-ui-and-storage (push) Has been skipped
Deploy to Production / Build & Deploy to Production (push) Failing after 2m12s
Changes:
- Dashboard.razor: Add [AllowAnonymous] to allow page load before auth check
- CustomAuthenticationStateProvider: Use absolute URIs for HttpClient calls
- Fix JSON parsing: Use ReadAsStringAsync instead of ReadAsAsync
- Implement cookie-first auth strategy with localStorage fallback

Status: /dashboard still not loading after login
Issues to investigate:
- window.location.href redirect not working in Playwright
- Set-Cookie headers not appearing in responses
- JavaScript interop not available during static rendering

Next: Direct browser testing vs Playwright environment issue

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-07-06 01:55:12 +09:00
kjh2064 7b5d8d6f06 feat: implement server-side cookie-based authentication
- Add HTTP-only cookie setting in /api/auth/login endpoint
- Support both Bearer token and cookie auth in /api/auth/me
- Clear cookie on /api/auth/logout
- Handle admin:admin dev fallback with cookie support
- Update login.html to use 1 second redirect (cookie-based auth faster)

Cookie configuration:
- Name: quant_auth_token
- HttpOnly: true (prevents JavaScript access)
- Secure: based on HTTPS status
- SameSite: Lax (for localhost compatibility)
- Expires: 7 days

Status: Cookie auth framework complete, testing in progress

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-07-06 01:06:06 +09:00