A social knowledge tool for researchers built on ATProto

Revert "The changes look good! These modifications will help handle the Safari iOS PWA cookie issue while keeping `scope: '/'`."

This reverts commit 89d51b600b6ad4ececa052c88552ca1e227e92c6.

+7 -81
+5 -6
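--- a/src/webapp/hooks/useAuth.tsx
+++ b/src/webapp/hooks/useAuth.tsx
@@ -49,11 +49,10 @@
     // Give it time for cookies to be properly set
     if (query.isError && !query.isLoading && pathname !== '/') {
       // Add a small delay for Safari iOS cookie handling
-      const isSafariIOS =
-        /iPad|iPhone|iPod/.test(navigator.userAgent) &&
-        /Safari/.test(navigator.userAgent) &&
-        !/Chrome/.test(navigator.userAgent);
-
+      const isSafariIOS = /iPad|iPhone|iPod/.test(navigator.userAgent) &&
+        /Safari/.test(navigator.userAgent) &&
+        !/Chrome/.test(navigator.userAgent);
+
       if (isSafariIOS) {
         setTimeout(() => {
           // Re-check auth status before logging out
@@ -62,7 +61,7 @@
             logout();
           }
         });
-        }, 2000); // Increase to 2 seconds for PWA context
+        }, 1000);
       } else {
         logout();
       }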
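Review bot: The handle returned by `setTimeout(...)` on the new side of useAuth.tsx is never stored or cleared, so the deferred `logout()` can still fire after the component unmounts or `pathname` changes, and it fires even if a later successful query has since established the session; the enclosing function starts and ends outside the hunk, so I cannot see whether this sits in an effect with a cleanup. If it does, keep the handle with `const logoutTimer = setTimeout(() => { ... }, 1000);` and `return () => clearTimeout(logoutTimer);` so a route change or re-render cancels the pending forced logout. The revert also replaces the commented `2000` with a bare `1000`; a named constant such as `const SAFARI_IOS_COOKIE_SETTLE_MS = 1000; // cookies may not be sent yet right after a PWA launch` would keep the reason next to the value. Note as well that `!/Chrome/.test(navigator.userAgent)` does not exclude Chrome on iOS, whose user agent carries `CriOS` rather than `Chrome`, so the delay applies there too — harmless, but the comment should not describe this as Safari-only.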
-4
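--- a/src/webapp/lib/auth/dal.ts
+++ b/src/webapp/lib/auth/dal.ts
@@ -1,6 +1,5 @@
 import type { GetProfileResponse } from '@/api-client/ApiClient';
 import { cache } from 'react';
-import { isPWA } from './pwa-cookie-handler';
 
 const appUrl = process.env.NEXT_PUBLIC_APP_URL || 'http://127.0.0.1:4000';
 
@@ -21,9 +20,6 @@
   const response = await fetch(`${appUrl}/api/auth/me`, {
     method: 'GET',
     credentials: 'include', // HttpOnly cookies sent automatically
-    headers: {
-      'X-PWA-Context': isPWA() ? 'true' : 'false',
-    },
   });
 
   if (!response.ok) {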
+2 -38
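--- a/src/webapp/services/auth/CookieAuthService.client.ts
+++ b/src/webapp/services/auth/CookieAuthService.client.ts
@@ -1,36 +1,16 @@
-import {
-  isPWA,
-  getCookieForPWA,
-  setCookieForPWA,
-} from '@/lib/auth/pwa-cookie-handler';
-
 const appUrl = process.env.NEXT_PUBLIC_APP_URL || 'http://127.0.0.1:4000';
 
 export class ClientCookieAuthService {
-  // Note: With HttpOnly cookies, we cannot read tokens from document.cookie in regular browser
-  // But in PWA context, we may need to handle cookies differently
+  // Note: With HttpOnly cookies, we cannot read tokens from document.cookie
+  // The browser automatically sends cookies with requests using credentials: 'include'
   // All auth logic (checking status, refreshing tokens) is handled by /api/auth/me endpoint
 
-  // Check if we have any auth indicators (for PWA context)
-  static hasAuthIndicators(): boolean {
-    if (isPWA()) {
-      return !!(
-        getCookieForPWA('accessToken') || getCookieForPWA('refreshToken')
-      );
-    }
-    // In regular browser, we can't check HttpOnly cookies
-    return true; // Let the server-side check handle it
-  }
-
   // Clear cookies via API (logout)
   static async clearTokens(): Promise<void> {
     try {
       const response = await fetch(`${appUrl}/api/auth/logout`, {
         method: 'POST',
         credentials: 'include',
-        headers: {
-          'X-PWA-Context': isPWA() ? 'true' : 'false',
-        },
       });
 
       if (!response.ok) {
@@ -38,25 +18,9 @@
           'Logout API call failed, but continuing with client-side logout',
         );
       }
-
-      // In PWA context, also clear any client-side cookies
-      if (isPWA()) {
-        document.cookie =
-          'accessToken=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure; samesite=lax';
-        document.cookie =
-          'refreshToken=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure; samesite=lax';
-      }
     } catch (error) {
       console.error('Logout API call failed:', error);
       // Don't throw - we still want to clear the UI state
-
-      // Still try to clear PWA cookies on error
-      if (isPWA()) {
-        document.cookie =
-          'accessToken=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure; samesite=lax';
-        document.cookie =
-          'refreshToken=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure; samesite=lax';
-      }
     }
   }
 }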
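Review bot: `clearTokens()` on the new side resolves normally both when `/api/auth/logout` returns non-ok and when `fetch` throws, so the caller that clears UI state cannot tell that the HttpOnly session cookies — and whatever server-side session they back — may still be valid; the new class comment explains that cookies cannot be read from `document.cookie`, but nothing records that a failure here means "not logged out on the server". Add a TSDoc on `clearTokens` making the contract explicit: `/** Best-effort server-side logout. Resolves even when the request fails; the HttpOnly cookies are then still set and only UI state gets cleared. */`. If callers need to react (retry, or warn the user that the session may still be active), returning `Promise<boolean>` with `return response.ok;` after the warning and `return false;` in the catch is backward-compatible for callers that ignore the result.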