Tetardtek/ClickerZ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: PKCE auth + CI/CD deploy
Some checks failed
CI/CD — Build & Deploy / Build & Deploy (push) Failing after 25s
Details

Browse Source 
- Frontend: PKCE flow (oauth.js, api.js centralized, cookie-based AuthContext)
- Backend: token introspection, cookies httpOnly, refresh endpoint
- Replaced localStorage JWT with httpOnly session cookies
- useSaveSync migrated to cookie auth
- cookie-parser added
- Gitea CI workflow (vps-runner pattern)
This commit is contained in:
Tetardtek
2026-03-24 13:01:15 +01:00
parent 39f683a31e
commit 91d1616dd7
15 changed files with 548 additions and 393 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
Backend/src/router.js
View File

@@ -2,18 +2,13 @@ const express = require("express");
const router = express.Router();
/* ************************************************************************* */
// Define Your API Routes Here
/* ************************************************************************* */
// Import Controllers
const userControllers = require("./controllers/userControllers");
const authControllers = require("./controllers/authControllers");
const saveControllers = require("./controllers/saveControllers");
const verifyToken = require("./middlewares/verifyToken");
const verifyOAuth = require("./middlewares/verifyOAuth");
// Vérifie que le token appartient au même utilisateur que :id
// Vérifie que le cookie session appartient au même utilisateur que :id
const verifySelf = (req, res, next) => {
if (String(req.user) !== String(req.params.id)) {
return res.status(403).json({ message: "Forbidden." });
@@ -21,11 +16,13 @@ const verifySelf = (req, res, next) => {
return next();
};
// Auth SuperOAuth
router.get("/auth/callback", authControllers.callback);
// Auth — PKCE flow (cookie-based)
router.post("/auth/session", authControllers.session);
router.post("/auth/refresh", authControllers.refresh);
router.get("/auth/me", authControllers.me);
router.post("/auth/logout", authControllers.logout);
// User management (auth locale — conservée pendant migration)
// User management
router.get("/users", verifyToken, userControllers.browse);
router.get("/users/:id", verifyToken, verifySelf, userControllers.read);
router.get("/users/:id/field", verifyToken, verifySelf, userControllers.read);
@@ -34,14 +31,11 @@ router.post("/users", userControllers.add);
router.delete("/users/:id", verifyToken, verifySelf, userControllers.destroy);
router.post("/login", userControllers.login);
// Sync game state — SuperOAuth uniquement
router.patch("/users/:id/coins", verifyOAuth, verifySelf, userControllers.updateCoins);
// Sync game state — cookie auth (was verifyOAuth, now same as verifyToken)
router.patch("/users/:id/coins", verifyToken, verifySelf, userControllers.updateCoins);
// Game saves — JWT required
// Game saves — cookie auth
router.get("/save", verifyToken, saveControllers.load);
router.post("/save", verifyToken, saveControllers.save);
/* ************************************************************************* */
module.exports = router;