feat: update authentication to use http only cookies for token management

Author: FarhanSaleh

app/middlewares/auth_middleware.go

@@ -17,17 +17,38 @@ func (m *Middleware) AuthMiddleware(allowedRole string) domain.MiddlewareFunc {
 			ctx, span := tracer.Start(request.Context(), "auth middleware")
 			defer span.End()
 
-			token := utils.ExtractBearerToken(request)
-			if len(*token) < 5 {
-				ngelog.Error(ctx, "failed to extract bearer token", nil)
-				utils.Response(domain.HttpResponse{
-					Code:    401,
-					Message: "Unauthorized",
-					Data:    nil,
-				}, writer)
-				return
-			}
+			// token := utils.ExtractBearerToken(request)
+			// if len(*token) < 5 {
+			// 	ngelog.Error(ctx, "failed to extract bearer token", nil)
+			// 	utils.Response(domain.HttpResponse{
+			// 		Code:    401,
+			// 		Message: "Unauthorized",
+			// 		Data:    nil,
+			// 	}, writer)
+			// 	return
+			// }
 
+			tokenRaw, err := request.Cookie("token")
+			if err != nil {
+				if err == http.ErrNoCookie {
+					ngelog.Error(ctx, "failed to get token from cookie", nil)
+					utils.Response(domain.HttpResponse{
+						Code:    401,
+						Message: "Unauthorized",
+						Data:    nil,
+					}, writer)
+					return
+				} else {
+					utils.Response(domain.HttpResponse{
+						Code:    401,
+						Message: "Unauthorized",
+						Data:    nil,
+					}, writer)
+					return
+				}
+			}
+			token := &tokenRaw.Value
+			
 			verifyToken, err := m.Jwt.VerifyToken(*token)
 			if err != nil {
 				ngelog.Error(ctx, "failed to verify token", err)

app/users/delivery/http/login_users.go

@@ -4,7 +4,9 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"time"
 
+	"github.com/hammer-code/lms-be/config"
 	"github.com/hammer-code/lms-be/domain"
 	"github.com/hammer-code/lms-be/utils"
 )
@@ -42,6 +44,20 @@ func (h Handler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	expiredTime := time.Now().Local().Add(time.Duration(60) * time.Minute)
+
+	cookie := http.Cookie{
+		Name:    "token",
+		Value:   token,
+		Expires: expiredTime,
+		Path:    "/",
+		HttpOnly: true,
+		Secure:   config.GetConfig().APP_ENV != "development",
+	}
+
+	// Atur cookie pada response writer.
+	http.SetCookie(w, &cookie)
+
 	utils.Response(domain.HttpResponse{
 		Code:    200,
 		Message: "Login successfully",

app/users/delivery/http/logout_users.go

@@ -1,9 +1,13 @@
 package http
 
 import (
+	"net/http"
+	"time"
+
+	"github.com/hammer-code/lms-be/config"
 	"github.com/hammer-code/lms-be/domain"
+	"github.com/hammer-code/lms-be/pkg/ngelog"
 	"github.com/hammer-code/lms-be/utils"
-	"net/http"
 )
 
 // Logout
@@ -18,14 +22,47 @@ import (
 // @Failure 200 {object} domain.HttpResponse
 // @Router /api/v1/auth/logout [post]
 func (h Handler) Logout(w http.ResponseWriter, r *http.Request) {
-	token := utils.ExtractBearerToken(r)
+	// token := utils.ExtractBearerToken(r)
 
-	err := h.usecase.Logout(r.Context(), *token)
+	tokenRaw, err := r.Cookie("token")
+	if err != nil {
+		if err == http.ErrNoCookie {
+			ngelog.Error(r.Context(), "failed to get token from cookie", nil)
+			utils.Response(domain.HttpResponse{
+				Code:    401,
+				Message: "Unauthorized",
+				Data:    nil,
+			}, w)
+			return
+		} else {
+			utils.Response(domain.HttpResponse{
+				Code:    401,
+				Message: "Unauthorized",
+				Data:    nil,
+			}, w)
+			return
+		}
+	}
+	token := &tokenRaw.Value
+	
+	err = h.usecase.Logout(r.Context(), *token)
 	if err != nil {
 		resp := utils.CustomErrorResponse(err)
 		utils.Response(resp, w)
 		return
 	}
+	
+	expiredTime := time.Now().Local().Add(time.Duration(0) * time.Minute)
+	cookie := http.Cookie{
+		Name:    "token",
+		Value:   "",
+		Expires: expiredTime,
+		Path:    "/",
+		HttpOnly: true,
+		Secure:   config.GetConfig().APP_ENV != "development",
+	}
+
+	http.SetCookie(w, &cookie)
 
 	utils.Response(domain.HttpResponse{
 		Code:    200,

config/config.go

@@ -48,7 +48,7 @@ func GetConfig() Config {
 
 	if c == nil {
 		// default cors
-		origins := []string{"*"}
+		origins := []string{"http://localhost:3000", "https://stg.hammercode.org", "https://hammercode.org"}
 		methods := []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
 		headers := []string{"Accept", "Authorization", "Content-Type"}