Align authentication mechanism between API and web client #193

New Issue

jason.woltje · 2026-02-02T17:26:14Z

jason.woltje commented

2026-02-02 17:26:14 +00:00

Problem

API AuthGuard only accepts Bearer tokens, but web client sends cookies (credentials: "include") without attaching a bearer token. This causes 401 errors on all guarded routes.

Locations

apps/api/src/auth/auth.guard.ts:11 - Requires Authorization header
apps/web/lib/client.ts:31 - Sends credentials: "include"

Mismatch

// API expects
Authorization: Bearer <token>

// Web sends
Cookie: session=xxx

Impact

All authenticated API calls fail with 401
Web client cannot access protected resources
Mixed auth mechanisms create confusion
Missing CSRF protection if using cookies

Decision Required

Choose ONE auth mechanism:

Option A: Bearer tokens (recommended for API)
Option B: Session cookies (requires CSRF protection)

Acceptance Criteria

DECISION: Choose auth mechanism (Bearer or Cookies)
Update AuthGuard to accept chosen mechanism
Update web client to send correct auth
Add CSRF protection if using cookies
Update authentication documentation
Add tests for both API and web client auth
Verify all protected routes work

Option A: Bearer Tokens (Recommended)

// Web client
const token = await getAccessToken();
fetch(url, {
  headers: {
    'Authorization': `Bearer ${token}`,
  },
});

// API guard already supports this

Option B: Session Cookies

// API AuthGuard
const sessionId = req.cookies['session'];
if (!sessionId) throw new UnauthorizedException();

// Web client (no change needed)
fetch(url, { credentials: 'include' });

// MUST add CSRF protection

Testing

Test login flow end-to-end
Test protected routes accessible
Test token/session refresh
Test logout clears auth
Test concurrent sessions

References

External security review findings (2026-02-02)

## Problem API AuthGuard only accepts Bearer tokens, but web client sends cookies (credentials: "include") without attaching a bearer token. This causes 401 errors on all guarded routes. ## Locations - apps/api/src/auth/auth.guard.ts:11 - Requires Authorization header - apps/web/lib/client.ts:31 - Sends credentials: "include" ## Mismatch ```typescript // API expects Authorization: Bearer <token> // Web sends Cookie: session=xxx ``` ## Impact - All authenticated API calls fail with 401 - Web client cannot access protected resources - Mixed auth mechanisms create confusion - Missing CSRF protection if using cookies ## Decision Required Choose ONE auth mechanism: 1. **Option A: Bearer tokens** (recommended for API) 2. **Option B: Session cookies** (requires CSRF protection) ## Acceptance Criteria - [ ] **DECISION**: Choose auth mechanism (Bearer or Cookies) - [ ] Update AuthGuard to accept chosen mechanism - [ ] Update web client to send correct auth - [ ] Add CSRF protection if using cookies - [ ] Update authentication documentation - [ ] Add tests for both API and web client auth - [ ] Verify all protected routes work ## Option A: Bearer Tokens (Recommended) ```typescript // Web client const token = await getAccessToken(); fetch(url, { headers: { 'Authorization': `Bearer ${token}`, }, }); // API guard already supports this ``` ## Option B: Session Cookies ```typescript // API AuthGuard const sessionId = req.cookies['session']; if (!sessionId) throw new UnauthorizedException(); // Web client (no change needed) fetch(url, { credentials: 'include' }); // MUST add CSRF protection ``` ## Testing - [ ] Test login flow end-to-end - [ ] Test protected routes accessible - [ ] Test token/session refresh - [ ] Test logout clears auth - [ ] Test concurrent sessions ## References External security review findings (2026-02-02)

jason.woltje added the web auth api api p1 labels 2026-02-02 17:26:14 +00:00

jason.woltje added this to the M7.1-Remediation (0.0.8) milestone 2026-02-03 22:31:44 +00:00

jason.woltje referenced this issue from a commit

2026-02-04 04:30:07 +00:00

feat(#193): Align authentication mechanism between API and web client

jason.woltje closed this issue

2026-02-04 04:30:28 +00:00

Sign in to join this conversation.

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#193