Add `/api/auth/logout` endpoint and improve auth flow.

- Implemented `handleAuthLogout` to support user logout by clearing session cookies. - Improved `/api/auth/status` with authentication cookie validation for persistent login state. - Enhanced `App.jsx` to prevent UI flash during auth status checks and streamline logout flow. - Refined user profile handling and permission fetch logic for better reliability.
4 months ago · 82665444f4
2 changed files with 64 additions and 11 deletions
--- a/app/server.go
+++ b/app/server.go
@ -113,6 +113,7 @@ func (s *Server) UserInterface() {
				@@ -113,6 +113,7 @@ func (s *Server) UserInterface() {
 	s.mux.HandleFunc("/api/auth/challenge", s.handleAuthChallenge)
 	s.mux.HandleFunc("/api/auth/login", s.handleAuthLogin)
 	s.mux.HandleFunc("/api/auth/status", s.handleAuthStatus)
+	s.mux.HandleFunc("/api/auth/logout", s.handleAuthLogout)
 	s.mux.HandleFunc("/api/permissions/", s.handlePermissions)
 }

@ -206,7 +207,16 @@ func (s *Server) handleAuthLogin(w http.ResponseWriter, r *http.Request) {
				@@ -206,7 +207,16 @@ func (s *Server) handleAuthLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	
-	// Authentication successful
+	// Authentication successful: set a simple session cookie with the pubkey
+	cookie := &http.Cookie{
+		Name:     "orly_auth",
+		Value:    hex.Enc(evt.Pubkey),
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   60 * 60 * 24 * 30, // 30 days
+	}
+	http.SetCookie(w, cookie)
 	w.Write([]byte(`{"success": true, "pubkey": "` + hex.Enc(evt.Pubkey) + `", "message": "Authentication successful"}`))
 }

@ -218,9 +228,36 @@ func (s *Server) handleAuthStatus(w http.ResponseWriter, r *http.Request) {
				@@ -218,9 +228,36 @@ func (s *Server) handleAuthStatus(w http.ResponseWriter, r *http.Request) {
 	}

 	w.Header().Set("Content-Type", "application/json")
+	// Check for auth cookie
+	if c, err := r.Cookie("orly_auth"); err == nil && c.Value != "" {
+		// Validate pubkey format (hex)
+		if _, err := hex.Dec(c.Value); !chk.E(err) {
+			w.Write([]byte(`{"authenticated": true, "pubkey": "` + c.Value + `"}`))
+			return
+		}
+	}
 	w.Write([]byte(`{"authenticated": false}`))
 }

+// handleAuthLogout clears the auth cookie
+func (s *Server) handleAuthLogout(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	// Expire the cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "orly_auth",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	w.Header().Set("Content-Type", "application/json")
+	w.Write([]byte(`{"success": true}`))
+}
+
 // handlePermissions returns the permission level for a given pubkey
 func (s *Server) handlePermissions(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
--- a/app/web/src/App.jsx
+++ b/app/web/src/App.jsx
@ -6,9 +6,14 @@ function App() {
				@@ -6,9 +6,14 @@ function App() {
  const [statusType, setStatusType] = useState('info');
  const [profileData, setProfileData] = useState(null);

+  const [checkingAuth, setCheckingAuth] = useState(true);
+
  useEffect(() => {
    // Check authentication status on page load
-    checkStatus();
+    (async () => {
+      await checkStatus();
+      setCheckingAuth(false);
+    })();
  }, []);

  // Effect to fetch profile when user changes
@ -30,17 +35,20 @@ function App() {
				@@ -30,17 +35,20 @@ function App() {
    try {
      const response = await fetch('/api/auth/status');
      const data = await response.json();
-      if (data.authenticated) {
-        setUser(data.pubkey);
-        updateStatus(`Already authenticated as: ${data.pubkey.slice(0, 16)}...`, 'success');
-
-        // Check permissions if authenticated
-        if (data.pubkey) {
+      if (data.authenticated && data.pubkey) {
+        // Fetch permission first, then set user and profile
+        try {
          const permResponse = await fetch(`/api/permissions/${data.pubkey}`);
          const permData = await permResponse.json();
          if (permData && permData.permission) {
-            setUser({...data, permission: permData.permission});
+            const fullUser = { pubkey: data.pubkey, permission: permData.permission };
+            setUser(fullUser);
+            updateStatus(`Already authenticated as: ${data.pubkey.slice(0, 16)}...`, 'success');
+            // Fire and forget profile fetch
+            fetchUserProfile(data.pubkey);
          }
+        } catch (_) {
+          // ignore permission fetch errors
        }
      }
    } catch (error) {
@ -306,11 +314,19 @@ function App() {
				@@ -306,11 +314,19 @@ function App() {
    }
  }

-  function logout() {
+  async function logout() {
+    try {
+      await fetch('/api/auth/logout', { method: 'POST' });
+    } catch (_) {}
    setUser(null);
    updateStatus('Logged out', 'info');
  }

+  // Prevent UI flash: wait until we checked auth status
+  if (checkingAuth) {
+    return null;
+  }
+
  return (
    <>
      {user?.permission ? (