fix: cookie setting by only setting on admin routes

2026-03-16 04:27:21 +00:00 · 2025-06-03 13:04:03 +02:00
parent 50cadbaa8e
commit 15a9c549e7
6 changed files with 270 additions and 59 deletions
--- a/app/package.json
+++ b/app/package.json
@@ -3,7 +3,7 @@
  "type": "module",
  "sideEffects": false,
  "bin": "./dist/cli/index.js",
-  "version": "0.13.1-rc.0",
+  "version": "0.13.1-rc.1",
  "description": "Lightweight Firebase/Supabase alternative built to run anywhere — incl. Next.js, React Router, Astro, Cloudflare, Bun, Node, AWS Lambda & more.",
  "homepage": "https://bknd.io",
  "repository": {
@@ -65,6 +65,7 @@
    "json-schema-library": "10.0.0-rc7",
    "json-schema-to-ts": "^3.1.1",
    "kysely": "^0.27.6",
+    "hono": "^4.7.11",
    "lodash-es": "^4.17.21",
    "oauth4webapi": "^2.11.1",
    "object-path-immutable": "^4.1.2",
@@ -72,12 +73,11 @@
    "swr": "^2.3.3"
  },
  "devDependencies": {
-    "hono": "4.7.6",
    "@aws-sdk/client-s3": "^3.758.0",
    "@bluwy/giget-core": "^0.1.2",
    "@dagrejs/dagre": "^1.1.4",
-    "@hono/typebox-validator": "^0.3.2",
-    "@hono/vite-dev-server": "^0.19.0",
+    "@hono/typebox-validator": "^0.3.3",
+    "@hono/vite-dev-server": "^0.19.1",
    "@hookform/resolvers": "^4.1.3",
    "@libsql/kysely-libsql": "^0.4.1",
    "@mantine/modals": "^7.17.1",
@@ -120,13 +120,13 @@
    "tsc-alias": "^1.8.11",
    "tsup": "^8.4.0",
    "tsx": "^4.19.3",
-    "vite": "^6.2.1",
+    "vite": "^6.3.5",
    "vite-tsconfig-paths": "^5.1.4",
    "vitest": "^3.0.9",
    "wouter": "^3.6.0"
  },
  "optionalDependencies": {
-    "@hono/node-server": "^1.13.8"
+    "@hono/node-server": "^1.14.3"
  },
  "peerDependencies": {
    "react": ">=19",
--- a/app/src/auth/api/AuthController.ts
+++ b/app/src/auth/api/AuthController.ts
@@ -121,6 +121,7 @@ export class AuthController extends Controller {
            const claims = c.get("auth")?.user;
            if (claims) {
               const { data: user } = await this.userRepo.findId(claims.id);
+               await this.auth.authenticator?.requestCookieRefresh(c);
               return c.json({ user });
            }

--- a/app/src/auth/middlewares.ts
+++ b/app/src/auth/middlewares.ts
@@ -60,11 +60,7 @@ export const auth = (options?: {
      }

      await next();
-
-      if (!skipped) {
-         // renew cookie if applicable
-         authenticator?.requestCookieRefresh(c);
-      }
+      // @todo: potentially add cookie refresh if content-type html and about to expire

      // release
      authCtx.skip = false;
--- a/app/src/modules/server/AdminController.tsx
+++ b/app/src/modules/server/AdminController.tsx
@@ -83,22 +83,45 @@ export class AdminController extends Controller {
         logout: this.withAdminBasePath("/auth/logout"),
      };

-      hono.use("*", async (c, next) => {
-         const obj = {
-            user: c.get("auth")?.user,
-            logout_route: authRoutes.logout,
-            admin_basepath: this.options.adminBasepath,
-         };
-         const html = await this.getHtml(obj);
-         if (!html) {
-            console.warn("Couldn't generate HTML for admin UI");
-            // re-casting to void as a return is not required
-            return c.notFound() as unknown as void;
-         }
-         c.set("html", html);
+      const paths = ["/", "/data/*", "/auth/*", "/media/*", "/flows/*", "/settings/*"];
+      if (isDebug()) {
+         paths.push("/test/*");
+      }

-         await next();
-      });
+      for (const path of paths) {
+         hono.get(
+            path,
+            permission(SystemPermissions.accessAdmin, {
+               onDenied: async (c) => {
+                  addFlashMessage(c, "You are not authorized to access the Admin UI", "error");
+
+                  $console.log("redirecting");
+                  return c.redirect(authRoutes.login);
+               },
+            }),
+            permission(SystemPermissions.schemaRead, {
+               onDenied: async (c) => {
+                  addFlashMessage(c, "You not allowed to read the schema", "warning");
+               },
+            }),
+            async (c) => {
+               const obj = {
+                  user: c.get("auth")?.user,
+                  logout_route: authRoutes.logout,
+                  admin_basepath: this.options.adminBasepath,
+               };
+               const html = await this.getHtml(obj);
+               if (!html) {
+                  console.warn("Couldn't generate HTML for admin UI");
+                  // re-casting to void as a return is not required
+                  return c.notFound() as unknown as void;
+               }
+
+               await auth.authenticator?.requestCookieRefresh(c);
+               return c.html(html);
+            },
+         );
+      }

      if (auth_enabled) {
         const redirectRouteParams = [
@@ -126,27 +149,6 @@ export class AdminController extends Controller {
         });
      }

-      // @todo: only load known paths
-      hono.get(
-         "/*",
-         permission(SystemPermissions.accessAdmin, {
-            onDenied: async (c) => {
-               addFlashMessage(c, "You are not authorized to access the Admin UI", "error");
-
-               $console.log("redirecting");
-               return c.redirect(authRoutes.login);
-            },
-         }),
-         permission(SystemPermissions.schemaRead, {
-            onDenied: async (c) => {
-               addFlashMessage(c, "You not allowed to read the schema", "warning");
-            },
-         }),
-         async (c) => {
-            return c.html(c.get("html")!);
-         },
-      );
-
      return hono;
   }

--- a/app/src/modules/server/SystemController.ts
+++ b/app/src/modules/server/SystemController.ts
@@ -331,6 +331,6 @@ export class SystemController extends Controller {
      );
      hono.get("/swagger", swaggerUI({ url: "/api/system/openapi.json" }));

-      return hono.all("*", (c) => c.notFound());
+      return hono;
   }
 }