Summary: I have a web service with Quarkus (JAX-RS) and Vue.js. I validate Basic Authentication and then create an encrypted httpOnly cookie...
When I receive a new request I cannot check whether this cookie is httpOnly, because what is returned is not a javax.ws.rs.core.NewCookie but a javax.ws.rs.core.Cookie:
import javax.ws.rs.container.ContainerRequestContext
import javax.ws.rs.container.ContainerRequestFilter
import javax.ws.rs.container.ContainerResponseContext
import javax.ws.rs.container.ContainerResponseFilter
import javax.ws.rs.core.HttpHeaders
import javax.ws.rs.core.NewCookie
import javax.ws.rs.core.Response
import javax.ws.rs.ext.Provider

@Provider
open class RequestSecurity : ContainerRequestFilter {
    // [...]
    override fun filter(requestContext: ContainerRequestContext) {
        // [...]
        if (requestContext.uriInfo.path != "/login") {
            // requestContext.cookies holds javax.ws.rs.core.Cookie objects (name/value only), not NewCookie
            val cookie = requestContext.cookies[cookieSuffix] // my problem is here
            if (!cookie.isHttpOnly) {
                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build())
                return
            }
        } else {
            // Login succeeded: build the session cookie (path "/", Max-Age 3600, not Secure, HttpOnly)
            val cookie = NewCookie(
                cookieSuffix,
                encrypt(),
                "/",
                null,
                null,
                3600,
                false,
                true
            )
            requestContext.setProperty("cookieCriptografado", cookie)
        }
    }
}

@Provider
class ResponseSecurity : ContainerResponseFilter {
    override fun filter(requestContext: ContainerRequestContext?, responseContext: ContainerResponseContext?) {
        // Emit the cookie created by the request filter as a Set-Cookie header
        val cookieProperty = requestContext?.getProperty("cookieCriptografado")
        if (cookieProperty != null && cookieProperty is NewCookie) {
            responseContext?.headers?.add(HttpHeaders.SET_COOKIE, cookieProperty)
        }
    }
}
Requests on the Vue.js side (Vuex actions):
doLogin({ commit }, loginData) {
    commit('cleanError');
    commit('loginStart');
    // Basic Authentication; withCredentials lets the browser store the cookie set by the response
    axios({
        url: urlLogin,
        method: 'POST',
        withCredentials: true,
        auth: loginData
    })
    .then(response => {
        const user = response.data;
        commit('loginStop');
        commit('updateUser', user);
        localStorage.setItem('user', JSON.stringify(user));
        router.push('/');
    })
    .catch(error => {
        let message;
        if (error.message.includes('401')) {
            message = 'Erro na busca dos dados.';
        }
        commit('loginStop', message);
    });
},
doVerifyUser({ commit }, next) {
    commit('verifyUserStart');
    // withCredentials sends the session cookie back with the request
    axios({
        url: urlCheck,
        method: 'GET',
        withCredentials: true
    })
    .then(_ => {
        let user = JSON.parse(localStorage.getItem('user'));
        if (user) {
            commit('verifyUserStop');
            commit('updateUser', user);
            next();
        } else {
            next('/login');
        }
    })
    .catch(_ => {
        commit('verifyUserStop');
        next('/login');
    });
}
Response headers:
[Content-Type=application/json,Set-Cookie=QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==";Version=1;Path=/;Max-Age=3600;HttpOnly]
Request headers:
[Accept=application/json, text/plain, */*,Accept-Encoding=gzip, deflate,Accept-Language=pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,Connection=keep-alive,Cookie=QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==",Host=10.0.11.68:8080,Origin=http://localhost:8081,Referer=http://localhost:8081/,User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36]
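The two header lines above show the root cause: cookie attributes such as HttpOnly, Path and Max-Age travel only in the server's Set-Cookie header; the browser returns just name=value. The following is an added example, not code from the question, that parses those two header values with the Python standard library and shows an authorization check based on the cookie value instead of a flag (the `issued_value` argument is an assumption standing in for whatever the server can recompute or look up for the session it created, since the question's encrypt() is not shown).

```python
"""Why a JAX-RS request filter cannot see HttpOnly on an incoming cookie."""
import hmac
from http.cookies import SimpleCookie

# Header values as quoted in the question; the session value is opaque here.
SET_COOKIE = 'QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==";Version=1;Path=/;Max-Age=3600;HttpOnly'
REQUEST_COOKIE = 'QKSESSION="1sCF7zOIQXw3wDoRg90oaQ=="'
COOKIE_NAME = "QKSESSION"


def cookie_attributes(header_value: str, name: str = COOKIE_NAME) -> dict:
    """Parse one cookie header value; report its value and which attributes are present."""
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar[name]
    return {
        "value": morsel.value,
        "httponly": bool(morsel["httponly"]),  # True only for the Set-Cookie direction
        "path": morsel["path"] or None,
        "max_age": morsel["max-age"] or None,
    }


def authorize(request_cookie_header: str, issued_value: str, name: str = COOKIE_NAME) -> bool:
    """Server-side check to run in the filter instead of `isHttpOnly`.

    issued_value (assumed) is what the server itself knows for the session it created.
    Constant-time comparison avoids leaking the value through timing.
    """
    jar = SimpleCookie()
    jar.load(request_cookie_header)
    if name not in jar:
        return False  # no session cookie at all -> respond 401
    return hmac.compare_digest(jar[name].value, issued_value)


if __name__ == "__main__":
    print("Set-Cookie :", cookie_attributes(SET_COOKIE))
    print("Cookie     :", cookie_attributes(REQUEST_COOKIE))
    print("authorized :", authorize(REQUEST_COOKIE, "1sCF7zOIQXw3wDoRg90oaQ=="))
```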
Normal cookies are not stored on the back end but on the front end, so with document.cookie (JavaScript and Vue) you will already know whether it is stored; now, if it is a session cookie (also a cookie), you will have to test it in a request. – Guilherme Nascimento
Yes Guilherme, cookies are stored on the front end, but when you add httpOnly, JavaScript does not have access to the cookie... – Carlos Hochsprung
Carlos, any future HTTP request will send such a cookie in the request headers; then you check it with another server-side request, no? – Guilherme Nascimento
Yes, as I asked in the question (request header)... this would be a request that returns the cookie... but it does not tell me whether the cookie is httpOnly. – Carlos Hochsprung
But that's what I'm talking about: it's for you to print the server-side cookie and return it as the BODY of an HTTP response. – Guilherme Nascimento