This repository was archived by the owner on Oct 22, 2025. It is now read-only.
feat: implement access and refresh token handling in authentication flow #31
Merged
HermanPlay merged 1 commit into develop, Jul 22, 2025
Conversation
Pull Request Overview
This pull request implements a token-based authentication system to replace the session-based approach. Key changes include updating the authentication flow (in hooks and middleware) to validate and refresh tokens, refactoring API calls to include bearer tokens in request headers, and adjusting data structures and constants for access and refresh tokens.
Reviewed Changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/routes/dashboard/users/[userId]/+page.server.ts | Replaces session references with access tokens in API calls |
| src/routes/dashboard/users/+page.server.ts | Updates API header to use bearer tokens |
| src/routes/dashboard/tasks/new/+page.server.ts | Updates API header to use bearer tokens in task creation actions |
| src/routes/dashboard/tasks/[taskId]/submissions/+page.server.ts | Uses bearer token for submission API calls |
| src/routes/dashboard/tasks/[taskId]/+page.server.ts | Updates API calls and fixes the query param typo for task description |
| src/routes/dashboard/tasks/[taskId]/+layout.server.ts | Uses bearer tokens for task detail fetching |
| src/routes/dashboard/tasks/+page.server.ts | Updates bearer token usage in API calls |
| src/routes/dashboard/groups/[groupId]/+page.server.ts | Updates API header to use bearer tokens in group details fetching |
| src/routes/dashboard/groups/+page.server.ts | Uses bearer tokens in group list loading |
| src/routes/dashboard/+page.server.ts | Refactors logout action and token cookie management |
| src/routes/auth/+page.server.ts | Handles setting access and refresh token cookies on user authentication |
| src/lib/server/utils.ts | Adds refreshTokens function and updates cookie name constants |
| src/lib/backendSchemas.ts | Updates interface definitions to include access and refresh token fields |
| src/hooks.server.ts | Implements token validation with refresh logic and cookie management |
| path: '/', | ||
| sameSite: 'lax', | ||
| httpOnly: true, | ||
| expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days |
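Review bot: the cookie options visible here (path, sameSite, httpOnly, expires) carry no `secure` flag. SvelteKit's `cookies.set` defaults `secure` to true except on localhost, so this is only safe as long as the project relies on that default; setting `secure: true` explicitly alongside `httpOnly: true` makes the intent reviewable and keeps the refresh token off plain HTTP if these options are ever reused with another setter. `sameSite: 'lax'` is the right choice for a cookie that the server hook exchanges on the user's behalf: lax cookies are withheld from cross-site POSTs, which also limits CSRF against the form actions.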
[nitpick] Consider using a backend-provided refresh token expiration value if available instead of hardcoding the 7-day period, to allow for flexibility in token lifetimes.
Suggested change
| expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days | |
| expires: refreshResponse.data.refreshExpiresAt | |
| ? new Date(refreshResponse.data.refreshExpiresAt) | |
| : new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // Fallback to 7 days |
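Review bot: `new Date(refreshResponse.data.refreshExpiresAt)` is handed straight to `expires`; a malformed value from the backend yields an Invalid Date (serialised as a broken Expires attribute) and a value in the past sets an already-expired cookie, so check the parsed time (`Number.isNaN(d.getTime())` and `d.getTime() > Date.now()`) before preferring it over the 7-day fallback. `refreshExpiresAt` must also be declared on `AuthRefreshResponse` in `src/lib/backendSchemas.ts` (the new refresh response interface listed in this PR), or the property access will not type-check, and it is only as trustworthy as the backend actually populating it.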
This pull request introduces a significant refactor to the authentication system, replacing the use of session-based cookies with access and refresh tokens for improved security and scalability. The changes primarily focus on updating authentication flows, token management, and API request headers across the application.
Authentication System Refactor
- Replaced `SESSION_COOKIE_NAME` with `ACCESS_TOKEN_COOKIE_NAME` and `REFRESH_TOKEN_COOKIE_NAME`. Added logic to handle token refresh and validation, ensuring tokens are updated and invalidated as needed (`src/hooks.server.ts`). [1] [2]
- Added `refreshTokens` to handle token refresh requests to the backend (`src/lib/server/utils.ts`).
- Updated `AuthUserResponse` to include `accessToken`, `refreshToken`, and `expiresAt`. Added a new `AuthRefreshResponse` interface for token refresh responses (`src/lib/backendSchemas.ts`).
API Request Header Updates
- Updated API request headers to `Authorization: Bearer <accessToken>` across all API requests in multiple routes, ensuring compatibility with the new token-based system. [1] [2] [3] (`src/routes/dashboard/tasks/[taskId]/+page.server.ts` L38-R44, `src/routes/dashboard/users/[userId]/+page.server.ts` L106-R106)
Token Management in Routes
- Updated access and refresh token cookie handling on authentication and logout (`src/routes/auth/+page.server.ts`, `src/routes/dashboard/+page.server.ts`). [1] [2]
- Uses `accessToken` instead of `sessionId` (`src/hooks.server.ts`).
Miscellaneous Fixes
- Fixed the query param typo `taskId` to `taskID` in the task description fetch request (`src/routes/dashboard/tasks/[taskId]/+page.server.ts` L25-R25).
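The per-request flow the description above summarises (validate the access token, fall back to the refresh token, rewrite both cookies, clear them when the refresh is rejected), written out as an added example rather than the project's own `hooks.server.ts`. The cookie names, the `Backend` interface, the optional `refreshExpiresAt` field, the 15-minute access-token fallback and the in-memory fake backend are all assumptions made for the example; in the real hook the two backend calls would be `fetch` requests and the `set`/`clear` lists would be applied through SvelteKit's `event.cookies`.

```typescript
// Added example, not the project's code: validate-then-refresh logic for a
// server hook, dependency-free so it runs against an in-memory fake backend.

export const ACCESS_TOKEN_COOKIE_NAME = 'access_token';   // assumed cookie names
export const REFRESH_TOKEN_COOKIE_NAME = 'refresh_token';
const ACCESS_FALLBACK_MS = 15 * 60 * 1000;                // assumed access lifetime
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;            // refresh fallback from the PR

export interface AuthUser { id: string; name: string }

export interface AuthRefreshResponse {
  accessToken: string;
  refreshToken: string;
  expiresAt: string;          // access token expiry, ISO 8601
  refreshExpiresAt?: string;  // assumed: backend-provided refresh expiry, if any
}

// Synchronous here so the example is testable offline; in production both are fetch() calls.
export interface Backend {
  validate(accessToken: string): AuthUser | null;
  refresh(refreshToken: string): AuthRefreshResponse | null;
}

export interface CookieOptions {
  path: string; httpOnly: boolean; secure: boolean; sameSite: 'lax' | 'strict'; expires: Date;
}
export interface SetCookie { name: string; value: string; options: CookieOptions }
export interface SessionResult { user: AuthUser | null; set: SetCookie[]; clear: string[] }

// Prefer the backend expiry only when it parses and lies in the future; a
// malformed value would otherwise become an Invalid Date in the Expires attribute.
export function cookieExpiry(iso: string | undefined, fallbackMs: number, now: Date): Date {
  if (iso) {
    const t = new Date(iso).getTime();
    if (!Number.isNaN(t) && t > now.getTime()) return new Date(t);
  }
  return new Date(now.getTime() + fallbackMs);
}

function tokenCookie(name: string, value: string, expires: Date): SetCookie {
  // httpOnly keeps the tokens away from page scripts; secure is set explicitly
  // rather than relying on a framework default; lax blocks cross-site POSTs.
  return { name, value, options: { path: '/', httpOnly: true, secure: true, sameSite: 'lax', expires } };
}

export function authHeaders(accessToken: string): Record<string, string> {
  return { Authorization: `Bearer ${accessToken}` };
}

export function resolveSession(cookies: Map<string, string>, backend: Backend, now: Date = new Date()): SessionResult {
  const access = cookies.get(ACCESS_TOKEN_COOKIE_NAME);
  const refresh = cookies.get(REFRESH_TOKEN_COOKIE_NAME);

  if (access) {
    const user = backend.validate(access);
    if (user) return { user, set: [], clear: [] };      // fast path: access token still good
  }
  if (!refresh) {
    return { user: null, set: [], clear: access ? [ACCESS_TOKEN_COOKIE_NAME] : [] };
  }
  const refreshed = backend.refresh(refresh);
  if (!refreshed) {
    // Refresh rejected (expired, revoked or already used): drop both cookies so
    // the browser stops presenting dead credentials on every request.
    return { user: null, set: [], clear: [ACCESS_TOKEN_COOKIE_NAME, REFRESH_TOKEN_COOKIE_NAME] };
  }
  const set = [
    tokenCookie(ACCESS_TOKEN_COOKIE_NAME, refreshed.accessToken, cookieExpiry(refreshed.expiresAt, ACCESS_FALLBACK_MS, now)),
    tokenCookie(REFRESH_TOKEN_COOKIE_NAME, refreshed.refreshToken, cookieExpiry(refreshed.refreshExpiresAt, SEVEN_DAYS_MS, now)),
  ];
  return { user: backend.validate(refreshed.accessToken), set, clear: [] };
}

// Constructed in-memory backend: one valid access token, one single-use refresh
// token that rotates, and a deliberately malformed refreshExpiresAt to hit the fallback.
export function fakeBackend(now: Date): Backend {
  const valid = new Map<string, AuthUser>([['acc-1', { id: 'u1', name: 'alice' }]]);
  const refreshable = new Set(['ref-1']);
  return {
    validate: (t) => valid.get(t) ?? null,
    refresh: (r) => {
      if (!refreshable.has(r)) return null;
      refreshable.delete(r);
      refreshable.add('ref-2');
      valid.set('acc-2', { id: 'u1', name: 'alice' });
      return {
        accessToken: 'acc-2', refreshToken: 'ref-2',
        expiresAt: new Date(now.getTime() + ACCESS_FALLBACK_MS).toISOString(),
        refreshExpiresAt: 'not-a-date',
      };
    },
  };
}
```

The one-time-use refresh token in the fake mirrors what a rotating backend does: a second request carrying the consumed `ref-1` is refused and the hook clears both cookies, which is the state the logout action should also produce.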