docs: csrf handling

2025-04-10 22:31:09 +03:00 · 2025-04-10 22:31:09 +03:00 · 2dde8d7942
commit 2dde8d7942
parent 42409429e6
3 changed files with 6 additions and 5 deletions
--- a/docs/API.md
+++ b/docs/API.md
@ -18,9 +18,10 @@ Endpoints protected with `requireAccessToken` middleware:
 - `GET /auth/admin/all`: As an administrator, list all users stored in the system (adjustable with pagination URL parameters) -> Array of `userResponse` DTOs
 - `DELETE /auth/admin/{userID}`: As an administrator, delete a specific user -> HTTP 204 response
-Endpoints protected with `requireRefreshToken` middleware:
+Endpoints protected with `requireRefreshToken` and `gorilla/csrf` middlewares:
- `POST /auth/refresh`: Perform token rotation (revokes the old refresh token server-side) -> Cookie with new refresh token and response with access token
+- `GET /auth/cookie/csrf`: Get new CSRF token -> HTTP 204 response with the token set in the `X-CSRF-Token` response header
 - `POST /auth/cookie/refresh`: Perform token rotation (revokes the old refresh token server-side) -> Cookie with new refresh token and response with access token
 ## Notes
@ -40,7 +41,7 @@ All notes related endpoints are protected with `requireAccessToken` middleware,
 ![Sequence diagram of the authentication flow](./media/auth-sequence.svg)
- Store access token in memory (never in `localStorage`)
+- Store access and CSRF tokens in memory (never in `localStorage`)
 - Automatically handle 401 responses by attempting token refresh
 - Queue pending requests during token refresh, if necessary
 - Clear local tokens on logout (`POST /auth/logout`)
--- a/docs/media/auth-sequence.svg
+++ b/docs/media/auth-sequence.svg
--- a/docs/media/protected-resource-flow.svg
+++ b/docs/media/protected-resource-flow.svg