Refactor authentication: Remove Remember Me API endpoints and schemas; implement cookie-based Remember Me functionality

2026-02-24 03:06:07 -05:00 · 2026-02-22 04:44:57 +00:00
parent eb399ec193
commit 8224363c45
4 changed files with 414 additions and 614 deletions
--- a/server/api_server/api_server_start.py
+++ b/server/api_server/api_server_start.py
@@ -1936,144 +1936,7 @@ def check_auth(payload=None):
        return jsonify({"success": True, "message": "Authentication check successful"}), 200


-# --------------------------
-# Remember Me Validation endpoint
-# --------------------------
-@app.route("/auth/validate-remember", methods=["POST"])
-@validate_request(
-    operation_id="validate_remember",
-    summary="Validate Remember Me Token",
-    description="Validate a persistent Remember Me token against stored hash. Called from login page (no auth required).",
-    request_model=ValidateRememberRequest,
-    response_model=ValidateRememberResponse,
-    tags=["auth"],
-    auth_callable=None  # No auth required - used on login page
-)
-def validate_remember(payload=None):
-    """
-    Validate a Remember Me token from persistent cookie.
-
-    Security: Uses timing-safe hash comparison to prevent timing attacks.
-    Token format: hex-encoded 32 random bytes (64 chars) from bin2hex(random_bytes(32))
-    """
-    try:
-        # Extract token from request
-        data = request.get_json() or {}
-        token = data.get("token")
-
-        if not token:
-            mylog("verbose", ["[auth/validate-remember] Missing token in request"])
-            return jsonify({
-                "success": True,
-                "valid": False,
-                "message": "Token validation failed: missing token"
-            }), 200
-
-        # Validate token against stored hash
-        params_instance = ParametersInstance()
-        result = params_instance.validate_token(token)
-
-        if result['valid']:
-            mylog("verbose", ["[auth/validate-remember] Token validation successful"])
-            return jsonify({
-                "success": True,
-                "valid": True,
-                "message": "Token validation successful"
-            }), 200
-        else:
-            mylog("verbose", ["[auth/validate-remember] Token validation failed"])
-            return jsonify({
-                "success": True,
-                "valid": False,
-                "message": "Token validation failed"
-            }), 200
-
-    except Exception as e:
-        mylog("verbose", [f"[auth/validate-remember] Unexpected error: {e}"])
-        return jsonify({
-            "success": False,
-            "valid": False,
-            "error": "Internal server error",
-            "message": "An unexpected error occurred during token validation"
-        }), 500
-
-
-# --------------------------
-# Remember Me Save endpoint
-# --------------------------
-@app.route("/auth/remember-me/save", methods=["POST"])
-@validate_request(
-    operation_id="save_remember",
-    summary="Save Remember Me Token",
-    description="Save a Remember Me token to the database. Called after successful login to enable persistent authentication.",
-    request_model=SaveRememberRequest,
-    response_model=SaveRememberResponse,
-    tags=["auth"],
-    auth_callable=None  # No auth required - used on login page
-)
-def save_remember(payload=None):
-    """
-    Save a Remember Me token.
-
-    Flow:
-    1. User logs in with "Remember Me" checkbox
-    2. Password validated successfully
-    3. Token generated: bin2hex(random_bytes(32))
-    4. This endpoint called: saves hash(token) to Parameters table
-    5. Token (unhashed) set in persistent cookie
-    6. Session created and user redirected
-
-    Security: Only the HASH is stored in the database, not the token itself.
-    If database is compromised, attacker cannot use stolen hashes without the original token.
-    """
-    try:
-        import uuid
-        import hashlib
-
-        # Extract token from request
-        data = request.get_json() or {}
-        token = data.get("token")
-
-        if not token or len(token) < 64:
-            mylog("verbose", ["[auth/remember-me/save] Invalid or missing token"])
-            return jsonify({
-                "success": False,
-                "error": "Invalid token",
-                "message": "Token must be 64+ hex characters"
-            }), 400
-
-        # Hash the token
-        token_hash = hashlib.sha256(token.encode('utf-8')).hexdigest()
-
-        # Generate UUID-based parameter ID
-        token_id = f"remember_me_token_{uuid.uuid4()}"
-
-        # Store hash in Parameters table
-        params_instance = ParametersInstance()
-        success = params_instance.set_parameter(token_id, token_hash)
-
-        if success:
-            mylog("verbose", [f"[auth/remember-me/save] Token saved successfully: {token_id}"])
-            return jsonify({
-                "success": True,
-                "message": "Remember Me token saved successfully",
-                "token_id": token_id
-            }), 200
-        else:
-            mylog("verbose", ["[auth/remember-me/save] Failed to save token to database"])
-            return jsonify({
-                "success": False,
-                "error": "Database error",
-                "message": "Failed to save Remember Me token"
-            }), 500
-
-    except Exception as e:
-        mylog("verbose", [f"[auth/remember-me/save] Unexpected error: {e}"])
-        return jsonify({
-            "success": False,
-            "error": "Internal server error",
-            "message": "An unexpected error occurred while saving Remember Me token"
-        }), 500
+# Remember Me is now implemented via cookies only (no API endpoints required)


 # --------------------------