[PR #743] [MERGED] feat: use new JWT auth in all frontend API calls #766

New issue

Closed

opened 2026-02-25 23:35:24 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 23:35:24 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/go-shiori/shiori/pull/743
Author: @fmartingr
Created: 9/30/2023
Status: ✅ Merged
Merged: 9/30/2023
Merged by: @fmartingr

Base: master ← Head: frontend-jwt-auth

📝 Commits (3)

ba71dbc properly store jwt token
2d9f153 use a secret in the local dev server
248bbce send jwt token in all api calls

📊 Changes

4 files changed (+110 additions, -97 deletions)

View changed files

📝 Makefile (+1 -1)
📝 internal/view/assets/js/page/home.js (+99 -94)
📝 internal/view/assets/js/page/setting.js (+9 -1)
📝 internal/view/login.html (+1 -1)

📄 Description

Properly store the JWT token in the local storage
Use a secret locally to prevent logouts when restarting the dev server
Make it so all API requests from the frontend sends then Authorization header.

There's still something to solve when we require the user to load an URL that is not an API route (bookmark archive, readable, ebook), since those won't be API calls per se, but load content directly in the browser. Right now they work because we still maintain the cookie with the session around, but we need to figure out the best way to migrate that to the new routes. Probably a cookie is the best solution, but we need to think what to put in it.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-shiori/shiori/pull/743 **Author:** [@fmartingr](https://github.com/fmartingr) **Created:** 9/30/2023 **Status:** ✅ Merged **Merged:** 9/30/2023 **Merged by:** [@fmartingr](https://github.com/fmartingr) **Base:** `master` ← **Head:** `frontend-jwt-auth` --- ### 📝 Commits (3) - [`ba71dbc`](https://github.com/go-shiori/shiori/commit/ba71dbcef3b9b3427a37957c01354fe4507f8923) properly store jwt token - [`2d9f153`](https://github.com/go-shiori/shiori/commit/2d9f153a1b26097c2c4da933e0d5fad5cc9a91c8) use a secret in the local dev server - [`248bbce`](https://github.com/go-shiori/shiori/commit/248bbce9aeb13a805f5fbe06e246c46ba7d16857) send jwt token in all api calls ### 📊 Changes **4 files changed** (+110 additions, -97 deletions) <details> <summary>View changed files</summary> 📝 `Makefile` (+1 -1) 📝 `internal/view/assets/js/page/home.js` (+99 -94) 📝 `internal/view/assets/js/page/setting.js` (+9 -1) 📝 `internal/view/login.html` (+1 -1) </details> ### 📄 Description - Properly store the JWT token in the local storage - Use a secret locally to prevent logouts when restarting the dev server - Make it so all API requests from the frontend sends then `Authorization` header. There's still something to solve when we require the user to load an URL that is not an API route (bookmark archive, readable, ebook), since those won't be API calls per se, but load content directly in the browser. Right now they work because we still maintain the cookie with the session around, but we need to figure out the best way to migrate that to the new routes. Probably a cookie is the best solution, but we need to think what to put in it. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>