refactor(auth): migrate fully to HTTP-only cookie sessions

Remove client-side token storage and Authorization header injection
Backend login now only returns user data, omitting the session token
Remove Authorization from backend CORS allowed headers
Clean up obsolete VITE_* environment variable fallbacks
Update Modal component to use Vue useId() instead of Math.random()
2026-05-06 17:15:46 +08:00
parent f26cfdc830
commit fa656a8d02
24 changed files with 123 additions and 357 deletions


@@ -28,10 +28,8 @@ import {
} from '../icons';
import {
api,
getAuthToken,
moderationUpdateEvent,
onAuthTokenChange,
setAuthToken,
onAuthChange,
type AiModerationStatus,
type AuthUser,
type CommentSort,
@@ -112,17 +110,11 @@ function summaryText(value: string, maxLength: number) {
}
async function loadCurrentUser() {
if (!getAuthToken()) {
currentUser.value = null;
return;
}
try {
const response = await api.me();
currentUser.value = response.user;
} catch {
currentUser.value = null;
setAuthToken(null);
}
}
@@ -840,14 +832,13 @@ onMounted(() => {
document.addEventListener('click', closeReactionPickerFromDocument);
document.addEventListener('keydown', closeReactionPickerFromKeyboard);
window.addEventListener(moderationUpdateEvent, handleModerationUpdate);
const hadAuthToken = getAuthToken() !== null;
void (async () => {
await loadCurrentUser();
if (!initialPostLoaded.value || hadAuthToken) {
if (!initialPostLoaded.value || currentUser.value) {
await loadPost();
}
})();
removeAuthListener = onAuthTokenChange(() => {
removeAuthListener = onAuthChange(() => {
void loadCurrentUser();
void loadPost();
});
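Review bot: With the session now carried in a cookie instead of an Authorization header, the browser attaches it to cross-site requests automatically, so the implicit CSRF protection the custom header gave (a forced CORS preflight) is gone and nothing in this section, or in the description, shows a replacement. Before this lands, confirm that the backend sets the cookie with `SameSite=Lax` (or `Strict`) plus `Secure`, that state-changing `api.*` calls carry a CSRF token or a required custom header, and that the CORS config pairs `Access-Control-Allow-Credentials: true` with an explicit origin rather than `*` — none of that is visible here, so this is an inference from the change. A comment above `loadCurrentUser()` such as `// Session lives in an HTTP-only cookie: api.me() must send credentials; CSRF relies on SameSite + <server-side check>` would record the new assumption for the next maintainer. Separately, `catch { currentUser.value = null; }` in loadCurrentUser treats a network failure or 5xx the same as "not logged in"; if `api.me()` exposes the response status, clear the user only on 401/403 and log other failures. The `onMounted` callback in the last hunk starts and ends outside the shown lines.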