Skip to content

feat(medcat-trainer): Clear app storage on start-up to prevent auth state conflicts #316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jocelyneholdbrook wants to merge 2 commits into
base: main
Choose a base branch
from
+201 −32
Open

feat(medcat-trainer): Clear app storage on start-up to prevent auth state conflicts #316

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c170b9f
feat(medcat-trainer): Clear app storage on start-up to prevent auth s…
jocelyneholdbrook Feb 4, 2026
f26c4a6
feat(medcat-trainer): Remove callback URL fragments after successful …
jocelyneholdbrook Feb 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions medcat-trainer/webapp/frontend/src/main.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ import '@/assets/main.css'
import { createApp } from 'vue'

import App from './App.vue'
import router from './router'
import { initialiseRouter } from './router'
import axios from 'axios'
import VueCookies from 'vue-cookies'
import vSelect from 'vue-select'
Expand All @@ -24,6 +24,7 @@ import * as components from 'vuetify/components'
import * as directives from 'vuetify/directives'
import {authPlugin} from "./auth";
import { loadRuntimeConfig, isOidcEnabled } from './runtimeConfig';
import { performStartupCleanup } from './utils/storage-cleanup';

const theme ={
dark: false,
Expand Down Expand Up @@ -55,7 +56,6 @@ async function bootstrap() {
app.component("v-select", vSelect)
app.component('vue-simple-context-menu', VueSimpleContextMenu)
app.component('font-awesome-icon', FontAwesomeIcon)
app.use(router)
app.use(VueCookies, { expires: '7d'})
app.use(vuetify);

Expand All @@ -81,9 +81,16 @@ async function bootstrap() {
}

app.config.compilerOptions.whitespace = 'preserve'

// Router is initialised and created after keycloak initialisation as workaround to URL fragments not being removed after successful login
// See: https://github.com/keycloak/keycloak/issues/14742#issuecomment-1663069438
app.use(initialiseRouter())
app.mount('#app')
}

// Clear app storage before the application is bootstrapped
// This prevents stale auth state from being used
performStartupCleanup();
bootstrap()
.then(() => console.log('[Bootstrap] Application started successfully'))
.catch(error => console.error('[Bootstrap] Failed to start application:', error))
60 changes: 31 additions & 29 deletions medcat-trainer/webapp/frontend/src/router/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,51 +1,53 @@
import { createRouter, createWebHistory } from 'vue-router'
import {createRouter, createWebHistory} from 'vue-router'
import Home from '../views/Home.vue'
import TrainAnnotations from '../views/TrainAnnotations.vue'
import Demo from '../views/Demo.vue'
import Metrics from '../views/Metrics.vue'
import MetricsHome from '../views/MetricsHome.vue'
import ConceptDatabase from '../views/ConceptDatabase.vue'


const router = createRouter({
history: createWebHistory(import.meta.env.BASE_URL),
routes: [
const initialiseRouter = () => {
return createRouter({
history: createWebHistory(import.meta.env.BASE_URL),
routes: [
{
path: '/train-annotations/:projectId/:docId?',
name: 'train-annotations',
component: TrainAnnotations,
props: true,
// query: true
path: '/train-annotations/:projectId/:docId?',
name: 'train-annotations',
component: TrainAnnotations,
props: true,
// query: true
},
{
path: '/metrics-reports/',
name: 'metrics-reports',
component: MetricsHome,
path: '/metrics-reports/',
name: 'metrics-reports',
component: MetricsHome,
},
{
path: '/metrics/:reportId/',
name: 'metrics',
component: Metrics,
props: router => ({reportId: parseInt(router.params.reportId)})
path: '/metrics/:reportId/',
name: 'metrics',
component: Metrics,
props: router => ({reportId: parseInt(router.params.reportId)})
},
{
path: '/demo',
name: 'demo',
component: Demo
path: '/demo',
name: 'demo',
component: Demo
},
{
path: '/model-explore',
name: 'model-explore',
component: ConceptDatabase
path: '/model-explore',
name: 'model-explore',
component: ConceptDatabase
},
{
path: '/:pathMatch(.*)',
name: 'home',
component: Home
path: '/:pathMatch(.*)',
name: 'home',
component: Home
}
]
})
]
})
}


export default router
export {initialiseRouter}


132 changes: 132 additions & 0 deletions medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { performStartupCleanup } from '@/utils/storage-cleanup'

describe('storageCleanup', () => {
let consoleLogSpy: any
let localStorageMock: { [key: string]: any }
let sessionStorageMock: { [key: string]: any }

beforeEach(() => {
// Mock console.log
consoleLogSpy = vi.spyOn(console, 'log').mockImplementation(() => {})

// Mock localStorage with proper Object.keys() support
localStorageMock = {}
const localStorageProxy = new Proxy(localStorageMock, {
get(target, prop) {
if (prop === 'getItem') return (key: string) => target[key] || null
if (prop === 'setItem') return (key: string, value: string) => { target[key] = value }
if (prop === 'removeItem') return (key: string) => { delete target[key] }
if (prop === 'clear') return () => { Object.keys(target).forEach(k => delete target[k]) }
if (prop === 'key') return (index: number) => Object.keys(target)[index] || null
if (prop === 'length') return Object.keys(target).length
return target[prop as string]
},
ownKeys(target) {
return Object.keys(target)
},
getOwnPropertyDescriptor(target, prop) {
return {
enumerable: true,
configurable: true,
value: target[prop as string]
}
}
})
vi.stubGlobal('localStorage', localStorageProxy)

// Mock sessionStorage
sessionStorageMock = {}
const sessionStorageProxy = {
getItem: (key: string) => sessionStorageMock[key] || null,
setItem: (key: string, value: string) => { sessionStorageMock[key] = value },
removeItem: (key: string) => { delete sessionStorageMock[key] },
clear: () => { sessionStorageMock = {} },
key: (index: number) => Object.keys(sessionStorageMock)[index] || null,
get length() { return Object.keys(sessionStorageMock).length }
} as Storage
vi.stubGlobal('sessionStorage', sessionStorageProxy)

// Mock document.cookie
let cookieStore: string[] = []
Object.defineProperty(document, 'cookie', {
get: () => cookieStore.join('; '),
set: (value: string) => {
if (value.includes('expires=Thu, 01 Jan 1970')) {
// Cookie deletion
const name = value.split('=')[0]
cookieStore = cookieStore.filter(c => !c.startsWith(name + '='))
} else {
cookieStore.push(value)
}
},
configurable: true
})

// Mock window.location and URL
delete (window as any).location
window.location = {
href: 'https://example.com/',
hostname: 'example.com'
} as any

// Mock window.history.replaceState
window.history.replaceState = vi.fn()
})

afterEach(() => {
consoleLogSpy.mockRestore()
vi.restoreAllMocks()
vi.unstubAllGlobals()
})

describe('performStartupCleanup', () => {
it('should log startup cleanup message', () => {
performStartupCleanup()
expect(consoleLogSpy).toHaveBeenCalledWith('[StorageCleanup] Performing startup cleanup')
})

it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

In general, the way to fix clear-text transmission of sensitive cookies is to ensure that any cookie containing authentication/session data is set with the Secure attribute (and usually HttpOnly and SameSite), so it is only sent over HTTPS and less exposed to JavaScript.

In this specific file, the issue is only in how test cookies are created. The document.cookie setter is mocked to store the full cookie string verbatim, so adding attributes like Secure; HttpOnly to the cookie strings will not alter the test’s semantics: the cleanup code under test still “sees” the same cookie names/values, and the test only checks that cleanup runs (via consoleLogSpy) rather than inspecting cookie contents. The best fix is therefore to update each document.cookie = '...' line in the it('should clear application cookies', ...) test to include ; Secure; HttpOnly (and optionally SameSite=Lax) in the cookie string.

Concretely:

  • In medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts, around lines 89–101, update all document.cookie = 'name=value' to document.cookie = 'name=value; Secure; HttpOnly'.
  • No new imports or helper methods are required; this is a straightforward change to the literal cookie strings.
Suggested changeset 1
medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure; HttpOnly'
+      document.cookie = 'username=testuser; Secure; HttpOnly'
+      document.cookie = 'admin=true; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'
 
       performStartupCleanup()
 
EOF
@@ -88,16 +88,16 @@

it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
document.cookie = 'api-token=test123; Secure; HttpOnly'
document.cookie = 'username=testuser; Secure; HttpOnly'
document.cookie = 'admin=true; Secure; HttpOnly'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'

performStartupCleanup()

Copilot is powered by AI and may make mistakes. Always verify output.
document.cookie = 'username=testuser'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

In general, sensitive cookies must be created with the Secure attribute (and usually HttpOnly) so that browsers only send them over HTTPS. In browser JavaScript, this means appending ; Secure; HttpOnly (case‑insensitive) when assigning document.cookie. For tests that simulate such cookies, we should mirror this secure form.

In this specific file, the only problematic code is in the test "should clear application cookies" where several sensitive cookies are set with plain name=value. The test’s cookie mock simply stores the raw string and looks for an expires=Thu, 01 Jan 1970 substring to detect deletions; it ignores other attributes. Therefore, we can safely modify each document.cookie = ... assignment to include secure attributes such as ; Secure; HttpOnly without changing the test semantics. The test assertions only check that performStartupCleanup runs and logs, not the exact cookie format, so behavior remains unchanged.

You only need to edit medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts in the block where cookies are set (lines 90–100). No new imports or helpers are required: we just update the literal strings.

Suggested changeset 1
medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure; HttpOnly'
+      document.cookie = 'username=testuser; Secure; HttpOnly'
+      document.cookie = 'admin=true; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'
 
       performStartupCleanup()
 
EOF
@@ -88,16 +88,16 @@

it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
document.cookie = 'api-token=test123; Secure; HttpOnly'
document.cookie = 'username=testuser; Secure; HttpOnly'
document.cookie = 'admin=true; Secure; HttpOnly'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure; HttpOnly'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure; HttpOnly'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure; HttpOnly'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure; HttpOnly'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure; HttpOnly'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure; HttpOnly'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure; HttpOnly'

performStartupCleanup()

Copilot is powered by AI and may make mistakes. Always verify output.
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

In general, sensitive cookies should always be set with the Secure attribute (and usually HttpOnly and SameSite as appropriate) so they are only sent over HTTPS. In browser JavaScript, this means ensuring the cookie string assigned to document.cookie includes Secure (e.g. document.cookie = 'name=value; Secure; HttpOnly'). Even though this is test code using a mock document.cookie, adding these attributes to the cookie strings being set avoids the insecure pattern and more accurately represents production best practice.

The best way to fix this without changing functionality is to update each cookie assignment in the test to append ; Secure (and optionally ; HttpOnly if you want to be stricter) to the cookie string values. The test only cares that these cookies exist so that performStartupCleanup() will attempt to clear them; adding attributes after the value does not affect the test’s logic, because the mock cookie store stores the entire string as-is and the deletion logic only uses the name before the first =. Specifically, in medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts, in the it('should clear application cookies', () => { ... }) block, lines 91–100 (the series of document.cookie = '...') should be updated to include ; Secure after each cookie value. No new imports or helper methods are required; this is just a change to the literal strings used in the test.

Suggested changeset 1
medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure'
+      document.cookie = 'username=testuser; Secure'
+      document.cookie = 'admin=true; Secure'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'
 
       performStartupCleanup()
 
EOF
@@ -88,16 +88,16 @@

it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
document.cookie = 'api-token=test123; Secure'
document.cookie = 'username=testuser; Secure'
document.cookie = 'admin=true; Secure'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'

performStartupCleanup()

Copilot is powered by AI and may make mistakes. Always verify output.
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium test

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 1 day ago

In general, to avoid clear-text transmission of sensitive cookies, you must ensure all security-sensitive cookies are set with the Secure attribute (and typically HttpOnly and SameSite as appropriate). In a browser context, that means including ; Secure in the cookie string assigned to document.cookie or via Set-Cookie headers, so that the browser will only send that cookie over HTTPS.

For this specific test file, we should update the cookie strings used in the should clear application cookies test so that each cookie that represents a session/authentication token is set with at least the Secure flag. Since the mocked document.cookie implementation simply stores whatever string is assigned and does not parse attributes, adding ; Secure (and optionally ; HttpOnly) to the cookie values will not change the behavior of the test: performStartupCleanup will still see the same cookie names and will still clear them. Therefore, the best fix is to append a ; Secure attribute to each sensitive cookie string in lines 91–101 (or at minimum all clearly session/auth cookies), leaving the rest of the test logic unchanged. No new imports or helpers are necessary; we only adjust the literal strings being assigned.

Suggested changeset 1
medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
--- a/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
+++ b/medcat-trainer/webapp/frontend/src/tests/utils/storage-cleanup.spec.ts
@@ -88,16 +88,16 @@
 
     it('should clear application cookies', () => {
       // Set some cookies
-      document.cookie = 'api-token=test123'
-      document.cookie = 'username=testuser'
-      document.cookie = 'admin=true'
-      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
-      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
-      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
-      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
-      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
-      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
-      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
+      document.cookie = 'api-token=test123; Secure'
+      document.cookie = 'username=testuser; Secure'
+      document.cookie = 'admin=true; Secure'
+      document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
+      document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
+      document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
+      document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
+      document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
+      document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
+      document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'
 
       performStartupCleanup()
 
EOF
@@ -88,16 +88,16 @@

it('should clear application cookies', () => {
// Set some cookies
document.cookie = 'api-token=test123'
document.cookie = 'username=testuser'
document.cookie = 'admin=true'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'
document.cookie = 'api-token=test123; Secure'
document.cookie = 'username=testuser; Secure'
document.cookie = 'admin=true; Secure'
document.cookie = '_oauth2_proxy=djIuWDI5aGRYUm9NbDl3Y205NGVTMDVaV05sTjJJeE1qUXdZVE0wTWpVNE1UYzBaVEJqWm1KaU1tWXdPR; Secure'
document.cookie = '_oauth2_proxy_1=mdlsjjsadfhHLFhBLGnbJlhB>j; Secure'
document.cookie = 'sessionid=6id701ipjww6rx0gumt0vvz1pnxpy12p; Secure'
document.cookie = 'AUTH_SESSION_ID=OTI4Mzk4NmUtZWJhNi; Secure'
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..; Secure'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...; Secure'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA; Secure'

performStartupCleanup()

Copilot is powered by AI and may make mistakes. Always verify output.
document.cookie = 'KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4..'
document.cookie = 'KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCI...'
document.cookie = 'KEYCLOAK_SESSION=-9rVzyOy1xEA4sktmgSvv8DriM3ZO4kv-zjrhjuYFkA'

performStartupCleanup()

// Cookies should be cleared (setting them with expired date)
// We can't easily verify the exact cookie string, but we can check the function runs
expect(consoleLogSpy).toHaveBeenCalled()
})

it('should clear all sessionStorage', () => {
// Add some sessionStorage items
sessionStorage.setItem('session-key1', 'value1')
sessionStorage.setItem('session-key2', 'value2')

expect(Object.keys(sessionStorageMock)).toHaveLength(2)

performStartupCleanup()

expect(Object.keys(sessionStorageMock)).toHaveLength(0)
})


it('should handle localStorage with no Keycloak items', () => {
localStorage.setItem('normal-key', 'normal-value')

performStartupCleanup()

// Normal key should remain untouched
expect(localStorageMock['normal-key']).toBe('normal-value')
expect(Object.keys(localStorageMock)).toHaveLength(1)
})
})
})
28 changes: 28 additions & 0 deletions medcat-trainer/webapp/frontend/src/utils/storage-cleanup.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/**
* Utility to clear application-specific browser storage on startup to prevent auth state conflicts
*/

function clearAuthRelatedCookies() {
console.debug('[StorageCleanup] Clearing auth-related cookies')
// Omit keycloak cookies ( 'AUTH_SESSION_ID', 'KC_RESTART', 'KEYCLOAK_IDENTITY', 'KEYCLOAK_SESSION',) as removing them breaks the oauth callback flow when OIDC auth is enabled
const cookies = [
'api-token', 'username', 'admin', 'user-id',
'sessionid',
'_oauth2_proxy', '_oauth2_proxy_csrf', '_oauth2_proxy_1', '_oauth2_proxy_2'
]
cookies.forEach(name => {
document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`
})
}

function clearSessionStorage() {
console.debug('[StorageCleanup] Clearing sessionStorage')
sessionStorage.clear()
}


export function performStartupCleanup(): void {
console.log('[StorageCleanup] Performing startup cleanup')
clearAuthRelatedCookies();
clearSessionStorage();
}
2 changes: 1 addition & 1 deletion medcat-trainer/webapp/frontend/tsconfig.vitest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"extends": "./tsconfig.app.json",
"include": ["env.d.ts", "src/tests/**/*.ts"],
"include": ["env.d.ts", "src/tests/**/*.ts", "src/utils/**/*.ts"],
"exclude": [],
"compilerOptions": {
"composite": true,
Expand Down