[Feature Request] OpenAPI Toolkit – Cookie-Based Session Authentication & Session Persistence

[bermudas]

Problem Statement

ELITEA's OpenAPI toolkit currently supports API Key, OAuth 2.0, and Anonymous authentication. It does not support cookie-based session authentication, which is required by several enterprise systems (e.g., Micro Focus ALM QC, legacy enterprise APIs) that use session cookies (LWSSO, QCSession, XSRF tokens) for authentication and authorization.

Currently, Code nodes run in a Pyodide sandbox environment using the browser's Fetch API. Due to W3C Fetch Specification security policies, the browser prevents JavaScript/WASM from accessing or persisting Set-Cookie headers across requests. This makes cookie-based flows fundamentally impossible in the current architecture without a server-side workaround.

---

Use Case Reference

System: Micro Focus ALM Quality Center
Requested by: ARC Project Team (via Support #888)

Authentication Flow:

POST /authentication-point/authenticate  (Basic or form-based)
  → Response: Set-Cookie: LWSSO_COOKIE_KEY=<token>; QCSession=<token>

GET /rest/domains/{domain}/projects/{project}/requirements
  → Request: Cookie: LWSSO_COOKIE_KEY=<token>; QCSession=<token>
  → (Also requires XSRF token for write operations)

Insomnia/Postman behavior to replicate: Maintains a cookie jar across all API calls in a session, automatically applies all captured cookies to subsequent requests, handles XSRF automatically.

---

Requested Capabilities

Option A: Cookie Jar / Session Authentication in OpenAPI Toolkit (Primary Request)

Add a new authentication type to OpenAPI toolkit credentials: "Session / Cookie-Based"

Required behavior:

1. Step 1 – Authenticate: Call a configurable authentication endpoint (e.g., POST /authentication-point/authenticate) with credentials
2. Step 2 – Capture cookies: Extract session cookies from the response headers (Set-Cookie) — e.g., LWSSO_COOKIE_KEY, QCSession
3. Step 3 – Persist session: Store captured cookies in a managed session/cookie jar
4. Step 4 – Reuse session: Automatically attach stored cookies to all subsequent API calls within the same agent session
5. Step 5 – Session refresh: Detect session expiry (e.g., 401 response) and re-authenticate automatically.

Proposed configuration fields:

Field	Description
auth_endpoint	URL to POST credentials for authentication
username	Auth username (stored as secret)
password	Auth password (stored as secret)
session_cookie_names	Cookie names to capture (e.g., LWSSO_COOKIE_KEY, QCSession)
xsrf_header	Optional: XSRF header name (e.g., X-XSRF-TOKEN)
session_timeout_seconds	Optional: Session lifetime for proactive refresh

---

Acceptance Criteria

• OpenAPI toolkit supports cookie-based session authentication as a credential type
• Session cookies are captured from authentication response and persisted for the session lifetime
• All subsequent toolkit calls automatically include captured session cookies
• XSRF token handling supported (optional header extraction from response)
• Session expiry detection and auto-reauthentication on 401 responses
• Works for both Read APIs (GET requirements/tests) and Write APIs (POST test cases/design-steps)
• Compatible with ALM QC REST API (/authentication-point/authenticate, /rest/... endpoints)

---

Priority Justification

• Blocks a real ARC project use case (QA agent reading requirements from Micro Focus ALM)
• Enterprise ALM systems commonly use cookie-based auth — this is not an edge case
• Current workaround (external proxy + Secrets API) adds operational complexity and external dependencies
• Insomnia and Postman (common alternatives) both support this natively, representing a feature gap vs. industry-standard tooling

---

Reported via ELITEA Support — issue #888