Sending refresh token via response body when JWT_AUTH_HTTPONLY is set to True #586

Open
ThukuWakogi opened this issue Jan 24, 2024 · 1 comment

Comments

@ThukuWakogi

I have worked on projects where the API is consumed by web apps and native apps. I store the JWT in an httponly cookie, which is used by the web app. For the native app, I pass the refresh token as a response payload upon a successful authentication, which comes in handy when refreshing the token.

For dj_rest_auth, when JWT_AUTH_HTTPONLY is set to true, the refresh token is not passed in the response payload, hence I can't refresh the token since I have no access to the refresh token in the cookie.

Is there a way or a workaround I can use so that the refresh_token is sent when JWT_AUTH_HTTPONLY is set to true?

@afoalb

afoalb commented Feb 5, 2024

If you're using http only cookies, you shouldn't pass the refresh token in the payload. The JS client code shouldn't have access to the refresh token.

It's the backend's responsibility to refresh the token. The client should only send an HTTP POST request to dj-rest-auth/token/refresh/ and let the backend do the rest.
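Added example, not part of the thread and not dj-rest-auth code: the HttpOnly flag only hides a cookie from JavaScript in a browser, so a non-browser client that keeps a cookie store can follow the flow described above without ever reading the refresh token. The stand-in server, the cookie name `refresh-token`, the login path and the token values are assumptions constructed so the demo runs offline.

```python
import json, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

REFRESH_COOKIE = "refresh-token"  # assumed value of JWT_AUTH_REFRESH_COOKIE

class StandIn(BaseHTTPRequestHandler):
    """Local stand-in for the API (not dj-rest-auth code); tokens are constructed."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sent = SimpleCookie(self.headers.get("Cookie", ""))
        if self.path == "/dj-rest-auth/login/":  # assumed login path
            self.reply(200, {"access": "access-1"},
                       f"{REFRESH_COOKIE}=constructed-refresh; HttpOnly; Path=/")
        elif self.path == "/dj-rest-auth/token/refresh/" and REFRESH_COOKIE in sent:
            self.reply(200, {"access": "access-2"})  # refresh token came from the cookie
        else:
            self.reply(401, {"detail": "no refresh cookie"})

    def reply(self, status, body, set_cookie=None):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    jar = CookieJar()  # plays the role of the native app's cookie store
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))

    def post(path):
        try:
            with opener.open(urllib.request.Request(base + path, data=b"{}")) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.load(err)

    results = [post("/dj-rest-auth/login/"), post("/dj-rest-auth/token/refresh/")]
    names = [c.name for c in jar]
    jar.clear()  # without the stored cookie the refresh is rejected
    results.append(post("/dj-rest-auth/token/refresh/"))
    server.shutdown()
    return results, names
```

The client code never touches the refresh token value; it only persists and replays the cookie, so the cookie store needs the same protection on the device that a stored refresh token would.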
