Comments (9)

hassanrbh commented on September 25, 2024 2

#63 Here is the implementation. Also, something is wrong in the repository: it needs a Cognitive Complexity of 5, but I am exceeding it. I wrote a custom tokens controller, a registration controller and an authentication controller; to get yourself ready as fast as possible, it is combining the three response methods. I am storing the refresh token in the cookie (with jit as a keyword) and leaving the access token in the headers, because in the frontend I will store it in the state using Redux, access it from the state and do my logic. When you sign in or sign up, I am returning the access token in the response body.

from api_guard.

gczh commented on September 25, 2024

Managed to do some workarounds for now but it's a shoddy approach.

Overrode AuthenticationController and set the access + refresh tokens after they're generated and set in the headers by api_guard.

I took a look at the gem's core code further and I think we could probably add support for HTTP Only Cookie as an alternative to using Request Headers.

My suggestion is to:

  • Refactor create_token_and_set_header(resource, resource_name) to create_token_and_set_in_strategy
  • Add a create_token_and_set_in_strategy to allow users to specify which strategy they'd like: Http Only Cookie or Request Headers, or both
  • Allow users to specify the configuration in api_guard.rb initializer file. Some users might want to have both Request Headers and http only cookie support?

Would love to give this a try if you're open to it.

Gokul595 commented on September 25, 2024

@gczh Thanks for your suggestion, it looks good.

We need to support three ways of sending tokens in response:

I am also thinking about using the access & refresh tokens from cookies (if present) for authenticating the request when the Authorization header is missing in the request. It would be better if you can add this too. We are accessing the tokens in the places listed below:

  • ApiGuard::JwtAuth::Authentication#authenticate_and_set_resources
  • ApiGuard::TokensController#find_refresh_token
  • lib/generators/api_guard/controllers/templates/tokens_controller.rb

Let me know if you are willing to do these changes.

from api_guard.
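
The transport choice discussed in the comments above (response headers, HTTP-only cookie, or both, with a cookie fallback when the Authorization header is missing), shown as an added example that is not api_guard's code or any commenter's. The function names, cookie names, header names, lifetimes and the `/tokens` path are assumptions.

```ruby
# Added example, not api_guard code. All names below are hypothetical.
ACCESS_COOKIE  = 'access_token'   # assumed cookie name
REFRESH_COOKIE = 'refresh_token'  # assumed cookie name

# Serialize one token as a Set-Cookie value that page JavaScript cannot read.
# Browsers attach cookies automatically, so SameSite=Strict keeps them off
# cross-site requests; Secure keeps them off plain HTTP.
def token_cookie(name, value, max_age:, path: '/')
  raise ArgumentError, 'token contains cookie delimiters' if value.match?(/[;,\s]/)
  "#{name}=#{value}; Path=#{path}; Max-Age=#{max_age}; HttpOnly; Secure; SameSite=Strict"
end

# Build the response headers for the chosen strategy: :headers, :cookies or :both.
def token_response_headers(access, refresh, strategy:)
  raise ArgumentError, "unknown strategy #{strategy}" unless %i[headers cookies both].include?(strategy)
  out = {}
  if %i[headers both].include?(strategy)
    out['Access-Token']  = access   # assumed response header name
    out['Refresh-Token'] = refresh  # assumed response header name
  end
  if %i[cookies both].include?(strategy)
    out['Set-Cookie'] = [
      # Constructed sample lifetimes: 15 minutes and 14 days.
      token_cookie(ACCESS_COOKIE, access, max_age: 900),
      # The refresh token is scoped to the (assumed) refresh endpoint path only.
      token_cookie(REFRESH_COOKIE, refresh, max_age: 1_209_600, path: '/tokens')
    ]
  end
  out
end

# Header first; fall back to the cookie only when the Authorization header is missing.
def access_token_from(headers, cookies)
  auth = headers['Authorization']
  if auth
    m = auth.match(/\ABearer ([A-Za-z0-9\-_=.]+)\z/)
    # A malformed header is rejected, not silently replaced by the cookie.
    return m && m[1]
  end
  cookies[ACCESS_COOKIE]
end
```

With the `:cookies` strategy the tokens never appear in the response headers, so a frontend that keeps the access token in application state would need `:headers` or `:both`.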

gczh commented on September 25, 2024

Happy to tackle this if you're up to code review my changes(:

Gokul595 commented on September 25, 2024

Yes. I can. Please proceed 👍

gczh commented on September 25, 2024

Yes. I can. Please proceed 👍

Will work on this!

mdodell commented on September 25, 2024

Is there any update on this, cc @Gokul595?

hassanrbh commented on September 25, 2024

I got refresh tokens in cookies working in my startup, I am gonna fork the repository and start working on it :)

hassanrbh commented on September 25, 2024

And also, I think we need to make the HTTP cookie implementation the default?
