Comments (9)
#63 here is the implementation, and also something is wrong in the repository: it needs a Cognitive Complexity of 5, but I am exceeding it. I wrote a custom TokensController, a RegistrationController and also an AuthenticationController. To get yourself ready as fast as possible, I am combining the three response methods: I am storing the refresh token in the cookie (with jit as a keyword) and leaving the access token in the headers, because in the frontend I will store it in the state using redux, access it from the state and do my logic; and when you sign in or sign up, I am returning the access token in the response body.
from api_guard.
Managed to do some workarounds for now but it's a shoddy approach.
Overrode AuthenticationController and set the access + refresh tokens after it's generated and set in the headers by api_guard.
I took a look at the gem's core code further and I think we could probably add support for HTTP Only Cookie as an alternative to using Request Headers.
My suggestion is to:
- Refactor create_token_and_set_header(resource, resource_name) to create_token_and_set_in_strategy
- Add a create_token_and_set_in_strategy to allow users to specify which strategy they'd like: Http Only Cookie or Request Headers, or both
- Allow users to specify the configuration in the api_guard.rb initializer file. Some users might want to have both Request Headers and http only cookie support?
Would love to give this a try if you're open to it.
from api_guard.
@gczh Thanks for your suggestion, it looks good.
We need to support three ways of sending tokens in response:
- response headers
- response body (requested in this discussion)
- cookies
I am also thinking about using the access & refresh tokens from cookies (if present) for authenticating the request when the Authorization header is missing in the request. It would be better if you can add this too. We are accessing the tokens in the below listed places:
- ApiGuard::JwtAuth::Authentication#authenticate_and_set_resources
- ApiGuard::TokensController#find_refresh_token
- lib/generators/api_guard/controllers/templates/tokens_controller.rb
Let me know if you are willing to do these changes.
from api_guard.
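The delivery "strategy" proposed above (headers, body and/or HttpOnly cookies) and the header-first, cookie-fallback lookup the maintainer asks for, as an added plain-Ruby sketch that is not api_guard's code. It assumes the Access-Token / Refresh-Token header names and models requests and responses as plain hashes rather than Rails objects.

```ruby
# Added example, not part of api_guard. Response and request are plain hashes
# so it runs without Rails; header and cookie names are assumptions.
STRATEGIES = %i[headers body cookies].freeze

# Place the freshly issued tokens according to the configured strategies.
# Returns { headers: {}, cookies: {}, body: {} } for the controller to apply.
def set_tokens_in_strategy(access_token, refresh_token, strategies:, secure: true)
  unknown = strategies - STRATEGIES
  raise ArgumentError, "unknown strategy: #{unknown.inspect}" unless unknown.empty?
  raise ArgumentError, 'at least one strategy is required' if strategies.empty?

  response = { headers: {}, cookies: {}, body: {} }
  if strategies.include?(:headers)
    response[:headers]['Access-Token'] = access_token
    response[:headers]['Refresh-Token'] = refresh_token
  end
  if strategies.include?(:body)
    response[:body] = { access_token: access_token, refresh_token: refresh_token }
  end
  if strategies.include?(:cookies)
    # HttpOnly keeps the token away from document.cookie; Secure and SameSite
    # limit where the browser will send it.
    attrs = { httponly: true, secure: secure, same_site: :strict }
    response[:cookies]['access_token'] = attrs.merge(value: access_token)
    response[:cookies]['refresh_token'] = attrs.merge(value: refresh_token)
  end
  response
end

# Request-side lookup: prefer "Authorization: Bearer <token>" and the
# Refresh-Token header; fall back to cookies only when a header is missing.
def tokens_from_request(request)
  headers = request.fetch(:headers, {})
  cookies = request.fetch(:cookies, {})
  auth = headers['Authorization']
  access = nil
  if auth && auth.start_with?('Bearer ')
    bearer = auth.delete_prefix('Bearer ').strip
    access = bearer unless bearer.empty?
  end
  access ||= cookies['access_token']
  refresh = headers['Refresh-Token'] || cookies['refresh_token']
  { access_token: access, refresh_token: refresh }
end
```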
Happy to tackle this if you're up to code review my changes(:
from api_guard.
Yes. I can. Please proceed 👍
from api_guard.
Yes. I can. Please proceed 👍
Will work on this!
from api_guard.
Is there any update on this, cc @Gokul595?
from api_guard.
I got refresh tokens in cookies working in my startup, I am gonna fork the repository and start working on it :)
from api_guard.
And also, I think we need to make the http cookie implementation the default?
from api_guard.