
Is there any way to implement HTTP Only Cookies? #47

Open
gczh opened this issue Apr 4, 2021 · 9 comments
Labels
enhancement New feature or request

Comments

@gczh

gczh commented Apr 4, 2021

Implemented this gem for JWT auth and it works like a charm, even with GraphQL.

However, using localStorage to store the Bearer token isn't very secure. Using HTTP Only Cookies seems to be a reasonable solution to that security issue. However, it seems that api_guard only supports the use of HTTP headers to retrieve the tokens (including the refresh tokens).

Would it be possible to override the controllers to implement support for using HTTP Only cookies to retrieve the bearer and refresh tokens?

@gczh gczh added the doubt Need help on the usage label Apr 4, 2021
@gczh
Author

gczh commented Apr 4, 2021

Managed to do some workarounds for now but it's a shoddy approach.

[screenshot omitted: CleanShot 2021-04-04 at 12 10 05@2x]

Overrode AuthenticationController and set the access + refresh tokens after it's generated and set in the headers by api_guard.

I took a look at the gem's core code further and I think we could probably add support for HTTP Only Cookie as an alternative to using Request Headers.

My suggestion is to:

  • Refactor create_token_and_set_header(resource, resource_name) to create_token_and_set_in_strategy
  • Add a create_token_and_set_in_strategy to allow users to specify which strategy they'd like: HTTP Only Cookie or Request Headers, or both
  • Allow users to specify the configuration in the api_guard.rb initializer file. Some users might want to have both Request Headers and HTTP Only Cookie support?

Would love to give this a try if you're open to it.

@Gokul595
Owner

Gokul595 commented Apr 5, 2021

@gczh Thanks for your suggestion, it looks good.

We need to support three ways of sending tokens in response:

I am also thinking about using the access & refresh tokens from cookies (if present) for authenticating the request when the Authorization header is missing from the request. It would be better if you can add this too. We are accessing the tokens in the places listed below:

  • ApiGuard::JwtAuth::Authentication#authenticate_and_set_resources
  • ApiGuard::TokensController#find_refresh_token
  • lib/generators/api_guard/controllers/templates/tokens_controller.rb

Let me know if you are willing to do these changes.
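A sketch of the two proposals in this thread, gczh's strategy-based setter (headers, cookies, or both) and Gokul595's lookup that falls back to the cookie only when the Authorization header is missing, as an added example. This is not api_guard's code: the `Response`/`Request` structs are stand-ins for the Rails objects so the snippet runs outside Rails, and the method names (`set_tokens_in_strategy`, `access_token_from`, `refresh_token_from`), the cookie names and the TTL values are assumptions for illustration. The header names `Access-Token` and `Refresh-Token` are used here as assumed response/request header names.

```ruby
# Stand-ins for the Rails response/request objects (constructed for this
# example; api_guard itself operates on ActionDispatch objects).
Response = Struct.new(:headers)
Request  = Struct.new(:headers, :cookies)

# Assumed lifetimes for the two tokens (example values).
ACCESS_TTL  = 30 * 60               # 30 minutes
REFRESH_TTL = 30 * 24 * 60 * 60     # 30 days

# Builds a Set-Cookie value. HttpOnly keeps the token out of reach of page
# scripts (the localStorage concern above), Secure keeps it off plaintext
# transport, and SameSite limits cross-site sending of the cookie.
def cookie_attributes(name, value, max_age:, same_site: "Strict")
  "#{name}=#{value}; Path=/; Max-Age=#{max_age}; HttpOnly; Secure; SameSite=#{same_site}"
end

# gczh's proposed create_token_and_set_in_strategy: the configured
# strategy (:headers, :cookies, or both) decides where the tokens go.
def set_tokens_in_strategy(response, access_token, refresh_token, strategies:)
  strategies = Array(strategies)
  unknown = strategies - %i[headers cookies]
  raise ArgumentError, "unknown token strategy: #{unknown.inspect}" unless unknown.empty?

  if strategies.include?(:headers)
    response.headers["Access-Token"]  = access_token
    response.headers["Refresh-Token"] = refresh_token
  end

  if strategies.include?(:cookies)
    # One Set-Cookie line per token; Rails would emit these as separate headers.
    response.headers["Set-Cookie"] = [
      cookie_attributes("access_token",  access_token,  max_age: ACCESS_TTL),
      cookie_attributes("refresh_token", refresh_token, max_age: REFRESH_TTL)
    ]
  end

  response
end

# Gokul595's lookup order: the Authorization header wins; the cookie is
# consulted only when the header is absent or carries no token.
# Returns nil when neither location has one.
def access_token_from(request)
  header = request.headers["Authorization"]
  if header && header.start_with?("Bearer ")
    token = header.delete_prefix("Bearer ").strip
    return token unless token.empty?
  end
  request.cookies["access_token"]
end

# Same order for the refresh token: request header first, then cookie.
def refresh_token_from(request)
  request.headers["Refresh-Token"] || request.cookies["refresh_token"]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, not real tokens.
  resp = set_tokens_in_strategy(Response.new({}), "acc.example", "ref.example",
                                strategies: %i[headers cookies])
  puts resp.headers["Set-Cookie"]
  req = Request.new({}, { "access_token" => "acc.example" })
  puts "token from cookie fallback: #{access_token_from(req)}"
end
```

Once the token rides in a cookie the browser attaches it automatically, so a cookie strategy also needs CSRF protection on state-changing endpoints; `SameSite=Strict` above reduces that exposure but is not a substitute for a CSRF token on forms that must work cross-site.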

@gczh
Author

gczh commented Apr 5, 2021

Happy to tackle this if you're up to code review my changes(:

@Gokul595
Owner

Gokul595 commented Apr 7, 2021

Yes. I can. Please proceed 👍

@Gokul595 Gokul595 added enhancement New feature or request and removed doubt Need help on the usage labels Apr 8, 2021
@gczh
Author

gczh commented Apr 9, 2021

> Yes. I can. Please proceed 👍

Will work on this!

@mdodell

mdodell commented May 29, 2022

Is there any update on this, cc @Gokul595?

@hassanrbh

I got refresh tokens in cookies working in my startup. I am gonna fork the repository and start working on it :)

@hassanrbh

And also, I think we need to make the HTTP cookie implementation the default?

@hassanrbh

#63 here is the implementation. Also, something is wrong in the repository: it needs a Cognitive Complexity of 5, but I am exceeding it. I wrote a custom TokensController, RegistrationController and also AuthenticationController. To get yourself ready as fast as possible, it combines the three response methods: I am storing the refresh token in the cookie (with jit as a keyword) and leaving the access token in the headers, because in the frontend I will store it in the state using Redux, access it from the state and do my logic. And when you sign in or sign up, I am returning the access token in the response body.
