IndominusByte / fastapi-jwt-auth

FastAPI extension that provides JWT Auth support (secure, easy to use, and lightweight)
http://indominusbyte.github.io/fastapi-jwt-auth/
MIT License
660 stars 153 forks

Refresh Token on Body #37

Open brunohenriquy opened 3 years ago

brunohenriquy commented 3 years ago

I saw that the basic usage is sending the refresh_token in the Header and validating it with Authorize.jwt_refresh_token_required(). Isn't it a best practice to send the refresh_token in the Body? Would this option be a good feature for this lib?

IndominusByte commented 3 years ago

A refresh_token, just like an access_token, is better sent from the header, because it makes it easy for the frontend to access the endpoint on the backend without having to replace the payload when it wants to access an endpoint that requires an access token or a refresh token. Maybe you mean adding a feature for getting the JWT from the JSON body?

brunohenriquy commented 3 years ago

@IndominusByte I am talking about a security aspect; I've read a couple of articles about this. The access_token sent in the header can be logged along the way, but that's ok since its life is short. But the refresh_token has a longer TTL, so having it travel only in the POST body data would be safer.

Here are some references for what I am trying to say: https://stackoverflow.com/a/47710538

https://simpleisbetterthancomplex.com/tutorial/2018/12/19/how-to-use-jwt-authentication-with-django-rest-framework.html "What's The Point of The Refresh Token?"

And yes, in this case we can send the refresh_token in the body and your lib will be able to retrieve it ("add a feature to getting jwt from json body").
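The split the two comments above describe, shown as an added example that is not part of the thread and not fastapi-jwt-auth's own code: a short-lived access token is read from the Authorization header, while the long-lived refresh token is only accepted from the JSON body of the refresh request. The example uses only the standard library (a minimal HS256 JWT mint/verify), so the secret, the function names, the `type` claim used to tell the two token kinds apart, and the TTLs are all assumptions of this example, not the library's configuration.

```python
"""Added example (stdlib only, not fastapi-jwt-auth code).

Shows the header/body split discussed in the issue: access tokens travel
in `Authorization: Bearer ...`, refresh tokens only in the JSON body, and
each endpoint rejects a token of the wrong kind.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for this example
ACCESS_TTL = 15 * 60            # assumed: 15 minutes
REFRESH_TTL = 30 * 24 * 3600    # assumed: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(subject: str, token_type: str, ttl: int, now=None) -> str:
    """Mint an HS256 JWT; the `type` claim is an assumed convention here."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "type": token_type, "iat": now, "exp": now + ttl}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_type: str, now=None) -> dict:
    """Check structure, alg, signature, expiry and token kind; raise on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("type") != expected_type:
        raise ValueError(f"expected a {expected_type} token")
    return payload


def login(subject: str, now=None) -> dict:
    """Issue both tokens; the client keeps the refresh token out of headers."""
    return {
        "access_token": create_token(subject, "access", ACCESS_TTL, now),
        "refresh_token": create_token(subject, "refresh", REFRESH_TTL, now),
    }


def subject_from_header(headers: dict, now=None) -> str:
    """Protected endpoint: only a bearer *access* token in the header is accepted."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return verify_token(token, "access", now)["sub"]


def refresh_from_body(body: dict, now=None) -> dict:
    """Refresh endpoint: the refresh token is taken from the JSON body, never a header."""
    token = body.get("refresh_token")
    if not isinstance(token, str):
        raise ValueError("refresh_token missing from JSON body")
    claims = verify_token(token, "refresh", now)
    return {"access_token": create_token(claims["sub"], "access", ACCESS_TTL, now)}


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value so the run is reproducible
    tokens = login("alice", now=t0)
    print(subject_from_header({"Authorization": "Bearer " + tokens["access_token"]}, now=t0 + 60))
    print(refresh_from_body({"refresh_token": tokens["refresh_token"]}, now=t0 + ACCESS_TTL + 1))
```

The `type` check is the part that matters for the thread's point: a refresh token that leaks from a log line cannot be replayed against a protected endpoint as if it were an access token, and an access token cannot be used to mint new access tokens. Reading the refresh token only from the body keeps it out of the Authorization header that proxies and access logs commonly record.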

IndominusByte commented 3 years ago

Ahh, makes sense. It was my first time seeing the best practice of sending the refresh token via the body payload; thank you for sharing with me @brunohenriquy 🙏 😁. I will fix this issue later in the next version.

brunohenriquy commented 3 years ago

Awesome! If you want, I can give you a hand on it!

IndominusByte commented 3 years ago

Thanks! You can make a PR to me; click this link for information on how to contribute.

brunohenriquy commented 3 years ago

All right!! xD

guillemfrancisco commented 3 years ago

Is anyone working on it? If needed I can help implement the feature! 😄

elpablete commented 3 years ago

Yeah, me too! Is there a PR already? Do you need testing, dev? How can we help?

brunohenriquy commented 3 years ago

@guillemfrancisco @elpablete I didn't have time to code it yet; in fact I changed my approach to use cookies. So if you guys have some spare time and want to code it, go for it.

encryptblockr commented 3 years ago

> @guillemfrancisco @elpablete I didn't have time to code it yet; in fact I changed my approach to use cookies. So if you guys have some spare time and want to code it, go for it.

Do you mind sharing your approach with using cookies? Any link to using cookies that could be helpful? Thanks.

encryptblockr commented 3 years ago

@brunohenriquy is this what you are following for the cookie approach? https://indominusbyte.github.io/fastapi-jwt-auth/usage/jwt-in-cookies/

Or something else? Please share.

shuhaojie commented 1 year ago

Has anyone fixed this issue?