Tivix / django-rest-auth

This app makes it extremely easy to build Django powered SPAs (Single Page Apps) or Mobile apps, exposing all registration and authentication related functionality as CBVs (Class Based Views) and REST (JSON)
www.tivix.com
MIT License
2.4k stars 662 forks

JWT_AUTH_COOKIE is force to httponly #525

Open kostyachum opened 5 years ago

kostyachum commented 5 years ago

After https://github.com/Tivix/django-rest-auth/pull/345/files was resolved, the cookie became forced HttpOnly and there is no way to change it in a convenient way. Is it possible to add a setting for it or a class attribute? Or maybe extract the set_cookie part into a dedicated method so it can be overridden granularly without overriding get_response?

pou426 commented 5 years ago

JWT is commonly put inside a cookie to prevent XSS attacks, hence the HttpOnly flag; otherwise you'd just put it in some other location such as session/localStorage.

kostyachum commented 5 years ago

True, though it is not something that is forbidden or can't be done; I just suggest extracting a few methods to make it easy to override.
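The refactor the thread is asking for, as an added example that is not django-rest-auth's own code: the cookie-writing step of `get_response` is pulled into a small hook (`get_cookie_kwargs` / `set_jwt_cookie`, both hypothetical names) that a subclass can override on its own, with HttpOnly, Secure and SameSite kept on by default. A `cookie_weaknesses` helper then reports which protections a subclass has switched off, which is the trade-off pou426 points at. The `Response` class is a constructed stand-in for Django's `HttpResponse.set_cookie` so the example runs without Django, and `JWT_AUTH_COOKIE` is used here as an assumed cookie name.

```python
"""Added example, not django-rest-auth's own code: a JWT cookie writer split
into overridable hooks, with secure defaults, plus a check that reports when a
subclass weakens them.  Response is a constructed stand-in for Django's
HttpResponse so this runs offline."""
from dataclasses import dataclass, field

JWT_AUTH_COOKIE = "jwt-auth"  # assumed cookie name, mirrors the setting in the issue title


@dataclass
class Response:
    """Minimal stand-in for django.http.HttpResponse.set_cookie (constructed)."""
    cookies: dict = field(default_factory=dict)

    def set_cookie(self, key, value, max_age=None, path="/", secure=False,
                   httponly=False, samesite=None):
        self.cookies[key] = {"value": value, "max_age": max_age, "path": path,
                             "secure": secure, "httponly": httponly,
                             "samesite": samesite}


class JWTCookieMixin:
    """Hypothetical mixin: the cookie-writing part of get_response() pulled out
    into hooks a subclass can override without reimplementing get_response."""
    cookie_name = JWT_AUTH_COOKIE
    cookie_max_age = 24 * 3600

    def get_cookie_kwargs(self):
        # Secure defaults: not readable from JavaScript, HTTPS only, not sent cross-site.
        return {"max_age": self.cookie_max_age, "path": "/", "secure": True,
                "httponly": True, "samesite": "Lax"}

    def set_jwt_cookie(self, response, token):
        response.set_cookie(self.cookie_name, token, **self.get_cookie_kwargs())
        return response

    def get_response(self, token):
        # The view body stays untouched; subclasses override only the hook.
        return self.set_jwt_cookie(Response(), token)


class ScriptReadableJWTView(JWTCookieMixin):
    """A subclass that opts out of HttpOnly by overriding one hook, which is
    what the issue asks to be possible.  The token is then readable by page
    scripts, so any XSS on the site can read it."""
    def get_cookie_kwargs(self):
        kwargs = super().get_cookie_kwargs()
        kwargs["httponly"] = False
        return kwargs


def cookie_weaknesses(response, name=JWT_AUTH_COOKIE):
    """Return the list of weakened flags on the auth cookie; empty means hardened."""
    c = response.cookies[name]
    findings = []
    if not c["httponly"]:
        findings.append("httponly off: token readable by injected script (XSS)")
    if not c["secure"]:
        findings.append("secure off: token sent over plain HTTP")
    if c["samesite"] not in ("Lax", "Strict"):
        findings.append("samesite missing: cookie sent on cross-site requests")
    return findings


if __name__ == "__main__":
    token = "eyJ.constructed.token"  # constructed placeholder, not a real JWT
    print(cookie_weaknesses(JWTCookieMixin().get_response(token)))
    print(cookie_weaknesses(ScriptReadableJWTView().get_response(token)))
```

A project adopting this shape would keep `get_response` unchanged and let overriding views touch only `get_cookie_kwargs`; running `cookie_weaknesses` in a test suite against every login view catches a subclass that quietly drops a flag.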