The getAuthHeader method currently implements a fallback to request.input('token') if an Authorization header is not set. I just added a second fallback to read the JWT from a cookie if neither an Authorization header nor a token body parameter is set.
This commit permits storing the JWT in an HTTP-only cookie in order to avoid exposing the JWT to JavaScript and thereby reduce the possibilities for XSS attacks.
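As an added illustration of the lookup order described in the commit message (header, then body parameter, then cookie) and of how the cookie is issued with the HttpOnly flag, here is a framework-independent JavaScript sketch. It is not the project's code: the plain-object request shape, the cookie name `token`, and the helper names `resolveJwt`, `parseCookies` and `jwtSetCookieHeader` are assumptions, and the sample token strings are constructed, not real JWTs.

```javascript
// Added example, not the project's own code. The request object is a
// hypothetical stand-in { headers, body } for a framework request.

const COOKIE_NAME = "token"; // assumed cookie name

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(cookieHeader) {
  const out = {};
  if (typeof cookieHeader !== "string") return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Resolve the JWT in the order the commit describes:
//   1. Authorization: Bearer <jwt> header
//   2. body field "token" (the request.input('token') fallback)
//   3. HttpOnly cookie
// Returns { token, source } or null when nothing usable is present.
function resolveJwt(req) {
  const headers = req.headers || {};
  const auth = headers.authorization || headers.Authorization;
  if (typeof auth === "string") {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return { token: m[1], source: "header" };
  }
  if (req.body && typeof req.body.token === "string" && req.body.token !== "") {
    return { token: req.body.token, source: "body" };
  }
  const cookies = parseCookies(headers.cookie || headers.Cookie);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: "cookie" };
  return null;
}

// Build the Set-Cookie header value that stores the JWT out of reach of
// document.cookie. HttpOnly hides it from script; Secure restricts it to
// HTTPS; SameSite=Strict stops the browser attaching it to cross-site requests.
function jwtSetCookieHeader(jwt, maxAgeSeconds) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(jwt)}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Constructed sample request: no header, no body token, cookie only.
const sampleRequest = {
  headers: { cookie: "theme=dark; token=eyJhbGciOiJIUzI1NiJ9.e30.sig" },
  body: {},
};
console.log(resolveJwt(sampleRequest));
console.log(jwtSetCookieHeader("eyJhbGciOiJIUzI1NiJ9.e30.sig", 3600));
```

One caveat worth keeping in mind with the cookie path: HttpOnly keeps an XSS payload from reading the token, but once the JWT travels in a cookie the browser attaches it automatically, so requests authenticated from the cookie source need CSRF protection (SameSite as above, or an anti-CSRF token) that header- or body-sourced tokens do not.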