appleboy / gin-jwt

JWT Middleware for Gin framework
MIT License

How about an XSRF-TOKEN? #161

Open tomriddle1234 opened 6 years ago

tomriddle1234 commented 6 years ago

It appears that this article made clear how to use the JWT token on the client side.

Because gin-jwt sends back the token in an httponly cookie, it seems it cannot be read with JS on the client side.

So when we want to send a request to a route that requires JWT authentication, we need to prepare a custom "Bearer" header. But the JWT token must be read, right? And since it won't be from the httponly cookie, we have to store a copy of it without the httponly flag when the client side redirects pages (losing the first-time login response info), correct?

So from the article above, we seem to need an XSRF-TOKEN and to put it in the request header too. Then how does gin-jwt deal with this?
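The double-submit pattern described in this post (JWT in an HttpOnly cookie, an XSRF-TOKEN in a readable cookie that the page copies into a request header, the server comparing the two), as an added example that is not part of this issue or of gin-jwt. It is written against net/http so it runs without Gin; the function names issueXSRFCookie, validXSRF and requireXSRF and the header name X-XSRF-TOKEN are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
)

const xsrfCookieName = "XSRF-TOKEN"   // readable cookie: no HttpOnly flag
const xsrfHeaderName = "X-XSRF-TOKEN" // header the page's own script must set (assumed name)
// issueXSRFCookie sets a random token in a JS-readable cookie and returns it.
func issueXSRFCookie(w http.ResponseWriter) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{
		Name:     xsrfCookieName,
		Value:    tok,
		Path:     "/",
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
		// HttpOnly deliberately false: the page script must read this one; the JWT cookie stays HttpOnly.
	})
	return tok, nil
}

// validXSRF is the double-submit check: the cookie the browser attaches on its own must equal the header value, which only same-origin script can supply.
func validXSRF(r *http.Request) bool {
	c, err := r.Cookie(xsrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	h := r.Header.Get(xsrfHeaderName)
	return h != "" && subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) == 1
}

// requireXSRF rejects state-changing requests that fail the check; GET, HEAD and OPTIONS are exempt.
func requireXSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && !validXSRF(r) {
			http.Error(w, "invalid XSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

A cross-site form post carries the cookie but not the header, so it fails the check; the same function bodies drop into a gin.HandlerFunc by reading c.Request and c.Writer.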

appleboy commented 6 years ago

See https://github.com/appleboy/gin-jwt/pull/164

kingcw commented 5 years ago

XSRF-TOKEN is a separate issue; there are many other libraries out there. I would recommend justinas/nosurf, but the project is dead, so create a fork and build your own library.