It appears that this article made clear how to use the JWT token on the client side.
Because gin-jwt sends back the token in an httponly cookie, it seems it cannot be read with JS on the client side.
So when we want to send a request to a route that requires JWT authentication, we need to prepare a custom "Bearer" header. But the JWT token must be read, right? And since it won't be read from the httponly cookie, we have to store a copy of it without the httponly flag when the client side redirects pages (losing the first-time login response info), correct?
So from the article above, it seems we need an XSRF-TOKEN and have to put it in the request header too. Then how does gin-jwt deal with this?
XSRF-TOKEN is a separate issue; there are many other libraries out there. I would recommend justinas/nosurf, but the project is dead, so create a fork and build your own library.
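As an added example (not gin-jwt's code, not nosurf's, and not part of this thread), here is a plain net/http middleware showing how the two halves fit together: the JWT stays in the httponly cookie and the server reads it from there (or from an Authorization: Bearer header for non-browser clients), so browser JS never needs a readable copy of it; CSRF is handled by a separate double-submit check, where a JS-readable XSRF-TOKEN cookie must be echoed in an X-XSRF-TOKEN header on state-changing requests, which is the same pattern libraries like nosurf implement. The cookie and header names, the HS256 key and the token-minting helper are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed demo key (assumption); a real service loads it from a secret store.
var hmacKey = []byte("example-hs256-key-not-for-production")

// Cookie and header names are assumptions for this example, not gin-jwt defaults.
const jwtCookie, xsrfCookie, xsrfHeader = "jwt", "XSRF-TOKEN", "X-XSRF-TOKEN"

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 mints a compact HS256 JWT so the example runs offline (stands in for the login step).
func signHS256(c claims) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyHS256 always checks an HMAC (it never trusts the header's alg) and the exp claim.
func verifyHS256(token string, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// tokenFromRequest prefers Authorization: Bearer and falls back to the httponly
// cookie, so browser JS never has to read or store the JWT itself.
func tokenFromRequest(r *http.Request) (string, bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), true
	}
	if c, err := r.Cookie(jwtCookie); err == nil && c.Value != "" {
		return c.Value, true
	}
	return "", false
}

// csrfOK is the double-submit-cookie check: for state-changing methods the
// XSRF-TOKEN cookie and the X-XSRF-TOKEN header must match (constant time).
func csrfOK(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	c, err := r.Cookie(xsrfCookie)
	if err != nil || c.Value == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.Header.Get(xsrfHeader))) == 1
}

// protect rejects requests without a valid JWT (401) or failing the CSRF check (403).
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := tokenFromRequest(r)
		if _, err := verifyHS256(tok, time.Now()); !ok || err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !csrfOK(r) {
			http.Error(w, "csrf check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware with an in-memory request; an empty string omits that part.
func statusFor(method, jwtVal, xsrfCookieVal, xsrfHeaderVal string) int {
	h := protect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	r := httptest.NewRequest(method, "/api/transfer", nil)
	if jwtVal != "" {
		r.AddCookie(&http.Cookie{Name: jwtCookie, Value: jwtVal})
	}
	if xsrfCookieVal != "" {
		r.AddCookie(&http.Cookie{Name: xsrfCookie, Value: xsrfCookieVal})
	}
	if xsrfHeaderVal != "" {
		r.Header.Set(xsrfHeader, xsrfHeaderVal)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

func main() {
	tok := signHS256(claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(statusFor(http.MethodPost, tok, "r4nd0m", "r4nd0m"), statusFor(http.MethodPost, tok, "r4nd0m", ""))
}
```

The point of the split is that each check defends against a different thing: the JWT in the httponly cookie proves who the browser is, and the echoed XSRF-TOKEN proves the request was made by script running on your origin rather than by a cross-site form, since an attacker's page can make the browser send the cookies but cannot read the XSRF-TOKEN cookie to copy it into the header. The server sets the XSRF-TOKEN cookie without the httponly flag (and ideally with SameSite) so page script can read it, which is exactly what the JWT cookie must not allow.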