cybertooth-io / ermahgerd-rails-api-jwt

Rails 5+ API, JWT_Session, Pundit, JSONAPI, Sidekiq, PostgreSQL.

Choose Your Authentication Adventure #12

Closed nadnoslen closed 5 years ago

nadnoslen commented 5 years ago

Cookie-stored access tokens combined with a CSRF token are the safest form of session management combined with JWT because you are completely resilient to XSS attacks. Request forgery attacks are mitigated by the CSRF token. See CookieAuthenticationsController & RefreshCookiesController.

An access token can be willfully passed down to your client application, but this technique is not recommended for web pages or SPAs. See TokenAuthenticationsController & RefreshTokensController.

All of these new controllers are well tested. All classes have detailed class comments.

See issue #8
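The cookie-plus-CSRF-token flow the comment describes, as an added example that is not code from ermahgerd-rails-api-jwt or its controllers. It is written without Rails so it runs stand-alone; in the real app the cookie and header values would come from `request.cookies` and `request.headers`. The HS256 signing with a static secret, the cookie names `access_token` and `csrf_token`, and the `X-CSRF-Token` header are assumptions for the example. The access-token cookie is `HttpOnly`, so page script cannot read it; the CSRF token is a second, readable cookie that the client must echo back in a header, so a cross-site form post (which carries the cookies but cannot set a custom header) is refused. Note what `HttpOnly` does and does not buy: it keeps the token out of `document.cookie`, but script already running on the page can still make same-origin requests with it, so XSS still has to be prevented separately.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

# Added example (not code from ermahgerd-rails-api-jwt): cookie-stored JWT plus a
# double-submit CSRF token. Secret, cookie names and header name are assumptions.
module CookieJwtSession
  SECRET        = "example-hmac-secret-do-not-use" # assumption: HS256 with a static secret
  ACCESS_COOKIE = "access_token"                   # assumed cookie name
  CSRF_COOKIE   = "csrf_token"                     # assumed cookie name
  CSRF_HEADER   = "X-CSRF-Token"                   # assumed header name

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.sign(data)
    OpenSSL::HMAC.digest("SHA256", SECRET, data)
  end

  # Constant-time string comparison so a signature/token check does not leak
  # how many leading bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mint an HS256 JWT for a subject, valid for ttl seconds.
  def self.encode_jwt(sub, ttl: 900, now: Time.now.to_i)
    header  = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
    payload = b64url(JSON.generate({ sub: sub, iat: now, exp: now + ttl }))
    "#{header}.#{payload}.#{b64url(sign("#{header}.#{payload}"))}"
  end

  # Verify the signature and expiry; return the claims hash, or nil on any failure.
  def self.decode_jwt(token, now: Time.now.to_i)
    head, body, sig = token.to_s.split(".")
    return nil unless head && body && sig
    return nil unless secure_equal?(sig, b64url(sign("#{head}.#{body}")))
    claims = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    claims
  rescue JSON::ParserError, ArgumentError
    nil
  end

  # Set-Cookie lines a login response would emit. The access token is HttpOnly so
  # page script cannot read it; the CSRF cookie is readable on purpose, because
  # the client has to copy it into the CSRF header on each state-changing request.
  def self.login_cookies(sub)
    csrf = SecureRandom.hex(32)
    [
      "#{ACCESS_COOKIE}=#{encode_jwt(sub)}; Path=/; HttpOnly; Secure; SameSite=Strict",
      "#{CSRF_COOKIE}=#{csrf}; Path=/; Secure; SameSite=Strict",
    ]
  end

  # Turn Set-Cookie lines into the name=>value hash a browser would send back.
  def self.parse_cookies(set_cookie_lines)
    set_cookie_lines.each_with_object({}) do |line, h|
      name, value = line.split(";", 2).first.split("=", 2)
      h[name] = value
    end
  end

  # Authorize a request: a valid JWT in the cookie AND a CSRF header equal to the
  # CSRF cookie. A forged cross-site request carries the cookies but cannot set
  # the header, so it fails the second check.
  def self.authorize(cookies, headers)
    claims = decode_jwt(cookies[ACCESS_COOKIE])
    return [:unauthorized, nil] unless claims
    expected = cookies[CSRF_COOKIE].to_s
    given    = headers[CSRF_HEADER].to_s
    return [:forbidden, nil] if expected.empty? || !secure_equal?(given, expected)
    [:ok, claims["sub"]]
  end
end

if $PROGRAM_NAME == __FILE__
  jar = CookieJwtSession.parse_cookies(CookieJwtSession.login_cookies("user-42"))
  p CookieJwtSession.authorize(jar, { "X-CSRF-Token" => jar["csrf_token"] }) # [:ok, "user-42"]
  p CookieJwtSession.authorize(jar, {})                                      # [:forbidden, nil]
end
```

The refresh-cookie flow in the issue is the same shape with a longer-lived token in a second cookie; the point to keep is that every cookie-authenticated state change is gated on the header/cookie CSRF match, and that the token cookie never loses `HttpOnly`.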