The default for HTTPOnly is incorrect in the views.py on line #92:
```python
if getattr(settings, 'REST_USE_JWT', False):
    from .jwt_auth import set_jwt_cookies
    set_jwt_cookies(response, self.access_token, self.refresh_token)
```
Further, the HTTPOnly should be included in the serializer; no reason to remove it. This will simplify the code and also allow for easier testing. This can be seen on lines 99-103.