Open iboughtbed opened 1 year ago
@IBoughtBed I wonder why you don't want the refresh/access token in the response of the body when refreshing? Is this because that information won't be used anyway? Or is it for security reasons?
Yes, it is for security reasons. As I said before, it's using HTTP-only cookies. However, maybe they'll add some lines to check if HTTP-only cookies are enabled?
Logoutview
By default the library uses HTTP-only JWT cookies. In logoutview it doesn't take the refresh token from cookies, but instead tries to take it from the request body. So I can't put the refresh token in the body, because it's HTTP-only (not accessible by JavaScript). I searched for answers and one of them offers using middleware, but you can just edit the view (if I have mistakes, please let me know):
So, basically, what I did was change the code to take the token from cookies.
Refresh view
In refresh view it does set access-token cookie, but returns access token in the body of response. So I changed the code to:
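Added example, not the poster's code (which is not reproduced on this page) and not the library's own: a framework-independent sketch of the two behaviours described above, reading the refresh token from the cookie on logout and keeping tokens out of the JSON body on refresh. The `refresh-token` cookie name, the `access`/`refresh` body keys, the lifetimes and every function name are assumptions.

```python
from http.cookies import SimpleCookie

ACCESS_COOKIE = "access-token"    # name used in the post above
REFRESH_COOKIE = "refresh-token"  # assumed name, not shown on the page
TOKEN_FIELDS = ("access", "refresh")  # assumed JSON keys that carry tokens


def parse_cookies(cookie_header):
    """Parse a raw Cookie request header into a plain dict."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def refresh_token_for_logout(cookie_header, body):
    """Logout: read the HttpOnly cookie first; the body fallback (an
    assumption of this sketch) keeps non-browser clients working."""
    token = parse_cookies(cookie_header).get(REFRESH_COOKIE) or body.get("refresh")
    if not token:
        raise ValueError("no refresh token in cookie or body")
    return token


def token_cookie(name, value, max_age):
    """Build a Set-Cookie value that page JavaScript cannot read."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def refresh_response(new_tokens, body):
    """Refresh: put tokens in Set-Cookie headers and strip them from the body."""
    headers = [("Set-Cookie", token_cookie(ACCESS_COOKIE, new_tokens["access"], 300))]
    if "refresh" in new_tokens:  # present only when refresh tokens are rotated
        headers.append(
            ("Set-Cookie", token_cookie(REFRESH_COOKIE, new_tokens["refresh"], 86400))
        )
    safe_body = {k: v for k, v in body.items() if k not in TOKEN_FIELDS}
    return headers, safe_body
```
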