Open mbegoc opened 10 months ago
EDIT - Realized when I looked at this I missed that this was this library's source :facepalm:
That's the idea behind HttpOnly cookies: the app doesn't handle them, the server and the browser do - and they are sent on each request to the server automatically.
In the Django request object, there is a COOKIES property - the code needs to look there if JWT_HTTP_ONLY is on:
request.COOKIES['token']
A simple edit to the APIView to have an if condition there should do the trick, I'll test that.
I've opened a PR to address this one @iMerica
Fix has merged to master, pending release.
Can this be closed? I see it's released.
On line https://github.com/iMerica/dj-rest-auth/blob/master/dj_rest_auth/views.py#L181 the code looks for the refresh token in the data, but with HTTP_ONLY the token can be found only in the cookies.
Is it by design (no need to blacklist the refresh cookie in this case) or should the code look into both data and cookies?
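The two points raised in this thread (the first comment's "look in request.COOKIES when JWT_HTTP_ONLY is on", and the later question about the logout/blacklist view only reading request.data) are shown together in the following added example. It is not dj-rest-auth code: the setting name JWT_HTTP_ONLY and the cookie and body key names are taken from the thread or assumed here, and the request object is a constructed stand-in with only the COOKIES and data attributes a Django/DRF request exposes, so it runs without Django installed. It reads the cookie first in HttpOnly mode and falls back to the body, and it refuses to report a successful logout when no token was found anywhere, which is the failure mode the last comment describes (a refresh token that silently never gets blacklisted).

```python
"""Added example (not dj-rest-auth code): where a DRF view should look for the
refresh token when the JWT is delivered as an HttpOnly cookie.

Assumptions, labelled: the setting name JWT_HTTP_ONLY and the cookie/body key
names come from the thread or are chosen here; the request object is a
constructed stand-in for a Django/DRF request exposing .COOKIES and .data.
"""
from http.cookies import SimpleCookie
from types import SimpleNamespace


def refresh_cookie_header(name, value):
    """Build the Set-Cookie value the server would send for an HttpOnly refresh token."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True   # page scripts cannot read it, so they cannot echo it in a body
    cookie[name]["secure"] = True     # only sent over HTTPS
    cookie[name]["samesite"] = "Lax"  # not attached to most cross-site requests
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def parse_cookie_header(header):
    """Turn the browser's Cookie request header into a dict, the way Django fills request.COOKIES."""
    jar = SimpleCookie()
    jar.load(header)
    return {key: morsel.value for key, morsel in jar.items()}


def find_refresh_token(request, jwt_http_only, cookie_name="refresh", data_key="refresh"):
    """Locate the refresh token the way the thread proposes.

    With JWT_HTTP_ONLY on, the browser never exposes the cookie to scripts, so a
    browser client cannot send it back in the JSON body: the cookie jar is the
    place to look. The body is still consulted afterwards so non-browser clients
    that post the token explicitly keep working.
    """
    if jwt_http_only:
        token = request.COOKIES.get(cookie_name)
        if token:
            return token
    return request.data.get(data_key)


BLACKLIST = set()  # stand-in for the refresh-token blacklist table


def logout(request, jwt_http_only):
    """Blacklist the refresh token; never report success when none was found."""
    token = find_refresh_token(request, jwt_http_only)
    if not token:
        return {"status": 400, "detail": "no refresh token in cookies or body"}
    BLACKLIST.add(token)
    return {"status": 200, "detail": "refresh token blacklisted"}


def make_request(cookie_header="", data=None):
    """Constructed stand-in for a DRF request: only the attributes the example reads."""
    return SimpleNamespace(COOKIES=parse_cookie_header(cookie_header), data=data or {})


if __name__ == "__main__":
    print(refresh_cookie_header("refresh", "r1"))
    # Constructed browser request: the token arrives only in the Cookie header.
    browser = make_request(cookie_header="token=a1; refresh=r1")
    print(logout(browser, jwt_http_only=True))   # cookie consulted -> 200, token blacklisted
    print(logout(browser, jwt_http_only=False))  # body-only lookup -> 400, nothing blacklisted
```

Running the module shows the difference directly: the same browser request is blacklisted when the cookie jar is consulted and rejected with 400 when only the body is read, which is the case the thread flags for the HttpOnly mode. Returning 400 rather than 200 in that case matters for detection: a logout that reports success without blacklisting anything leaves the refresh token valid until it expires, and nothing in the logs would reveal it.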