iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

Refresh Token to be saved as a http only cookie instead of Access Token #566

Status: Closed (anykate closed this 8 months ago)

anykate commented 8 months ago

Hello,

I am requesting that the developers of this repository include the "refresh token", instead of the access token, as an HTTP-only cookie (HttpOnly=true), along with sessionid (HttpOnly=true) and csrftoken (HttpOnly=false), in the response to the /dj-rest-auth/login/ (POST) endpoint.

The reason is that "refresh_token" is neither included in the response data nor set as an HttpOnly cookie, which makes it difficult to get hold of the refresh token (from the Django server) when the access token expires.

Setting the refresh token as an HttpOnly cookie and returning the access token in the response data will make it possible to access both tokens at the appropriate point in the code.

Please let me know your thoughts on this.

Thanks, A.

anykate commented 8 months ago

After doing some research, I came to know that the setting below will include the refresh token as an HttpOnly cookie: "JWT_AUTH_REFRESH_COOKIE": "refresh"

Hence I closed this request.
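A small check for the outcome discussed in this issue, added here as an example (it is not dj-rest-auth code): it inspects a login response and confirms that the refresh token arrives only in an HttpOnly, Secure, SameSite cookie and never in the JSON body. The Set-Cookie headers and body are constructed sample data; the cookie name "refresh" follows the JWT_AUTH_REFRESH_COOKIE value above.

```python
import json
from http.cookies import SimpleCookie

# Constructed sample login response (made up for this example): the cookie
# name "refresh" matches the JWT_AUTH_REFRESH_COOKIE setting from the issue.
SAMPLE_SET_COOKIES = [
    "refresh=eyJhbGciOi.refresh.part; Path=/; HttpOnly; Secure; SameSite=Lax",
    "sessionid=abc123; Path=/; HttpOnly; SameSite=Lax",
    "csrftoken=xyz789; Path=/; SameSite=Lax",
]
SAMPLE_BODY = '{"access": "eyJhbGciOi.access.part", "user": {"pk": 1}}'


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, flags)."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))
    morsel = jar[name]
    flags = {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"] or None,  # "" when the attribute is absent
    }
    return name, morsel.value, flags


def audit_login_response(set_cookie_headers, body_text, refresh_cookie_name="refresh"):
    """Return a list of findings; an empty list means the refresh token only
    travels in a hardened HttpOnly cookie and is not exposed in the JSON body."""
    findings = []
    cookies = {
        name: (value, flags)
        for name, value, flags in map(parse_set_cookie, set_cookie_headers)
    }
    if refresh_cookie_name not in cookies:
        findings.append(f"no '{refresh_cookie_name}' cookie set (check JWT_AUTH_REFRESH_COOKIE)")
        return findings
    value, flags = cookies[refresh_cookie_name]
    if not flags["httponly"]:
        findings.append("refresh cookie is readable from JavaScript (missing HttpOnly)")
    if not flags["secure"]:
        findings.append("refresh cookie can be sent over plain HTTP (missing Secure)")
    if flags["samesite"] is None:
        findings.append("refresh cookie has no SameSite attribute")
    body = json.loads(body_text)
    if "refresh" in body or "refresh_token" in body or value in body_text:
        findings.append("refresh token also appears in the JSON body")
    return findings
```

Run it against the real headers and body captured from your own /dj-rest-auth/login/ response to confirm the deployed settings (JWT_AUTH_HTTPONLY, JWT_AUTH_SECURE, JWT_AUTH_SAMESITE) behave as expected.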