Open rostgoat opened 7 months ago
HTTPOnly cookies are sent with every request, and the very point is that Javascript cannot access them. Getting them in the response would defeat that.
Arguably it shouldn't return the access token either, as you shouldn't be using it. You need to store the expiration times and use them to determine if the credentials will still be valid, as well as appropriately handle 401 errors.
To refresh with JWT_HTTP_ONLY
on, you post an empty body to the refresh endpoint and ensure your javascript is configured to send credentials (cookies) with the request. (In angular you add the parameter withCredentials: true
to the http.post)
If you're past the expiration date of the access token or get a 401, post empty to refresh and store the updated access_expiration
, and if you're past the refresh expiration date or get a 401 from refresh, then prompt the user for re-authentication.
@rostgoat
/token/refresh
View, accept the refresh_token
on the body, not in the headers.
So, when you use a httponly
flag in the cookies, it's no longer accessible by the Javascript
. And for that, you can't add the refresh_token
as a payload.
httponly
flag is enabled in the cookies, the browser automatically adds the cookies on every api request.That's the main purpose of using a httponly
flag
refresh_token
on the server and retrieve a new access_token
?The answer is that you have to move the headers
cookies to the payload
This is something like a preflight process. The client sent a request on the server with appropriate cookies headers, and when it was received by the server, It should extract the refresh_token
from the request headers and added to payload
. That's it !
You can archive this by simply creating a middleware.py
and adding the middleware to your django settings.py
Here is the middleware code! []()https://github.com/iMerica/dj-rest-auth/issues/97#issuecomment-739942573
This issue was solved 4 years ago,
In 2024, it should be added to this project. Don't know why it has still not been added,
Thanks to @Wolf-Byte
+1
+1
@rostgoat
/token/refresh
View, accept therefresh_token
on the body, not in the headers.So, when you use a
httponly
flag in the cookies, it's no longer accessible by theJavascript
. And for that, you can't add therefresh_token
as a payload.Note: If the
httponly
flag is enabled in the cookies, the browser automatically adds the cookies on every api request.That's the main purpose of using a
httponly
flagSo the question is, if we can't access the cookies. How are we gonna send the
refresh_token
on the server and retrieve a newaccess_token
?The answer is that you have to move the
headers
cookies to thepayload
This is something like a preflight process. The client sent a request on the server with appropriate cookies headers, and when it was received by the server, It should extract the
refresh_token
from the request headers and added topayload
. That's it !You can archive this by simply creating a
middleware.py
and adding the middleware to your djangosettings.py
Here is the middleware code! #97 (comment)
This issue was solved 4 years ago,
In 2024, it should be added to this project. Don't know why it has still not been added,
Thanks to @Wolf-Byte
There is no need to add refresh token to request. The refresh cookie will directly be used from the cookie headers to produce a new access token for the user.
See https://github.com/iMerica/dj-rest-auth/blob/master/dj_rest_auth/jwt_auth.py#L84
I am using this functionality without any issues. I believe this particular issue should be closed.
From the docs:
/dj-rest-auth/token/refresh/ (POST)
(see also)Then if you visit the (see also) link, here is what it says:
So what's the issue?
if
JWT_AUTH_HTTPONLY
is set toTrue
,refresh
returns an empty string when a login request is made. So how can one refresh an expired JWT if the above endpoint expects a refresh token to be present in the payload?As described in the docs: