iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

[Security] Remove tokens from response body if httpOnly Cookie and Rotate Refresh token is being Used #580

Closed Aniket-Singla closed 3 months ago

Aniket-Singla commented 6 months ago

The reason for using cookies over a Bearer token in headers is that JavaScript code can't access HttpOnly cookies.

Currently I see that, even if we are using cookies for authentication, we are not removing the tokens from the response body. For now, I have only made this change for the refresh token and not changed anything related to the access token, to be consistent with LoginView. But I believe we should remove the access token as well if we are using HttpOnly cookies.

L0PiTaL commented 5 months ago

Although I am new to the project, I agree that tokens should be hidden.

Note that expiration dates are controlled by JWT_AUTH_RETURN_EXPIRATION, so your PR should test for that setting for the expiration date, entirely independently of JWT_AUTH_HTTPONLY.

I agree that the auth tokens should also be hidden in a similar way, although maybe using separate settings.
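As an added illustration (not dj-rest-auth's own code) of the behaviour the PR and the reply above describe: a small, Django-free model of a login/refresh response in which JWT_AUTH_HTTPONLY moves both tokens into HttpOnly cookies and out of the body, while the expiration timestamps follow JWT_AUTH_RETURN_EXPIRATION alone. The cookie-name, secure and samesite setting names are assumed to mirror dj-rest-auth's, and the sample tokens are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AuthSettings:
    # Setting names assumed to mirror dj-rest-auth's; values are constructed defaults.
    JWT_AUTH_HTTPONLY: bool = True
    JWT_AUTH_RETURN_EXPIRATION: bool = False
    JWT_AUTH_COOKIE: str = "jwt-auth"
    JWT_AUTH_REFRESH_COOKIE: str = "jwt-refresh"
    JWT_AUTH_SECURE: bool = True
    JWT_AUTH_SAMESITE: str = "Lax"


@dataclass
class TokenResponse:
    body: dict                                   # JSON payload the client script can read
    cookies: dict = field(default_factory=dict)  # cookie name -> Set-Cookie attributes


def build_token_response(access, refresh, access_exp, refresh_exp, cfg):
    """With JWT_AUTH_HTTPONLY the tokens travel only in HttpOnly cookies and are
    omitted from the body; expiration fields depend only on JWT_AUTH_RETURN_EXPIRATION."""
    now = datetime.now(timezone.utc)
    body, cookies = {}, {}
    if cfg.JWT_AUTH_HTTPONLY:
        for name, value, exp in ((cfg.JWT_AUTH_COOKIE, access, access_exp),
                                 (cfg.JWT_AUTH_REFRESH_COOKIE, refresh, refresh_exp)):
            cookies[name] = {"value": value, "httponly": True,
                             "secure": cfg.JWT_AUTH_SECURE, "samesite": cfg.JWT_AUTH_SAMESITE,
                             "max_age": max(0, int((exp - now).total_seconds()))}
    else:
        body["access"], body["refresh"] = access, refresh
    if cfg.JWT_AUTH_RETURN_EXPIRATION:
        body["access_expiration"] = access_exp.isoformat()
        body["refresh_expiration"] = refresh_exp.isoformat()
    return TokenResponse(body, cookies)


def cookie_tokens_in_body(resp):
    """Regression check: names of cookies whose token value also appears in the body."""
    return sorted(n for n, c in resp.cookies.items() if c["value"] in resp.body.values())


# Constructed sample inputs for running the module stand-alone.
SAMPLE_ACCESS, SAMPLE_REFRESH = "access.jwt.sample", "refresh.jwt.sample"
SAMPLE_ACCESS_EXP = datetime.now(timezone.utc) + timedelta(minutes=5)
SAMPLE_REFRESH_EXP = datetime.now(timezone.utc) + timedelta(days=1)
```

The `cookie_tokens_in_body` check is the kind of assertion a test for this PR can make: it must return an empty list for every HttpOnly configuration.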