johnbrett / hapi-auth-bearer-token

Simple Bearer authentication scheme plugin for hapi, accepts token by Header, Cookie or Query parameter.
MIT License
218 stars, 46 forks

Support for passing token over cookie #96

Closed wennergr closed 8 years ago

wennergr commented 8 years ago

A cookie can be used as a transport mechanism for a token.

The name of the cookie is configured through the accessTokenName configuration option (the same option as for the query parameter).

The feature can be disabled by flipping the allowQueryToken configuration option to false. It's enabled by default.

The order of precedence for the token delivery mechanisms is:

  1. Authorization header
  2. Cookie
  3. Query parameter
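The lookup order described in this PR (Authorization header first, then cookie, then query parameter, each of the latter two behind an option), as an added example that is not the plugin's own code. The request shape (lower-cased `headers`, parsed `query`), the option names `allowCookieToken` / `allowQueryToken` / `accessTokenName`, their defaults, and the choice to reject rather than fall through on a malformed Authorization header are all assumptions made for this example:

```javascript
'use strict';

// Added example, not hapi-auth-bearer-token's implementation. Option names,
// defaults and the request shape below are assumptions for illustration.

// Parse a raw Cookie header ("a=1; b=2") into a name -> value map.
// Pairs without "=" are skipped; the first occurrence of a name wins.
function parseCookieHeader(header) {
  const jar = {};
  if (typeof header !== 'string') return jar;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !(name in jar)) jar[name] = value;
  }
  return jar;
}

// Returns { token, source } or null.
// `request` mimics the two hapi fields the example needs:
//   request.headers  -> object with lower-cased header names
//   request.query    -> parsed query-string object
function extractBearerToken(request, options = {}) {
  const {
    accessTokenName = 'access_token', // assumed default name
    allowCookieToken = false,         // assumed: opt-in, off by default
    allowQueryToken = false,          // assumed: opt-in, off by default
    tokenType = 'Bearer',
  } = options;

  const headers = request.headers || {};
  const query = request.query || {};

  // 1. Authorization header: "Bearer <token>", scheme matched case-insensitively.
  const auth = headers.authorization;
  if (typeof auth === 'string' && auth.trim() !== '') {
    const [scheme, ...rest] = auth.trim().split(/\s+/);
    if (scheme.toLowerCase() === tokenType.toLowerCase() && rest.length === 1) {
      return { token: rest[0], source: 'header' };
    }
    // Design choice for this example: a present but malformed header is a
    // failure, not a fall-through to the weaker transports below.
    return null;
  }

  // 2. Cookie, only when explicitly enabled.
  if (allowCookieToken) {
    const cookies = parseCookieHeader(headers.cookie);
    if (cookies[accessTokenName]) {
      return { token: cookies[accessTokenName], source: 'cookie' };
    }
  }

  // 3. Query parameter, only when explicitly enabled.
  const q = query[accessTokenName];
  if (allowQueryToken && typeof q === 'string' && q !== '') {
    return { token: q, source: 'query' };
  }

  return null;
}

// Constructed sample request carrying a token on all three transports at once;
// with every transport enabled the header must win.
const sampleRequest = {
  headers: {
    authorization: 'Bearer tok-from-header',
    cookie: 'theme=dark; access_token=tok-from-cookie',
  },
  query: { access_token: 'tok-from-query' },
};

function demo() {
  return extractBearerToken(sampleRequest, {
    allowCookieToken: true,
    allowQueryToken: true,
  });
}

console.log(demo()); // { token: 'tok-from-header', source: 'header' }
```

Two caveats a deployer of cookie transport should keep in mind: a browser attaches cookies automatically, so a bearer token in a cookie is sent on cross-site requests too and the route needs its own CSRF protection, and a token in the query string ends up in server logs, proxy logs and Referer headers, which is a good reason for both transports to stay opt-in.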
johnbrett commented 8 years ago

Awesome work on this @wennergr, thanks! Just a heads up, I'm going to make this false by default. I don't like adding an extra means of passing credentials without specific opt-in, I would even consider this a breaking change security-wise.

(I know allowQueryToken is enabled by default, but I would prefer this to be false as well; the only thing stopping me is that it's a breaking change, which I'm also hesitant to make!)

AdriVanHoudt commented 8 years ago

@johnbrett maybe open a tracking issue for the things you'd want to change that would be breaking, for the next major version release? I'm in favor of defaulting to false in both cases as well.

johnbrett commented 8 years ago

Good call Adri, issue created: https://github.com/johnbrett/hapi-auth-bearer-token/issues/98. If a few breaking changes surface I'll put them all in the one new major release.