Open robertjd opened 9 years ago
Can the access token be used as a CSRF token? I came across the concept of double submit cookies. I'm using Angular on the client and it's only a simple configuration to have Angular return the access token in the X-XSRF-TOKEN header, and then on the server I can compare the cookie and header after the stormpath middleware.
Sounds simple but is it right?
Never mind, the access token is rightfully HttpOnly.
Hey @robertjd, is this still in the works? I found this during my Google search for resources on how CSRF tokens are created and validated in express-stormpath.
This is probably going to come in the form of some suggested modules to use, not something that is built into this library.
Because we are storing authentication information in cookies, we need to implement a CSRF strategy for this module. Any middleware function which is using cookies to authenticate the request should assert that the request is coming from the same domain as the cookie.