
Support Submit/Authed Submit driver for full page reload

Open bjrmatos opened this issue 9 years ago • 3 comments

I think the main idea to use JWT for stateless verification is great, however it would be nice to support apps with full page reloads.

I think that using only the cookie persistence (without header persistence), generating the token, adding it in my view (maybe in a hidden field) and with a middleware that verifies the JWT in the cookie against a field in the req object would make it work. Any thoughts?

bjrmatos avatar Jun 03 '16 08:06 bjrmatos

Hmm... I think you're right. Passing back the token as a header makes sense w/ AJAX, but not really anything else. The double submit pattern is pretty nice though... but as it stands, it only works with cookies and headers. Not sure I want to add yet another CSRF driver, but maybe we could add another "persistence method" (Ex: "form" or "body") that parses out body params, then we can just require users to drop a hidden form param named x-csrf-jwt.

mstuart avatar Jun 08 '16 04:06 mstuart

Thanks for bringing this up @bjrmatos! I'll tag this issue as a feature request and keep this open for contributions (if nobody wants to contribute, I might be able to find some time soon).

mstuart avatar Jun 08 '16 04:06 mstuart

@mstuart thank you! My main intention is to be able to use a single package based on JWT for the CSRF problem no matter if it is a SPA or a web app with full reloads.

Maybe I can find some time and take care of this 👍

bjrmatos avatar Jun 08 '16 04:06 bjrmatos