
Is there any way to implement HTTP Only Cookies?

Open gczh opened this issue 3 years ago • 9 comments

Implemented this gem for JWT auth and it works like a charm, even with GraphQL.

However, using localStorage to store the Bearer token isn't very secure. Using HTTP Only Cookies seems to be a reasonable solution to that security issue. However, it seems that api_guard only supports the use of HTTP Headers to retrieve the tokens (including the refresh tokens).

Would it be possible to override the controllers to implement support for using HTTP Only cookies to retrieve the bearer and refresh tokens?

gczh avatar Apr 04 '21 03:04 gczh

Managed to do some workarounds for now but it's a shoddy approach.

[screenshot: CleanShot 2021-04-04 at 12 10 05@2x]

Overrode AuthenticationController and set the access + refresh tokens after they're generated and set in the headers by api_guard.

I took a look at the gem's core code further and I think we could probably add support for HTTP Only Cookie as an alternative to using Request Headers.

My suggestion is to:

  • Refactor create_token_and_set_header(resource, resource_name) to create_token_and_set_in_strategy
  • Add a create_token_and_set_in_strategy to allow users to specify which strategy they'd like: Http Only Cookie or Request Headers, or both
  • Allow users to specify the configuration in api_guard.rb initializer file. Some users might want to have both Request Headers and http only cookie support?

Would love to give this a try if you're open to it.

gczh avatar Apr 04 '21 04:04 gczh

@gczh Thanks for your suggestion, it looks good.

We need to support three ways of sending tokens in response:

I am also thinking about using the access & refresh tokens from cookies (if present) for authenticating the request when the Authorization header is missing from the request. It would be better if you can add this too. We are accessing the tokens in the places listed below:

  • ApiGuard::JwtAuth::Authentication#authenticate_and_set_resources
  • ApiGuard::TokensController#find_refresh_token
  • lib/generators/api_guard/controllers/templates/tokens_controller.rb

Let me know if you are willing to do these changes.

Gokul595 avatar Apr 05 '21 04:04 Gokul595
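A sketch of the two pieces discussed above, the strategy-selectable token delivery (headers, HttpOnly cookies, or both) and the cookie fallback when the Authorization header is missing, as an added example and not code from api_guard or its contributors. It models the response and request as plain hashes so it runs without Rails; the `strategy` option, the header names and the cookie names are assumptions.

```ruby
# Added example: deliver access/refresh tokens via headers, HttpOnly cookies, or both,
# and read them back preferring the Authorization header over the cookie.
# Plain Ruby, no Rails: response headers/cookies and request headers/cookies are hashes.
module TokenTransport
  STRATEGIES = %i[header cookie both].freeze
  # Assumed cookie names; a real integration would make these configurable.
  COOKIE_NAMES = { access: "access_token", refresh: "refresh_token" }.freeze

  # Writes the tokens into the response according to the configured strategy.
  # Cookies get HttpOnly (not readable by page JavaScript, unlike localStorage),
  # Secure (sent over TLS only) and SameSite=Strict (not sent on cross-site requests).
  def self.set_tokens(response, access:, refresh:, strategy: :header)
    raise ArgumentError, "unknown strategy #{strategy}" unless STRATEGIES.include?(strategy)
    if %i[header both].include?(strategy)
      response[:headers]["Access-Token"] = access   # assumed header names
      response[:headers]["Refresh-Token"] = refresh
    end
    if %i[cookie both].include?(strategy)
      response[:cookies][COOKIE_NAMES[:access]] = cookie_attrs(access)
      # Scope the refresh cookie to the refresh endpoint so it is not sent with every request.
      response[:cookies][COOKIE_NAMES[:refresh]] = cookie_attrs(refresh, path: "/tokens")
    end
    response
  end

  def self.cookie_attrs(value, path: "/")
    { value: value, httponly: true, secure: true, same_site: :strict, path: path }
  end

  # Reads the access token from a request: "Authorization: Bearer <token>" first,
  # falling back to the HttpOnly cookie when the header is absent or malformed.
  def self.access_token(request)
    auth = request[:headers]["Authorization"].to_s
    return Regexp.last_match(1) if auth =~ /\ABearer (\S+)\z/
    request[:cookies][COOKIE_NAMES[:access]]
  end

  # Same fallback order for the refresh token.
  def self.refresh_token(request)
    request[:headers]["Refresh-Token"] || request[:cookies][COOKIE_NAMES[:refresh]]
  end
end
```

Because the cookie variant is sent automatically by the browser, an endpoint that accepts it must also carry CSRF protection, which the SameSite attribute here only partly provides.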

Happy to tackle this if you're up to code review my changes(:

gczh avatar Apr 05 '21 12:04 gczh

Yes. I can. Please proceed 👍

Gokul595 avatar Apr 07 '21 05:04 Gokul595

> Yes. I can. Please proceed 👍

Will work on this!

gczh avatar Apr 09 '21 09:04 gczh

Is there any update on this, cc @Gokul595?

mdodell avatar May 29 '22 17:05 mdodell

I got refresh tokens in cookies working in my startup, I am gonna fork the repository and start working on it :)

hassanrbh avatar Oct 09 '22 11:10 hassanrbh

And also I think we need to make the HTTP cookie implementation the default?

hassanrbh avatar Oct 09 '22 11:10 hassanrbh

#63 here is the implementation. Also, something is wrong in the repository: it needs a Cognitive Complexity of 5, but I am exceeding it. I wrote a custom TokensController, RegistrationController and AuthenticationController. To get yourself ready as fast as possible, it combines the three response methods: I am storing the refresh token in the cookie (with jit as a keyword) and leaving the access token in the headers, because in the frontend I will store it in the state using redux, access it from the state and do my logic. And when you sign in or sign up, I am returning the access token in the response body.

hassanrbh avatar Oct 09 '22 19:10 hassanrbh