
How about an XSRF-TOKEN?

Open tomriddle1234 opened this issue 7 years ago • 2 comments

It appears that this article made clear how to use the JWT token on the client side.

Because gin-jwt sends back the token in an httponly cookie, it seems it cannot be read with JS on the client side.

So when we want to send a request to a route that requires JWT authentication, we need to prepare a custom "Bearer" header. But the JWT token must be read, right? And since it won't come from the httponly cookie, we have to store a copy of it without the httponly flag when the client side redirects pages (losing the first-time login response info), correct?

So from the article above, we seem to need an XSRF-TOKEN, and put it in the request header too. Then how does gin-jwt deal with this?

tomriddle1234 avatar Sep 04 '18 03:09 tomriddle1234

See https://github.com/appleboy/gin-jwt/pull/164

appleboy avatar Sep 10 '18 02:09 appleboy

XSRF-TOKEN is a separate issue; there are many other libraries out there. I would recommend justinas/nosurf, but the project is dead, so create a fork and build your own library.

kingcw avatar Oct 12 '18 20:10 kingcw
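The question above asks how to pair an XSRF token with a JWT that lives in an HttpOnly cookie, and the last reply points to a separate library for it. As an added example that is not gin-jwt's or nosurf's code, this standard-library Go middleware shows the double-submit pattern the thread describes: the server issues a second, readable cookie, the client echoes it in a header, and the server compares the two before accepting a state-changing request. The cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN` and the function names are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/http"
)

// Cookie and header names are assumptions for this example, not gin-jwt's own.
const xsrfCookie, xsrfHeader = "XSRF-TOKEN", "X-XSRF-TOKEN"
var errXSRF = errors.New("xsrf token missing or mismatched")

// newXSRFToken returns 32 random bytes, hex-encoded, issued next to the JWT at login.
func newXSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// setXSRFCookie issues the token in a cookie that is deliberately NOT HttpOnly, so
// client JS can read it and echo it in the header; the JWT cookie stays HttpOnly.
// The token alone grants nothing, it only proves the caller could read the cookie.
func setXSRFCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: xsrfCookie, Value: token, Path: "/", Secure: true, SameSite: http.SameSiteStrictMode})
}

// checkXSRF is the double-submit check: the header must equal the cookie, compared
// in constant time so a mismatch does not leak how much of the value matched.
func checkXSRF(r *http.Request) error {
	c, err := r.Cookie(xsrfCookie)
	if err != nil || c.Value == "" {
		return errXSRF
	}
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.Header.Get(xsrfHeader))) != 1 {
		return errXSRF
	}
	return nil
}

// xsrfMiddleware applies the check to state-changing methods only; GET/HEAD/OPTIONS pass.
func xsrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
			if err := checkXSRF(r); err != nil {
				http.Error(w, err.Error(), http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

The JWT cookie itself is never read by this middleware; it is still validated by whatever auth middleware sits behind it, so the XSRF check only adds the same-origin proof the HttpOnly cookie cannot give.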