servant-auth

Make "Set-Cookie" header in the response optional

Open AliasQli opened this issue 3 years ago • 2 comments

I noticed that often it's not needed to pass a JWT token in a cookie. A field is added to CookieSettings to let the user specify whether to generate Set-Cookie headers. The default value for it is True, so the default behaviour is kept the same as in previous versions. I made as few changes as possible to add this feature.

AliasQli, Mar 12 '21 14:03

@AliasQli what's the use case?

domenkozar, Mar 19 '21 09:03

@domenkozar Because it's often the desired behaviour of an API server. At least in my use case, there's only one central place for verification (for example, login) and the server will respond with a JSON containing the JWT token, like this:

{
    "token": "someJwtToken"
}

And the client will use this token in all its following requests as its bearer token. In such a use case, the Set-Cookie header is completely unneeded, and may even lead to security problems. Thus I propose making the header optional.

AliasQli, Mar 21 '21 11:03
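The flow AliasQli describes (one login endpoint that answers with a JSON body carrying the JWT, every later request authenticating with an `Authorization: Bearer` header, and no Set-Cookie header anywhere) can be built on servant-auth-server's existing API. The following is an added example written for this page; it is not code from the PR or from the servant-auth repository, and it does not use the new CookieSettings field because the thread never names it. It avoids the Set-Cookie headers by signing the token with `makeJWT` and returning it in the body, rather than going through `acceptLogin`, which is the helper that appends the session and XSRF cookies to a response. The `User`, `Login` and `TokenResponse` types, the `checkCredentials` function and the hard-coded credentials are assumptions made for illustration.

```haskell
{-# LANGUAGE DataKinds         #-}
{-# LANGUAGE DeriveGeneric     #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeOperators     #-}
module Main where

import           Control.Monad.IO.Class   (liftIO)
import           Data.Aeson               (FromJSON, ToJSON)
import qualified Data.ByteString.Lazy     as BL
import qualified Data.Text                as T
import qualified Data.Text.Encoding       as TE
import           GHC.Generics             (Generic)
import           Network.Wai.Handler.Warp (run)
import           Servant
import           Servant.Auth.Server

-- Session claims carried inside the JWT. The ToJWT/FromJWT defaults
-- encode and decode the value through its JSON instances.
newtype User = User { userName :: T.Text } deriving (Show, Generic)
instance ToJSON User
instance FromJSON User
instance ToJWT User
instance FromJWT User

-- Credentials posted to /login (assumed shape).
data Login = Login { username :: T.Text, password :: T.Text } deriving (Show, Generic)
instance FromJSON Login

-- Response body in the {"token": "..."} shape quoted in the thread.
newtype TokenResponse = TokenResponse { token :: T.Text } deriving (Show, Generic)
instance ToJSON TokenResponse

-- /login issues a token; /me only accepts a valid bearer JWT (Auth '[JWT]),
-- so a session cookie would never be consulted even if one were sent.
type LoginAPI     = "login" :> ReqBody '[JSON] Login :> Post '[JSON] TokenResponse
type ProtectedAPI = Auth '[JWT] User :> "me" :> Get '[JSON] User
type API          = LoginAPI :<|> ProtectedAPI

-- Hypothetical credential check; a real server would consult a password store
-- with a proper password hash rather than a literal comparison.
checkCredentials :: Login -> Maybe User
checkCredentials (Login "alice" "correct horse battery staple") = Just (User "alice")
checkCredentials _                                               = Nothing

loginHandler :: JWTSettings -> Login -> Handler TokenResponse
loginHandler jwtCfg creds = case checkCredentials creds of
  Nothing   -> throwError err401
  Just user -> do
    -- makeJWT only signs the claims; unlike acceptLogin it produces no
    -- Set-Cookie headers. Nothing = use the expiry from JWTSettings (none here).
    signed <- liftIO (makeJWT user jwtCfg Nothing)
    case signed of
      Left _    -> throwError err500
      Right tok -> pure (TokenResponse (TE.decodeUtf8 (BL.toStrict tok)))

-- Every AuthResult other than Authenticated (bad signature, expired token,
-- missing header) is rejected with 401.
meHandler :: AuthResult User -> Handler User
meHandler (Authenticated user) = pure user
meHandler _                    = throwError err401

server :: JWTSettings -> Server API
server jwtCfg = loginHandler jwtCfg :<|> meHandler

main :: IO ()
main = do
  -- A fresh key per process start means tokens do not survive a restart;
  -- load a persistent JWK in a real deployment.
  key <- generateKey
  let jwtCfg = defaultJWTSettings key
      -- CookieSettings is still placed in the context because the Auth
      -- combinator's instances expect it, but nothing here emits a cookie.
      ctx    = defaultCookieSettings :. jwtCfg :. EmptyContext
  run 8080 (serveWithContext (Proxy :: Proxy API) ctx (server jwtCfg))
```

With this server, `POST /login` with `{"username":"alice","password":"correct horse battery staple"}` returns only `{"token":"..."}` and no Set-Cookie header, and `GET /me` succeeds only when the client sends that value as `Authorization: Bearer <token>`; a client that wanted the cookie flow instead would switch the login handler to `acceptLogin`, which is exactly the behaviour the PR proposes to make switchable from CookieSettings.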