dj-rest-auth
Add a new option to remove access_token in the response data
I am wondering whether the access_token/refresh_token in the response are needed. Since those tokens are already included in the cookie, I think maybe we should have an option (setting) to remove access_token.
For example, add REST_USE_JWT_COOKIE_ONLY to determine this.
views.py, LoginView():

```python
def get_response(self):
    serializer_class = self.get_response_serializer()
    if getattr(settings, 'REST_USE_JWT', False):
        ...
        ...
        if getattr(settings, 'REST_USE_JWT_COOKIE_ONLY', False):
            # proposed: the cookies already carry the tokens, so the body only needs the user
            data = {
                'user': self.user
            }
        else:
            data = {
                'user': self.user,
                'access_token': self.access_token,
                'refresh_token': self.refresh_token,
            }
    ...
    ...
    response = Response(serializer.data, status=status.HTTP_200_OK)
    if getattr(settings, 'REST_USE_JWT', False):
        from .jwt_auth import set_jwt_cookies
        set_jwt_cookies(response, self.access_token, self.refresh_token)
    return response
```
Yeah, same on the refresh token, as this is a security issue. You should actually just send the refresh_token as an http-only token. That way the frontend doesn't have access to it but the server does. The frontend should only have access to the access_token. Then, when requesting a refresh, the server checks that cookie and responds only with the access_token. That prevents certain attacks (where cross-site scripting could steal the refresh token and run away with it).
I would love to remove the refresh tokens from the response body for both the login and refresh endpoints. As a workaround I overrode the LoginView to remove the refresh_token key from the serializer.data. I was wondering what would be the best way to do this for the refresh endpoint. My thought was to override the get_refresh_view() function that is called as the view of the endpoint and delete response.data['refresh'] there, but this seems a bit messy. Did you come up with a clean solution in the end?
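One way to do what the two replies above describe for both the login and the refresh view, as an added example that is not dj-rest-auth's own code: a mixin that uses DRF's `finalize_response` hook to pop the refresh token out of the JSON body and hand it to the browser only as an HttpOnly, Secure, SameSite cookie. It relies only on `response.data`, `response.status_code` and Django's `response.set_cookie`, so constructed stand-ins for `Response` and `APIView` let it run here without Django installed; the cookie name, lifetime and path are assumptions.

```python
REFRESH_COOKIE_NAME = "jwt-refresh-token"             # assumed cookie name
REFRESH_COOKIE_MAX_AGE = 7 * 24 * 3600                # assumed; match REFRESH_TOKEN_LIFETIME
REFRESH_COOKIE_PATH = "/dj-rest-auth/token/refresh/"  # assumed; only the refresh view needs it
REFRESH_BODY_KEYS = ("refresh_token", "refresh")      # login body key, simplejwt refresh key

def split_refresh_token(data):
    """Return (body without the refresh token, refresh token or None)."""
    body, refresh = dict(data), None
    for key in REFRESH_BODY_KEYS:
        if key in body:
            refresh = body.pop(key)
    return body, refresh

class RefreshTokenCookieMixin:
    """Mix in before LoginView or the refresh view. finalize_response is the DRF
    hook that sees every response, so only successful JSON bodies are rewritten."""
    def finalize_response(self, request, response, *args, **kwargs):
        response = super().finalize_response(request, response, *args, **kwargs)
        if 200 <= response.status_code < 300 and isinstance(response.data, dict):
            body, refresh = split_refresh_token(response.data)
            if refresh is not None:
                response.data = body              # access token stays for Authorization headers
                response.set_cookie(
                    REFRESH_COOKIE_NAME, refresh, max_age=REFRESH_COOKIE_MAX_AGE,
                    path=REFRESH_COOKIE_PATH,
                    httponly=True,      # unreadable from JavaScript (the XSS point above)
                    secure=True,        # HTTPS only
                    samesite="Strict",  # not attached to cross-site requests
                )
        return response

class StandInResponse:                    # constructed stand-in for DRF's Response
    def __init__(self, data, status_code=200):
        self.data, self.status_code, self.cookies = data, status_code, {}
    def set_cookie(self, key, value, **attrs):
        self.cookies[key] = dict(value=value, **attrs)

class StandInView:                        # constructed stand-in for DRF's APIView
    def finalize_response(self, request, response, *args, **kwargs):
        return response

class DemoLoginView(RefreshTokenCookieMixin, StandInView):
    pass

def demo_login(access="acc.ess.tok", refresh="re.fresh.tok"):
    """Push a constructed login payload through the mixin and return the response."""
    payload = {"user": {"pk": 1}, "access_token": access, "refresh_token": refresh}
    return DemoLoginView().finalize_response(None, StandInResponse(payload))
```

In a project the class would be `class CookieOnlyLoginView(RefreshTokenCookieMixin, LoginView)`, and the same mixin on the refresh view strips simplejwt's `refresh` key. The refresh view still has to read the cookie from `request.COOKIES` and feed it to its serializer; this mixin only handles the response side.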