
[Security] Remove tokens from response body if httpOnly Cookie and Rotate Refresh token is being Used

Open Aniket-Singla opened this issue 1 year ago • 1 comment

The reason for using cookies over a Bearer token in headers is that JavaScript code can't access HttpOnly cookies.

Currently I see that, even if we are using cookies for authentication, we are not removing the tokens from the response body. For now, I have only made this change for the refresh token and not changed anything related to the access token, to be consistent with LoginView. But I believe we should remove the access token as well if we are using HttpOnly cookies.

Aniket-Singla, Jan 09 '24 05:01

Although I am new to the project, I agree that tokens should be hidden.

Note that expiration dates are controlled by JWT_AUTH_RETURN_EXPIRATION, so your PR should test for that setting for the expiration date, entirely independently of JWT_AUTH_HTTPONLY.

I agree that the auth tokens should also be hidden in a similar way, although maybe using separate settings.

L0PiTaL, Feb 03 '24 15:02
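The behaviour both participants are asking for, as an added example that is not dj-rest-auth's own code: tokens are emitted either as HttpOnly cookies or in the JSON body, never both, while the expiration timestamps are governed only by `JWT_AUTH_RETURN_EXPIRATION`, exactly independent of `JWT_AUTH_HTTPONLY`. It goes beyond the issue's PR by stripping the access token as well as the refresh token. The `JwtSettings` dataclass, `build_token_response`, `set_cookie_header`, `body_leaks_secret` and the `SAMPLE_*` values are assumptions of this example (the setting names mirror the thread, the objects do not exist in the library), and the tokens are constructed strings, not real JWTs.

```python
"""Added example, not dj-rest-auth code: keep tokens out of the JSON body when
they are delivered as HttpOnly cookies, and return expiration timestamps only
when JWT_AUTH_RETURN_EXPIRATION asks for them."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


@dataclass(frozen=True)
class JwtSettings:
    """Hypothetical settings object. The attribute names mirror the thread;
    the class itself is an assumption of this example."""
    JWT_AUTH_HTTPONLY: bool = True
    JWT_AUTH_RETURN_EXPIRATION: bool = False
    JWT_AUTH_SECURE: bool = True
    JWT_AUTH_SAMESITE: str = "Lax"
    JWT_AUTH_COOKIE: str = "jwt-auth"
    JWT_AUTH_REFRESH_COOKIE: str = "jwt-refresh"
    JWT_AUTH_REFRESH_COOKIE_PATH: str = "/"


def set_cookie_header(name: str, value: str, expires: datetime, path: str,
                      settings: JwtSettings) -> str:
    """Render one Set-Cookie header value. HttpOnly keeps the token away from
    document.cookie; Secure and SameSite limit where the browser sends it."""
    if expires.tzinfo is None or expires.utcoffset() != timedelta(0):
        raise ValueError("expires must be a UTC-aware datetime")
    parts = [
        f"{name}={value}",
        f"Expires={format_datetime(expires, usegmt=True)}",
        f"Path={path}",
        f"SameSite={settings.JWT_AUTH_SAMESITE}",
        "HttpOnly",
    ]
    if settings.JWT_AUTH_SECURE:
        parts.append("Secure")
    return "; ".join(parts)


def build_token_response(access: str, refresh: str, access_exp: datetime,
                         refresh_exp: datetime, settings: JwtSettings):
    """Return (json_body, set_cookie_headers) for a login or refresh response.

    Tokens go EITHER into HttpOnly cookies OR into the body, never both.
    Expiration fields depend solely on JWT_AUTH_RETURN_EXPIRATION."""
    body: dict = {}
    headers: list = []
    if settings.JWT_AUTH_HTTPONLY:
        headers.append(set_cookie_header(settings.JWT_AUTH_COOKIE, access,
                                         access_exp, "/", settings))
        headers.append(set_cookie_header(settings.JWT_AUTH_REFRESH_COOKIE,
                                         refresh, refresh_exp,
                                         settings.JWT_AUTH_REFRESH_COOKIE_PATH,
                                         settings))
    else:
        body["access"] = access
        body["refresh"] = refresh
    if settings.JWT_AUTH_RETURN_EXPIRATION:
        body["access_expiration"] = access_exp.isoformat()
        body["refresh_expiration"] = refresh_exp.isoformat()
    return body, headers


def body_leaks_secret(body: dict, secrets) -> bool:
    """Regression check for a test suite: does any secret value appear anywhere
    in the serialized body, including nested keys a later change might add?"""
    serialized = json.dumps(body)
    return any(secret in serialized for secret in secrets)


# Constructed sample values for running the example; not real tokens.
SAMPLE_NOW = datetime(2024, 1, 9, 5, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_EXP = SAMPLE_NOW + timedelta(minutes=5)
SAMPLE_REFRESH_EXP = SAMPLE_NOW + timedelta(days=1)

if __name__ == "__main__":
    for cfg in (JwtSettings(), JwtSettings(JWT_AUTH_RETURN_EXPIRATION=True),
                JwtSettings(JWT_AUTH_HTTPONLY=False)):
        body, headers = build_token_response("acc.tok", "ref.tok",
                                             SAMPLE_ACCESS_EXP,
                                             SAMPLE_REFRESH_EXP, cfg)
        print(cfg, body, headers,
              "LEAK" if body_leaks_secret(body, ["acc.tok", "ref.tok"]) else "ok")
```

`body_leaks_secret` is the check worth keeping in a test suite: it searches the whole serialized body for the token strings, so it keeps catching the leak even if a later change nests the tokens under a different key.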