dj-rest-auth
Sending refresh token via response body when JWT_AUTH_HTTPONLY is set to True
I have worked on projects where the API is consumed by web apps and native apps. I store the jwt in a httponly cookie, which is used by the web app. For the native app, I pass the refresh-token as a response payload upon a successful authentication, which comes in handy when refreshing the token.
For dj_rest_auth, when JWT_AUTH_HTTPONLY is set to true, the refresh token is not passed in the response payload, hence I can't refresh the token since I have no access to the refresh token in the cookie.
Is there a way or a workaround I can use so that the refresh_token is sent when JWT_AUTH_HTTPONLY is set to true?
If you're using http only cookies, you shouldn't pass the refresh token in the payload. The JS client code shouldn't have access to the refresh token.
It's the backend responsibility to refresh the token. The client should only send an HTTP POST request to dj-rest-auth/token/refresh/ and let the backend do the rest.
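An added example (not from the issue thread or from dj-rest-auth itself) of the client-side flow the answer describes: the refresh token stays in the HttpOnly cookie, and the web client only POSTs an empty body to dj-rest-auth/token/refresh/ with credentials included, so the browser attaches the cookie and the backend does the refresh. The base URL, the `fetchImpl` injection point (so the client can be exercised without a server) and the `{"access": "..."}` shape of the refresh response are assumptions.

```javascript
// Added example, not dj-rest-auth's own code. Assumes the dj-rest-auth URLs are mounted
// under /dj-rest-auth/ and that the refresh endpoint answers with {"access": "..."}.
function createApiClient({ baseUrl, fetchImpl = globalThis.fetch } = {}) {
  let accessToken = null; // only the short-lived access token ever lives in JS memory

  async function refreshAccessToken() {
    // The client sends no refresh token at all: with credentials: 'include' the browser
    // attaches the HttpOnly refresh cookie, which is the only place that token exists.
    const res = await fetchImpl(`${baseUrl}/dj-rest-auth/token/refresh/`, {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({}),
    });
    if (!res.ok) {
      accessToken = null; // refresh cookie missing or expired: user must log in again
      return null;
    }
    const data = await res.json();
    accessToken = data.access;
    return accessToken;
  }

  async function request(path, init = {}) {
    const send = () => {
      const headers = { ...(init.headers || {}) };
      if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
      return fetchImpl(`${baseUrl}${path}`, { ...init, credentials: 'include', headers });
    };
    let res = await send();
    if (res.status === 401 && (await refreshAccessToken()) !== null) {
      res = await send(); // retry exactly once with the freshly issued access token
    }
    return res;
  }

  return { request, refreshAccessToken, getAccessToken: () => accessToken };
}
```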