
Refresh Token on Body

Open · brunohenriquy opened this issue 4 years ago • 12 comments

I saw that the basic usage is sending the refresh_token on the Header and validating it with Authorize.jwt_refresh_token_required() Isn't it a best practice to send refresh_token on the Body? Would this option be a good feature for this lib?

brunohenriquy avatar Jan 27 '21 20:01 brunohenriquy

A refresh_token, just like an access_token, is better sent from the header, because it makes it easy for the frontend to access the endpoint on the backend without having to replace the payload when it wants to access an endpoint that requires an access token or a refresh token. Maybe you mean to add a feature for getting the JWT from the JSON body?

IndominusByte avatar Jan 28 '21 15:01 IndominusByte

@IndominusByte I am talking about a security aspect; I've read a couple of articles talking about this. The access_token sent in the header can be logged along the way, but that's OK since its life is short. The refresh_token, however, has a longer TTL, so having it travel only in the POST BODY data would be safer.

Here are some references to what I am trying to say: https://stackoverflow.com/a/47710538

https://simpleisbetterthancomplex.com/tutorial/2018/12/19/how-to-use-jwt-authentication-with-django-rest-framework.html "What's The Point of The Refresh Token?"

And yes, in this case we can send the refresh_token in the body and your lib will be able to retrieve it ("add a feature to getting jwt from json body").

brunohenriquy avatar Jan 28 '21 16:01 brunohenriquy
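The flow discussed above, as an added example that is not part of this issue thread and not fastapi-jwt-auth's own code: a `/refresh` handler that reads the refresh token from the JSON body instead of the `Authorization` header, verifies it, and mints a new short-lived access token. To stay runnable without FastAPI or the library installed, it uses a small stdlib-only HS256 JWT signer/verifier; the secret, the subject `alice`, the `type` claim convention (`access` / `refresh`) and the TTLs are all constructed for the example. The same checks the library's `jwt_refresh_token_required()` performs (signature, expiry, and that the `type` claim is `refresh`) are done explicitly here so that an access token posted in the body is rejected.

```python
"""Refresh-token-in-body flow with a minimal HS256 JWT signer/verifier (stdlib only).

Added example; not code from fastapi-jwt-auth. Secret, subject and TTLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for this example

ACCESS_TTL = 15 * 60            # short-lived: leaking it from a log is bounded
REFRESH_TTL = 30 * 24 * 3600    # long-lived: keep it out of headers/URLs that get logged


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(subject: str, token_type: str, ttl: int, secret: bytes,
                 now: Optional[int] = None) -> str:
    """Mint an HS256 JWT; the `type` claim separates access from refresh tokens."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "type": token_type, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_type: str, secret: bytes,
                 now: Optional[int] = None) -> Dict:
    """Check alg, signature, `type` claim and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg from the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("type") != expected_type:
        raise ValueError(f"token is not a {expected_type} token")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def refresh_from_body(request_body: bytes, secret: bytes,
                      now: Optional[int] = None) -> Dict[str, str]:
    """Handler logic for POST /refresh.

    The refresh token is taken from the JSON body field `refresh_token`, not from the
    Authorization header, so it never appears in access logs that record request headers.
    """
    try:
        body = json.loads(request_body)
    except json.JSONDecodeError:
        raise ValueError("body is not JSON")
    token = body.get("refresh_token") if isinstance(body, dict) else None
    if not isinstance(token, str):
        raise ValueError("refresh_token missing from body")
    claims = verify_token(token, "refresh", secret, now)          # rejects access tokens
    access = create_token(claims["sub"], "access", ACCESS_TTL, secret, now)
    return {"access_token": access}


if __name__ == "__main__":
    # Login: the client stores the long-lived refresh token and sends it only in POST bodies.
    refresh = create_token("alice", "refresh", REFRESH_TTL, SECRET)
    body = json.dumps({"refresh_token": refresh}).encode()
    print(refresh_from_body(body, SECRET))
    # An access token offered as a refresh token is refused.
    access = create_token("alice", "access", ACCESS_TTL, SECRET)
    try:
        refresh_from_body(json.dumps({"refresh_token": access}).encode(), SECRET)
    except ValueError as exc:
        print("rejected:", exc)
```

Moving the token into the body removes it from request-line and header logging on proxies and app servers; anything that logs request bodies will still capture it, so the body route is a reduction of exposure, not a substitute for TLS and short refresh-token lifetimes. With fastapi-jwt-auth itself, the equivalent is to read the field from the request body in the route and hand it to the library for verification rather than calling `jwt_refresh_token_required()`, then check the `type` claim is `refresh` before issuing a new access token (assumption: that the installed version's `get_raw_jwt()` accepts an encoded token argument; check the version you run).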

Ahh, makes sense. It was my first time seeing the best practice of sending the refresh token via the body payload, thank you for sharing with me @brunohenriquy 🙏 😁. I will fix this issue later in the next version.

IndominusByte avatar Jan 28 '21 16:01 IndominusByte

Awesome! If you want, I can give you a hand on it!

brunohenriquy avatar Jan 28 '21 17:01 brunohenriquy

Thanks! You can make a PR to me; click this link for information on how to contribute.

IndominusByte avatar Jan 28 '21 17:01 IndominusByte

All right!! xD

brunohenriquy avatar Jan 28 '21 17:01 brunohenriquy

Is anyone working on it? If needed I can help implementing the feature! 😄

guillemfrancisco avatar Mar 24 '21 15:03 guillemfrancisco

Yeah, me too! Is there a PR already, do you need testing, dev? how can we help?

elpablete avatar Jun 10 '21 14:06 elpablete

@guillemfrancisco @elpablete I didn't have time to code it yet, in fact I changed my approach to use cookies. So if you guys have some spare time and want to code it, go for it.

brunohenriquy avatar Jun 10 '21 14:06 brunohenriquy

Do you mind sharing your approach with using cookies? Any link on using cookies that could be helpful? Thanks.

encryptblockr avatar Aug 16 '21 07:08 encryptblockr

@brunohenriquy is this what you following with the cookie approach? https://indominusbyte.github.io/fastapi-jwt-auth/usage/jwt-in-cookies/

or something else? please share

encryptblockr avatar Aug 16 '21 07:08 encryptblockr

Has anyone fixed this issue?

shuhaojie avatar Dec 01 '22 12:12 shuhaojie