Douglas
Hi, I am a novice end-user. I found this while looking for a way to do the **append to an array** use case, as in https://github.com/PostgREST/postgrest/issues/465#issuecomment-1199858002: In my case jsonb...
> Right now there are good snippets in http://postgrest.org/en/v5.2/auth.html#logins and they have been working good. But seems the section is a mix of an explanation and how-to. I'm thinking we...
Has there been any more work on this? Is a proxy server still mandatory, or can postgrest be configured to use a cookie header for its JWT? I am pretty...
What protects the `Authorization` header from CSRF that doesn't apply to a `SameSite` cookie? My current understanding is that `cors` is the primary mitigation for CSRF, and pgRest can be...
> I am just not buying the argument that using those cookies is actually any safer than the Authorization header. I clearly have more to learn here; the 'safer' that...
> > If I'm storing this header in local or session storage instead of a cookie, isn't it trivial for an XSS attack to possess? > > Yes, absolutely. This...
@jhf : > Cookie Auth token + Refresh Token. After login two server side http cookies are set auth-token and refresh-token. Every request provides both auth-token and refresh-token. If auth-token...
> Ok, the part I was missing is that PostgREST IS the Authorization server in this story. In that case it stands to reason that it needs to be able...
I solved this problem for myself by removing the library; it was a legacy inclusion from a template by Anton Kalik, specifically https://github.com/antonkalik/session-react-router. If some hapless Googler finds this the...
Starting work on this