jwt-auth
Allow emitting the refresh token in the response body instead of a cookie
Follow-up on https://github.com/usefulteam/jwt-auth/issues/1#issuecomment-895468941
Goal
- Add an option or constant to emit the refresh token in the response body instead of a cookie.
Details
- For security reasons with regard to web/browser clients, #33 implemented the refresh token only as a cookie.
- In cases where no web (browser) apps are involved (e.g. only native apps), it would be secure to emit the refresh token as part of the token response body.
Notes
- I have no use case for this myself, so I will probably not implement it myself. PRs are welcome, though.
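The following is an added sketch of the two delivery modes the issue contrasts; it is not code from the jwt-auth plugin or from this issue. The function name, the `$inBody` switch (standing in for the proposed option or constant), the cookie name and the cookie attributes are all assumptions made for illustration.

```php
<?php
// Added illustration, not jwt-auth plugin code. All names are hypothetical.

/**
 * Decide how the refresh token leaves the server.
 *
 * @param array  $body         Token response body (already holds the access token).
 * @param string $refreshToken Opaque refresh token value.
 * @param int    $expiresAt    Unix timestamp at which the refresh token expires.
 * @param bool   $inBody       Hypothetical switch for the option the issue proposes.
 * @return array{body: array, headers: string[]}
 */
function example_deliver_refresh_token(array $body, string $refreshToken, int $expiresAt, bool $inBody): array
{
    if ($inBody) {
        // Native-app mode: the token travels in the JSON body and the client
        // keeps it in its own storage. Mark the response as non-cacheable so
        // no intermediary or client cache retains the token.
        $body['refresh_token'] = $refreshToken;
        return ['body' => $body, 'headers' => ['Cache-Control: no-store']];
    }

    // Browser mode (the default): the token is sent only as a cookie.
    // HttpOnly keeps it out of reach of page scripts, Secure restricts it to
    // HTTPS, SameSite=Strict stops it being attached to cross-site requests.
    $cookie = sprintf(
        'refresh_token=%s; Expires=%s; Path=/; Secure; HttpOnly; SameSite=Strict',
        rawurlencode($refreshToken),
        gmdate('D, d M Y H:i:s', $expiresAt) . ' GMT'
    );
    return ['body' => $body, 'headers' => ['Set-Cookie: ' . $cookie]];
}

// Constructed sample values, not real tokens.
$access  = ['token' => 'constructed.access.jwt'];
$refresh = bin2hex(random_bytes(32));
$expires = time() + 30 * 86400;

foreach ([false, true] as $inBody) {
    $out = example_deliver_refresh_token($access, $refresh, $expires, $inBody);
    echo $inBody ? "body mode:\n" : "cookie mode:\n";
    echo json_encode($out, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
}
```

Keeping the cookie path as the default means a browser client never receives the refresh token in a script-readable body unless the body mode is switched on explicitly.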