Use JWT through cookies instead of Bearer scheme in headers #773
I could not find a way in the documentation to use JWT authentication using cookies instead of the Bearer scheme in headers, which requires you to store the JWT in localStorage (which can be fatal in case of an XSS vulnerability). For reference: Where to store JWTs.
This would require recognising the token as:
Seems like a perfect fit to rewrite this in the reverse proxy layer. nginx, apache etc. are all able to read and write HTTP headers while proxying a request.
But how are cookies less vulnerable to XSS than localStorage?
Yes, I was able to get it working using lua-nginx-module to rewrite the request.
If your Postgrest API server is on
Actual request (to nginx proxy by the client):
Request relayed to Postgrest:
Note that the regex used to extract the
What I did was set a local config in the login plpgsql function and do the transfer job in nginx (without Lua).
I expected PostgREST would support reading the token from a cookie, but currently it seems not to. So I have to transfer the token from the Cookie header to the Authorization header.
I hope it could support reading access_token or session_token in the Cookie header as the JWT token.
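A concrete version of the nginx-only rewrite the last comment describes, added here as an illustration; it is neither that commenter's configuration nor part of PostgREST. It assumes PostgREST listens on 127.0.0.1:3000, that the login endpoint sets the JWT in a cookie named `access_token` with the HttpOnly, Secure and SameSite attributes, and that a JWT looks like three base64url segments joined by dots; the hostname and TLS paths are placeholders.

```nginx
# Assumptions (not from the issue): PostgREST on 127.0.0.1:3000, JWT stored in
# a cookie named access_token. Both map blocks belong in the http {} context.

# Build a Bearer value from the cookie, but only if it has the shape of a
# compact JWT (three base64url segments). Anything else yields "".
map $cookie_access_token $jwt_from_cookie {
    default "";
    "~^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$" "Bearer $cookie_access_token";
}

# Keep an Authorization header the client sent explicitly (non-browser API
# clients can keep using the Bearer scheme); otherwise fall back to the
# cookie-derived value, which is "" when no usable cookie is present.
map $http_authorization $upstream_authorization {
    default $http_authorization;
    ""      $jwt_from_cookie;
}

server {
    listen 443 ssl;
    server_name api.example.com;                        # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

    location /api/ {
        proxy_pass http://127.0.0.1:3000/;
        # An empty value makes nginx drop the header, so unauthenticated
        # requests reach PostgREST with no Authorization header at all.
        proxy_set_header Authorization $upstream_authorization;
        # PostgREST never needs the raw cookie; do not forward the token twice.
        proxy_set_header Cookie "";
    }
}
```

Because the cookie is HttpOnly, page script cannot read the token (this is the property that makes it a safer home than localStorage); the trade-off is that the browser now attaches it automatically, so the API needs CSRF protection such as the SameSite attribute on the cookie or a required custom request header. The JWT-shape regex is only a sanity filter on the cookie value; signature verification stays with PostgREST.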