Add angular-http-only-cookie
blog
#277
Conversation
I'm confused about the recommended changes to tryAuthWithRefreshToken in the ZeroRefreshTokenService class (starts at line 250). It says "remove this line" but then shows multiple lines of code. If you remove those lines then the code doesn't compile. If you keep only those lines then no value is returned. If you keep those lines and return refreshTokenObservable then no token is found and you can't log in. If you don't get the token but return refreshTokenObservable then no sessionService.user is found in auth-route-guard canActivateInternal and the page seems to get into an inconsistent state (not successfully logged in).
Returning of(false) causes login to fail and returning of(true) causes an infinite page load loop.
return new AuthenticateResultModel | ||
{ | ||
AccessToken = accessToken, |
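Review bot: AccessToken is still copied into the AuthenticateResultModel body at this line, so moving the cookie to HttpOnly does not by itself keep the token away from script running in the page. Once the token is issued as an HttpOnly cookie, drop the token properties from the response body (return a model that carries only what the UI needs, such as the expiry), and do the same for the refresh token in the refresh response.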
While changing the cookies so that they can be HttpOnly is good, it doesn't solve the problem where the client code has access to the authentication tokens. The tokens are still returned within the auth response bodies to the client (as shown here). The token data would need to be removed from the response bodies to prevent the client from getting access to the auth/refresh tokens.
Doing this makes the applicability of the solution really difficult. But if you want, you can remove the return methods and make your application better. This blog post is designed to give you a base for http only tokens.
Thanks. Just wanted to make sure that you were aware of the issue.
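One way to close the gap discussed in this thread, as an added example that is not code from the blog post or the aspnet-zero repository: the server issues both tokens as HttpOnly cookies and returns a response model that has no token properties, and the refresh endpoint reads the refresh token from the cookie instead of the request body. AuthenticateModel, ITokenIssuer, the cookie names and the cookie lifetimes are assumptions standing in for the project's own types and settings.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Request model and token factory are assumptions standing in for the project's own types.
public class AuthenticateModel { public string UserNameOrEmailAddress { get; set; } public string Password { get; set; } }
public interface ITokenIssuer
{
    (string AccessToken, string RefreshToken, int ExpireInSeconds) Issue(AuthenticateModel model);
    (string AccessToken, int ExpireInSeconds) Refresh(string refreshToken);
}
// Replaces AuthenticateResultModel in the response: no AccessToken / RefreshToken properties,
// so there is nothing for page script to read. The UI only needs the expiry.
public class CookieAuthenticateResultModel { public int ExpireInSeconds { get; set; } }
[ApiController, Route("api/TokenAuth")]
public class TokenAuthController : ControllerBase
{
    private const string AccessCookie = "Abp.AuthToken";     // cookie names are assumptions
    private const string RefreshCookie = "Abp.RefreshToken";
    private readonly ITokenIssuer _issuer;
    public TokenAuthController(ITokenIssuer issuer) => _issuer = issuer;

    private static CookieOptions Opts(int seconds) => new CookieOptions
    {
        HttpOnly = true,                // hidden from document.cookie
        Secure = true,                  // sent over HTTPS only
        SameSite = SameSiteMode.Strict, // not attached to cross-site requests
        Expires = DateTimeOffset.UtcNow.AddSeconds(seconds)
    };

    [HttpPost("Authenticate")]
    public ActionResult<CookieAuthenticateResultModel> Authenticate(AuthenticateModel model)
    {
        var (access, refresh, seconds) = _issuer.Issue(model);
        Response.Cookies.Append(AccessCookie, access, Opts(seconds));
        Response.Cookies.Append(RefreshCookie, refresh, Opts(seconds * 24)); // refresh lifetime is an assumption
        return new CookieAuthenticateResultModel { ExpireInSeconds = seconds }; // tokens stay out of the body
    }
    // The Angular client never reads or sends the refresh token itself; with withCredentials
    // the browser attaches the HttpOnly cookie and the server rotates the access cookie.
    [HttpPost("RefreshToken")]
    public ActionResult<CookieAuthenticateResultModel> RefreshToken()
    {
        if (!Request.Cookies.TryGetValue(RefreshCookie, out var refresh)) return Unauthorized();
        var (access, seconds) = _issuer.Refresh(refresh);
        Response.Cookies.Append(AccessCookie, access, Opts(seconds));
        return new CookieAuthenticateResultModel { ExpireInSeconds = seconds };
    }
}
```

The Angular side then has to issue its HTTP calls with withCredentials set so the browser attaches the cookies, which is also why both applications need to be served from the same site.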
50128b5 to a16eb8f
@m-aliozkaya: As per the blog, both applications should be on the same domain, but by default on localhost these are running on different ports (backend: localhost:44301). Do you have any help to use these on the same port while developing?
@Harshgupta71 This is something you should consider for production, not for development. If you want to use the same approach during development, it will be problematic. You need to publish your app to the wwwroot folder of the Host app every time you make a change on the Angular app.
Thanks @ismcagdas, I got your point.
@Harshgupta71 you are right, we should definitely consider this case. I created an issue for this https://github.com/aspnetzero/aspnet-zero-core/issues/5128