
馃 Add angular-http-only-cookie blog #277

Merged
merged 11 commits into from Jan 31, 2024
Merged

Conversation

m-aliozkaya (Member) opened the pull request.

No description provided.

@StarbuckSapien left a comment

I'm confused about the recommended changes to tryAuthWithRefreshToken in the ZeroRefreshTokenService class (starts at line 250). It says "remove this line" but then shows multiple lines of code. If you remove those lines then the code doesn't compile. If you keep only those lines then no value is returned. If you keep those lines and return refreshTokenObservable then no token is found and you can't log in. If you don't get the token but return refreshTokenObservable then no sessionService.user is found in auth-route-guard canActivateInternal and the page seems to get into an inconsistent state (not successfully logged in).

Returning of(false) causes login to fail and returning of(true) causes an infinite page load loop.


```csharp
return new AuthenticateResultModel
{
    AccessToken = accessToken,
```


While changing the cookies so that they can be HttpOnly is good, it doesn't solve the problem where the client code has access to the authentication tokens. The tokens are still returned within the auth response bodies to the client (as shown here). The token data would need to be removed from the response bodies to prevent the client from getting access to the auth/refresh tokens.

@m-aliozkaya (Member Author) replied:

Doing this makes the solution much harder to apply. But if you want, you can remove the return methods and make your application better. This blog post is designed to give you a base for HTTP-only tokens.

@StarbuckSapien replied:

Thanks. Just wanted to make sure that you were aware of the issue.
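The point raised in this thread, as an added example that is not part of the PR, the blog post or the aspnet-zero-core code: a small JavaScript model of a login response in which the tokens are set as HttpOnly cookies, built once with the tokens also copied into the JSON body (the situation the reviewer describes) and once with them stripped, plus a Set-Cookie audit that reports missing HttpOnly/Secure/SameSite attributes. The cookie names (auth_token, refresh_token), the refresh path (/auth/refresh), the field names and the sample login result are assumptions made for illustration; only the cookie-attribute semantics are standard.

```javascript
// Added example: models the review point that HttpOnly cookies alone do not keep
// tokens away from page script when the JSON body still carries them.
// Cookie names, paths, field names and SAMPLE_RESULT below are assumptions made
// for this example, not values from the ASP.NET Zero / Angular code base.

// Build a hardened Set-Cookie value for a token.
//   HttpOnly  - not readable via document.cookie, so injected script cannot read it
//   Secure    - only sent over HTTPS
//   SameSite  - the browser withholds it on cross-site requests (CSRF surface)
//   Path      - a refresh token should only travel to the refresh endpoint
function tokenCookie(name, value, { maxAgeSeconds, path = '/' }) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ` +
    `Path=${path}; HttpOnly; Secure; SameSite=Strict`;
}

// Parse one Set-Cookie header value and report missing hardening attributes.
// Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    attrs.set(k.toLowerCase(), v.join('='));
  }
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  const sameSite = (attrs.get('samesite') || '').toLowerCase();
  if (sameSite !== 'strict' && sameSite !== 'lax') missing.push('SameSite=Strict|Lax');
  return { name, missing };
}

// Server-side view of a successful login. `result` stands in for the
// AuthenticateResultModel fields quoted in the review; the field names are assumed.
function buildLoginResponse(result, { stripTokensFromBody }) {
  const headers = {
    'Set-Cookie': [
      tokenCookie('auth_token', result.accessToken,
        { maxAgeSeconds: result.expireInSeconds }),
      tokenCookie('refresh_token', result.refreshToken,
        { maxAgeSeconds: result.refreshTokenExpireInSeconds, path: '/auth/refresh' }),
    ],
  };
  const body = { userId: result.userId, expireInSeconds: result.expireInSeconds };
  if (!stripTokensFromBody) {
    // The situation the reviewer describes: the cookie is HttpOnly, but the same
    // token is still handed to the Angular client in the JSON body.
    body.accessToken = result.accessToken;
    body.refreshToken = result.refreshToken;
  }
  return { headers, body };
}

// What script running in the page can reach once the client has parsed the
// response: every field of the JSON body, but none of the HttpOnly cookies.
function exposedToPageScript(response) {
  return Object.keys(response.body).filter((k) => /token/i.test(k));
}

// Constructed sample login result (not real tokens).
const SAMPLE_RESULT = {
  userId: 2,
  accessToken: 'constructed.access.token',
  refreshToken: 'constructed-refresh-token',
  expireInSeconds: 86400,
  refreshTokenExpireInSeconds: 2592000,
};

// Demo: same cookies in both cases, different exposure.
const leaky = buildLoginResponse(SAMPLE_RESULT, { stripTokensFromBody: false });
const tight = buildLoginResponse(SAMPLE_RESULT, { stripTokensFromBody: true });
console.log('visible to page script, body keeps tokens:', exposedToPageScript(leaky));
console.log('visible to page script, body stripped:    ', exposedToPageScript(tight));
console.log('audit of a cookie without flags:', auditSetCookie('auth_token=abc; Path=/'));
```

The same check applies to the refresh endpoint: if it answers with a new access token in JSON, the HttpOnly cookie set alongside it buys nothing against script running in the page. In a real deployment the quickest test is to log in with the browser devtools open and look at the response body of the authenticate and refresh calls; anything token-shaped there is reachable from any script the page executes.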

@ismcagdas ismcagdas merged commit baf9eee into master Jan 31, 2024
@Harshgupta71

@m-aliozkaya: As per the blog, both applications should be on the same domain, but by default on localhost these run on different ports.

backend: localhost:44301
frontend (angular): localhost:4200

Do you have any guidance on running these on the same port while developing?

@ismcagdas (Contributor)

@Harshgupta71 This is something you should consider for production, not for development. If you want to use the same approach during development, it will be problematic: you need to publish your app to the wwwroot folder of the Host app every time you make a change in the Angular app.

@Harshgupta71

Thanks @ismcagdas, I got your point.
But whenever we apply the changes mentioned above, it gives us an issue: we are not able to log in to the application due to HttpOnly. I think we should implement a development condition so that, during development on localhost, the application does not apply HttpOnly; it should apply only to the deployed version.

@ismcagdas (Contributor)

@Harshgupta71 You are right; we should definitely consider this case. I created an issue for this: https://github.com/aspnetzero/aspnet-zero-core/issues/5128
