Replies: 2 comments 4 replies
-
Interesting, thank you for your proposal! I'm curious to see a PR implementing this pattern :)
-
Hah! Came here looking for exactly this. Agreed with all of the above. Sharing some of my own notes below: I haven't dug deep into the code, but in trying to implement this with the existing API, it struck me as odd that In my use case, which I'm approaching as a custom middleware, the secure cookie is a signed/dated UUID (server session key, DB-backed,
-
The CookieTransport class allows setting an httpOnly cookie for authentication purposes. However, it becomes impossible for the frontend to check the existence of the authentication cookie when the httpOnly flag is set (as we cannot access this cookie using JS). This becomes a problem when the client needs to determine if the user is already authenticated.
Proposal
I propose to solve this problem by creating an additional non-httpOnly cookie that could be set alongside the main authentication cookie. This cookie would serve as an indicator for the frontend to recognize the user's authentication state (e.g., at the application initialization stage).
Implementation Suggestion
A new optional parameter could be added to the CookieTransport. When enabled, we would set an additional non-httpOnly cookie with similar lifespan parameters as the main authentication cookie. Remove it when logging out.
I am ready to contribute by creating a PR with the necessary changes if the idea is accepted.
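The pattern proposed in this post, sketched with the Python standard library only, as an added example that is not part of the original discussion or the project's code. The cookie names, helper functions and sample token are hypothetical; the point shown is that the companion cookie carries no secret and is never consulted for the server-side decision.

```python
from http.cookies import SimpleCookie

AUTH_COOKIE = "auth"            # hypothetical name: HttpOnly cookie holding the token
INDICATOR_COOKIE = "logged_in"  # hypothetical name: JS-readable companion cookie


def _set_cookie(name, value, max_age, http_only):
    """Build one Set-Cookie header value with shared lifetime and scope."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if http_only:
        morsel["httponly"] = True
    return morsel.OutputString()


def login_headers(token, max_age=3600):
    """Auth cookie is HttpOnly; the indicator holds a constant, not the token."""
    return [
        _set_cookie(AUTH_COOKIE, token, max_age, http_only=True),
        _set_cookie(INDICATOR_COOKIE, "1", max_age, http_only=False),
    ]


def logout_headers():
    """Expire both cookies together so the indicator cannot outlive the session."""
    return [
        _set_cookie(AUTH_COOKIE, "", 0, http_only=True),
        _set_cookie(INDICATOR_COOKIE, "", 0, http_only=False),
    ]


def is_authenticated(request_cookies, valid_tokens):
    """Server-side check reads only the auth cookie; the indicator is a UI hint
    that any script or user can set, so it is ignored here."""
    return request_cookies.get(AUTH_COOKIE) in valid_tokens


if __name__ == "__main__":
    for header in login_headers("constructed-token"):  # constructed sample value
        print("Set-Cookie:", header)
```

The frontend can read `logged_in` to decide what to render at startup, but every protected request is still authorized from the HttpOnly cookie alone.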