
Enable sending access token in response while sending refresh in a cookie #217

Open
creationspirit opened this issue Aug 12, 2020 · 2 comments

Comments

@creationspirit

Currently, when using long-running refresh tokens, if the jwt_cookie decorator is set both tokens will be sent in separate cookies. There should be an option to send only the refresh token in a cookie while the access token is sent in the response body.

This way, the access token can be stored in memory, which is the OAuth2 recommendation for token storage: https://auth0.com/docs/tokens/token-storage

@syberen

syberen commented Mar 12, 2021

This is a very good point. To solve this in one of my projects I created an adapted version of the jwt_cookie decorator. I would however be glad to create a pull request to make sending an access token cookie into a setting, if the maintainers think that's a good idea as well.

from functools import wraps

from graphql_jwt.utils import set_cookie, delete_cookie
from graphql_jwt.settings import jwt_settings


def jwt_refresh_cookie(view_func):
    """
    Adaptation of the jwt_cookie decorator from graphql_jwt. The default decorator
    sets both a jwt and refresh token cookie, the adaptation sets only the latter.
    """

    @wraps(view_func)
    def wrapped_view(request, *args, **kwargs):
        # Tell graphql_jwt's mutations to run in cookie mode (they read the
        # refresh token from the cookie instead of the mutation arguments).
        request.jwt_cookie = True
        response = view_func(request, *args, **kwargs)

        # Only the refresh token is written to a cookie. The access token
        # (request.jwt_token) is deliberately not written here, so it is
        # delivered in the response payload only.
        if hasattr(request, "jwt_refresh_token"):
            refresh_token = request.jwt_refresh_token
            expires = refresh_token.created + jwt_settings.JWT_REFRESH_EXPIRATION_DELTA

            set_cookie(
                response,
                jwt_settings.JWT_REFRESH_TOKEN_COOKIE_NAME,
                refresh_token.token,
                expires=expires,
            )

        # Logout/revocation paths still clear both cookie names.
        if hasattr(request, "delete_jwt_cookie"):
            delete_cookie(response, jwt_settings.JWT_COOKIE_NAME)

        if hasattr(request, "delete_refresh_token_cookie"):
            delete_cookie(response, jwt_settings.JWT_REFRESH_TOKEN_COOKIE_NAME)

        return response

    return wrapped_view

@Stijn-B

Stijn-B commented Aug 24, 2021

@syberen I ran into this problem as well and was thinking about trying to fix it with a decorator as well.

There seem to be 2 other issues related to this:

I think it would be good to create a pull request for this. Especially since sending the jwt in the payload and the refresh token in an http only cookie currently seems to be the safest approach.

I hope this gets some feedback from the maintainers!
Kind regards
