-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update JWT cookie on token refresh #97
Comments
Hi there, its currently missing from the dj-rest-auth docs but simple-jwt has a default expiry of 5 minutes. SIMPLE_JWT = {
'ACCESS_TOKEN_LIFETIME': timedelta(days=1),
'REFRESH_TOKEN_LIFETIME': timedelta(days=2),
} I would also suggest setting Thanks for adding cookie refresh to the token refresh view <3 is a good idea |
Add a dedicated view that subclasses django-rest-framework-simplejwt's TokenRefreshView to update the JWT_AUTH_COOKIE on successful refreshes. Fixes: iMerica#97
Hi, Regards |
The token refresh & verify endpoints are available in dj-rest-auth, to enable them you must enable REST_USE_JWT in your settings.py Once enabled the following endpoints will be added
Note: If you resgistered
The issue you have when you call these endpoints they use simple_jwt which expects the token to be passed in the body. When you use HTTP only cookies the data is sent in the head. This is not a huge issue as we can use middleware to move the data from the head to the body. When I submitted the pull request for #160 I did not include the middleware as the issue leans more towards simple-jwt rather than DJ-rest-auth (they have a PR). Here is an old stack overflow post I used to base my solution. middleware.py
If anyone has a solution to create an object with the token if no body data is sent that would be great. You will see from the code above if Next, you need to add the middleware to your settings.py
I hope this helps |
Note the URLs in my snippet above are hardcoded, you could improve this by using reverse() on the url name to get the path dynamically. |
Thank you so much for these explanations. It's so easy now to setup a nice JWT token use . |
As precised by @Wolf-Byte this issue concerns two packages:
Thank to @lemirep and @Wolf-Byte for their work. |
@Wolf-Byte I can see that this is I understand your solution, but how is this not included by default in Now every time I use the library with JWT (which will be nearly all of the time), I have to copy/paste your middleware in order to have a fully-closed request/response loop with Isn't this highly unergonomic? Why can't your solution or that of @lemirep be baked into the library? |
@alexerhardt I agree with you. We have 3 options :
I have a preference for the last solution as it is straight forward for the users. |
My two cents is that if you want a good development experience out of the package, it should be either option 2 or 3 - or anything that bakes the solution into the library, really. Like I said, it's quite awkward that you have JWT as an option - albeit through an external lib - and that you enable However, if all this was baked in, the dev experience would be "holy sh*@, it works" - which is what everyone would like out of a library! I am fairly new to Django so I'm not sure I should contribute code (though perhaps, as I think I have a good grasp on the issue), but I'd be happy to help with documentation or additional feedback. I would also definitely contribute a more complete SPA React example if you are interested, complete with automated refresh token cycles via an axios interceptor. I think however it doesn't make sense as it stands because with |
@alexerhardt, thank for your feedback. As I am also inexperienced on this topic, I think it would be nice to have @iMerica opinion on the proposed solution. @alexerhardt, your contribution proposal is very welcome, there is a issue about this with the tag |
As @Wolf-Byte said, the issue was the Can the refresh token endpoint simply change to I think anyone with SPA website using this library with JWT will hit this issue? |
I've encountered the same problem hence why I'm here. Digging around a bit more on Reddit and Google, I realized using HttpOnly cookies for JWT is pretty close to just using the session authentication instead. So I went with that. I don't want to start a debate here. But can someone explain to me what advantage JWT cookies have over the standard session cookies from DRF? |
Is this still an issue in 2023? This is the only library that provides "out of the box" support for JWT in HttpOnly cookies, yet it seems that its implementation is still only half-baked. Pinging @iMerica, it would be great to have this fully supported instead of copy-pasting a three year old patch. |
Hello,
First of all thanks for all your efforts on the project, that's greatly appreciated.
I'm hitting an issue and I'm not sure if it's a bug or my lack of knowledge. Please excuse me for the inconvenience if that's the latter.
I've been playing with dj-rest-auth and the JWT support with http cookie storage.
Log in and log out work great with my client app. Upon login I don't need to pass in the access_token because of it being stored in the http cookie. However after a few minutes, the access token expires and I believe the cookie as well. My client tests for authentication errors on API calls and tries to refresh the token which it successfully achieves using the token/refresh/ url.
However, for subsequent authenticated api calls to work, I need to start passing the access token as part of the request header. I believe I'm either missing the API entry point that refresh the access_token and updates/recreates a new JWT cookie or that this could be actually missing from the project.
Could you please tell me if I'm not misled?
If I'm not, I'd be happy to create a new API endpoint to refresh token and update JWT cookie.
Thanks,
Paul
The text was updated successfully, but these errors were encountered: