
Should passport-http-bearer read token from session cookie? #45

Closed
lvbeck opened this issue Feb 18, 2016 · 1 comment
Labels
discussion Conversation that isn't an issue or pull request

Comments

@lvbeck

lvbeck commented Feb 18, 2016

I know it looks like a stupid question. Usually a bearer token is stored in localStorage and sent with each request in the Authorization header field. However, I recently read this article:

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

The above article argues that localStorage shouldn't be used because of XSS attacks and suggests using a session cookie (with the HttpOnly flag) to store the JWT. This method seems reasonable.

In this case, JavaScript cannot read the cookie (which contains the access_token) since the HttpOnly flag is set, hence I cannot append the token to the request's Authorization header.

So is it possible that passport-http-bearer will also read the token from a session cookie in the future?

@AOlefirenko

@lvbeck I agree with you. I would like to use a cookie for storing the JWT. There are several benefits.
First, it's simpler because the browser automatically adds the token to each request.
Second, when using social logins to authenticate users (passport-facebook/passport-google) you need to pass the new token with the redirect response. I know two options for doing it: add the token to the query string or add it to a cookie. So in this case using cookies is the simpler way as well.
It would be very nice to add this feature. I've created a pull request #46
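The behaviour both posts ask for, as an added example that is not part of passport-http-bearer or PR #46: an extractor that takes the token from the Authorization header first and falls back to a named HttpOnly cookie, plus the Set-Cookie value to issue on the redirect after login. The cookie name `access_token`, the request shape (an Express-style `req.headers` object with lowercased names) and the cookie attributes are assumptions of this example.

```javascript
// Added example (not passport-http-bearer's own code). Assumes an
// Express/Node request whose `headers` object has lowercased header names.
const DEFAULT_COOKIE = 'access_token'; // assumed cookie name

// Parse a Cookie request header ("a=1; b=2") into a plain object.
// The first occurrence of a name wins; malformed values are left undecoded.
function parseCookieHeader(header) {
  const jar = {};
  if (typeof header !== 'string') return jar;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name || name in jar) continue;
    try { jar[name] = decodeURIComponent(raw); } catch (e) { jar[name] = raw; }
  }
  return jar;
}

// Return the token from "Authorization: Bearer <token>"; if that header is
// absent or not a Bearer credential, fall back to the named cookie; else null.
// Header first, so existing API clients keep working unchanged.
function extractToken(req, cookieName = DEFAULT_COOKIE) {
  const auth = req.headers['authorization'];
  if (typeof auth === 'string') {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return m[1];
  }
  const cookies = parseCookieHeader(req.headers['cookie']);
  return cookies[cookieName] || null;
}

// Build the Set-Cookie value used when issuing the token, e.g. on the redirect
// after a social login. HttpOnly keeps it away from page script (the XSS point
// above); Secure and SameSite limit where the browser will auto-send it, since
// cookies, unlike a header the client adds itself, travel on every request.
function buildTokenCookie(token, { name = DEFAULT_COOKIE, maxAgeSeconds = 3600 } = {}) {
  return `${name}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}` +
    '; HttpOnly; Secure; SameSite=Lax';
}
```

In an Express app, `extractToken(req)` would be called inside the strategy's authenticate step and the result passed to the same verify callback the header path uses.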

@jaredhanson jaredhanson added the discussion Conversation that isn't an issue or pull request label Oct 25, 2021