Authenticating requests in a decoupled Django + Vue.js app using JSON Web Tokens (JWT) and HttpOnly Cookies

Repo for this project: GitHub - briancaffey/django-step-by-step

I have been working on rewriting my reference Django/Vue app. For authentication, I have done previously used either regular session authentication or JWTs stored in localStorage. Storing tokens and credentials in localStorage is generally seen as a bad practice, and there is an issue in the drf-simplejwt repo that I borrowed some code from: [Allow httpOnly cookie storage · Issue #71 · jazzband/djangorestframework-simplejwt · GitHub](DRF SimpleJWT GitHub Issue). Here’s another helpful article I found from Hasura that goes into more depth about how to use JWT on web clients: [](Hasura blog post about using JWT with HttpOnly cookies). The main idea is:

  • access tokens are stored in memory (in the Vue application)

  • refresh token is stored in an HttpOnly cookie and is used to silently refresh the access token in the background

Is anyone doing authentication with JWT / HttpOnly cookies in a similar way? Thanks for anyone that can take a look or offer some feedback!