Repo for this project: GitHub - briancaffey/django-step-by-step
I have been working on rewriting my reference Django/Vue app. For authentication, I have previously used either regular session authentication or JWTs stored in localStorage. Storing tokens and credentials in localStorage is generally seen as a bad practice, and there is an issue in the drf-simplejwt repo that I borrowed some code from: Allow httpOnly cookie storage · Issue #71 · jazzband/djangorestframework-simplejwt · GitHub (DRF SimpleJWT GitHub issue). Here's another helpful article I found from Hasura that goes into more depth about how to use JWT on web clients: [Hasura blog post about using JWT with HttpOnly cookies](https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/?fbclid=IwAR381Z1Cq-xr-4o2V27V_R4BJeu5jG3V-yWG_KCWbXnH9n3-Toebqnbk70o). The main idea is:
- access tokens are stored in memory (in the Vue application)
- the refresh token is stored in an HttpOnly cookie and is used to silently refresh the access token in the background
Is anyone doing authentication with JWT / HttpOnly cookies in a similar way? Thanks to anyone who can take a look or offer some feedback!
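The two-token flow described in the post, as an added example that is not code from the original post or from the django-step-by-step repo. The client side keeps the access token in a closure variable (never localStorage) and refreshes it silently by POSTing to a refresh endpoint with `credentials: 'include'`, so the browser attaches the HttpOnly refresh cookie the server set; the JavaScript never reads the refresh token. The endpoint path `/api/token/refresh/`, the cookie name `refresh_token`, the response shape `{ access: ... }`, and the in-memory fake of the Django side (which stands in for the server and the browser's cookie jar so the code runs offline) are all assumptions made here for illustration.

```javascript
// Added example: in-memory access token + HttpOnly refresh cookie flow.
// Not code from the original post or the django-step-by-step project.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return typeof Buffer !== 'undefined' ? Buffer.from(b64, 'base64').toString('utf8') : atob(b64);
}
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Read the exp claim without verifying the signature: only the server verifies tokens;
// the client just needs to know when to refresh.
function jwtExpMs(token) {
  return JSON.parse(base64UrlDecode(token.split('.')[1])).exp * 1000;
}

// Client side (what the Vue app would hold). refreshUrl is an assumed endpoint path.
function createAuthClient({ fetchImpl, refreshUrl = '/api/token/refresh/', now = () => Date.now(), leewayMs = 5000 }) {
  let accessToken = null; // memory only: gone on reload, recovered by a silent refresh
  let expiresAt = 0;      // epoch ms taken from the token's exp claim
  let inflight = null;    // de-duplicates concurrent refreshes (several API calls right after reload)

  function refresh() {
    if (inflight) return inflight;
    // credentials: 'include' makes the browser send the HttpOnly cookie; JS never touches it.
    inflight = fetchImpl(refreshUrl, { method: 'POST', credentials: 'include' })
      .then(async (res) => {
        if (!res.ok) { accessToken = null; expiresAt = 0; throw new Error('refresh failed: ' + res.status); }
        accessToken = (await res.json()).access;
        expiresAt = jwtExpMs(accessToken);
        return accessToken;
      })
      .finally(() => { inflight = null; });
    return inflight;
  }
  async function getAccessToken() {
    if (accessToken && now() < expiresAt - leewayMs) return accessToken;
    return refresh(); // missing, expired, or about to expire: refresh before the call
  }
  async function authFetch(url, init = {}) {
    const send = (token) =>
      fetchImpl(url, { ...init, headers: { ...(init.headers || {}), Authorization: 'Bearer ' + token } });
    let res = await send(await getAccessToken());
    if (res.status === 401) res = await send(await refresh()); // revoked server side: one retry
    return res;
  }
  return { getAccessToken, authFetch, hasAccessToken: () => accessToken !== null };
}

// Constructed fake of the server plus the browser's cookie jar for the API origin.
function makeFakeServer({ accessTtlSec = 300, now = () => Date.now() } = {}) {
  const jar = {}; // cookies the browser holds; an HttpOnly one is invisible to page JS
  let refreshes = 0;
  const json = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const issueAccess = () => {
    const part = (o) => base64UrlEncode(JSON.stringify(o));
    return part({ alg: 'HS256', typ: 'JWT' }) + '.' +
      part({ sub: 'alice', exp: Math.floor(now() / 1000) + accessTtlSec }) + '.fake-signature';
  };
  async function fetchImpl(url, init = {}) {
    if (url === '/api/token/refresh/') {
      refreshes += 1;
      // Only a credentialed request carries the cookie; without it the refresh must fail.
      if (init.credentials !== 'include' || !jar.refresh_token) return json(401, { detail: 'no valid refresh cookie' });
      return json(200, { access: issueAccess() });
    }
    const token = ((init.headers || {}).Authorization || '').replace(/^Bearer /, '');
    if (!token || jwtExpMs(token) <= now()) return json(401, { detail: 'token expired' });
    return json(200, { user: 'alice' });
  }
  return {
    fetchImpl,
    // Models the login view responding with Set-Cookie: refresh_token=...; HttpOnly; Secure; SameSite=Lax
    login: () => { jar.refresh_token = 'opaque-refresh-token'; },
    logout: () => { delete jar.refresh_token; }, // models the logout view clearing the cookie
    refreshes: () => refreshes,
  };
}

// Drive the flow with a controllable clock and report what happened.
async function runScenario() {
  let t = 1700000000000;
  const now = () => t;
  const server = makeFakeServer({ accessTtlSec: 300, now });
  const client = createAuthClient({ fetchImpl: server.fetchImpl, now });
  server.login();
  const first = await Promise.all([client.authFetch('/api/me/'), client.authFetch('/api/me/')]); // 2 calls, 1 refresh
  t += 400 * 1000;                                   // access token expired: refresh happens silently
  const second = await client.authFetch('/api/me/');
  server.logout();                                   // refresh cookie gone
  t += 400 * 1000;
  let third;
  try { await client.authFetch('/api/me/'); third = 'ok'; } catch (e) { third = e.message; }
  return { firstStatuses: first.map((r) => r.status), secondStatus: second.status, third,
           refreshes: server.refreshes(), tokenCleared: !client.hasAccessToken() };
}

runScenario().then((r) => console.log(r));
```

Two things the server side has to get right for this to hold: the refresh cookie must be set with `HttpOnly`, `Secure` and a `SameSite` value (and ideally a `Path` scoped to the refresh endpoint so it is not sent on every API call), and because the browser attaches the cookie automatically, the refresh endpoint needs CSRF protection (SameSite alone, or a CSRF token) so a cross-site page cannot mint access tokens for a logged-in user.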