Repo for this project: GitHub - briancaffey/django-step-by-step
I have been working on rewriting my reference Django/Vue app. For authentication, I have done previously used either regular session authentication or JWTs stored in localStorage. Storing tokens and credentials in localStorage is generally seen as a bad practice, and there is an issue in the drf-simplejwt repo that I borrowed some code from: [Allow httpOnly cookie storage · Issue #71 · jazzband/djangorestframework-simplejwt · GitHub](DRF SimpleJWT GitHub Issue). Here’s another helpful article I found from Hasura that goes into more depth about how to use JWT on web clients: [https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/?fbclid=IwAR381Z1Cq-xr-4o2V27V_R4BJeu5jG3V-yWG_KCWbXnH9n3-Toebqnbk70o](Hasura blog post about using JWT with HttpOnly cookies). The main idea is:
-
access tokens are stored in memory (in the Vue application)
-
refresh token is stored in an HttpOnly cookie and is used to silently refresh the access token in the background
Is anyone doing authentication with JWT / HttpOnly cookies in a similar way? Thanks for anyone that can take a look or offer some feedback!