I’m using Django REST framework with its JWT add-on (configured through the `SIMPLE_JWT` settings below):
# JWT configuration for the REST framework add-on.
#
# Token lifetimes and signing settings come first; the AUTH_COOKIE_* entries
# describe how the access token is written to a browser cookie.
# NOTE(review): the AUTH_COOKIE_* entries are read explicitly by the login
# view in this file; confirm the library itself does not also consume them.
SIMPLE_JWT = {
    # Lifetimes: one hour for the access token, one day for the refresh token.
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=60),
    "REFRESH_TOKEN_LIFETIME": timedelta(hours=24),
    # Refresh tokens are reused as-is rather than replaced on each refresh.
    "ROTATE_REFRESH_TOKENS": False,
    # Accepted scheme in the Authorization header, e.g. "Authorization: JWT <token>".
    "AUTH_HEADER_TYPES": ("JWT",),
    # HMAC-SHA512 signing (symmetric; the signing key is the project secret
    # unless overridden elsewhere).
    "ALGORITHM": "HS512",
    # Cookie transport for the access token.
    "AUTH_COOKIE": "access_token",  # cookie name; cookie transport is on when set
    "AUTH_COOKIE_DOMAIN": None,  # e.g. "example.com"; None = host-only cookie
    "AUTH_COOKIE_SECURE": True,  # only sent over https://
    "AUTH_COOKIE_HTTP_ONLY": True,  # not readable from JavaScript
    "AUTH_COOKIE_PATH": "/",  # cookie path attribute
    "AUTH_COOKIE_SAMESITE": "Lax",  # SameSite attribute limiting cross-site sends
}
A JWT token is returned to the user from my login view:
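def post(self, request, format=None):
    """Authenticate a username/password pair and issue JWTs.

    On success the access token is written to an HttpOnly cookie named by
    ``settings.SIMPLE_JWT['AUTH_COOKIE']``, the token pair is returned in the
    JSON body, and a CSRF token is generated so the client can send it on
    later cookie-authenticated requests.

    Args:
        request: DRF request; ``request.data`` is expected to carry
            ``username`` and ``password`` (missing keys become ``None``).
        format: DRF format suffix; unused here.

    Returns:
        A DRF ``Response``: 200 with ``{"Success": ..., "data": {...}}`` on
        success, otherwise a 404 with a one-key error body.
    """
    credentials = request.data
    user = authenticate(
        username=credentials.get('username', None),
        password=credentials.get('password', None),
    )
    if user is None:
        # NOTE(review): 404 is unconventional for bad credentials (401 is the
        # usual choice); kept because existing clients may key on it.
        return Response({"Invalid": "Invalid username or password!!"}, status=status.HTTP_404_NOT_FOUND)
    if not user.is_active:
        # NOTE(review): a distinct message here lets a caller tell "wrong
        # password" from "account exists but is disabled" (account
        # enumeration); consider collapsing both failures into one response.
        # Whether this branch is reachable depends on the configured
        # authentication backend -- confirm.
        return Response({"No active": "This account is not active!!"}, status=status.HTTP_404_NOT_FOUND)

    jwt_settings = settings.SIMPLE_JWT
    tokens = get_tokens_for_user(user)
    response = Response()
    response.set_cookie(
        key=jwt_settings['AUTH_COOKIE'],
        value=tokens["access"],
        # ACCESS_TOKEN_LIFETIME is a timedelta, while set_cookie() expects
        # `expires` to be a datetime or a pre-formatted date string; passing
        # the timedelta yields an invalid Expires attribute that browsers
        # ignore. Express the lifetime as max_age (seconds) instead.
        max_age=int(jwt_settings['ACCESS_TOKEN_LIFETIME'].total_seconds()),
        # Honour the domain/path entries from SIMPLE_JWT rather than silently
        # falling back to the defaults.
        domain=jwt_settings.get('AUTH_COOKIE_DOMAIN'),
        path=jwt_settings.get('AUTH_COOKIE_PATH', '/'),
        secure=jwt_settings['AUTH_COOKIE_SECURE'],
        httponly=jwt_settings['AUTH_COOKIE_HTTP_ONLY'],
        samesite=jwt_settings['AUTH_COOKIE_SAMESITE'],
    )
    # Ensure a CSRF cookie is issued alongside the auth cookie so that
    # cookie-authenticated unsafe requests can pass Django's CSRF check.
    csrf.get_token(request)
    # NOTE(review): the body also carries the access token (and the refresh
    # token), which page JavaScript can read and store; the HttpOnly flag only
    # protects the cookie copy. Drop "access" from the body if the cookie is
    # meant to be the sole transport.
    response.data = {"Success": "Login successfully", "data": tokens}
    return response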
My main question: the server expects the request to carry an `Authorization: JWT <token>` header, but an HttpOnly cookie can only be sent back to the server as a cookie (JavaScript cannot read it and copy it into a header) — so how is the cookie-stored token supposed to be used for authentication?