[FEATURE] Use double submit verification for browser auth #120
We currently authenticate using a JWT access token in the authorization header. For browsers, we should utilize cookies and double submit verification to allow automatically refreshing auth tokens and to prevent cross-site request forgery. We can follow this section of the docs.

@ryanmahan we spoke about using flask_login for browser sessions but I didn't realize flask-jwt-extended supports this pattern.

Comments

#158 takes care of the auto-refreshing and adds some CSRF protections that flask-jwt-extended has in it. For the double submit verification, how will the frontend be sending the token in the form body? I can write a middleware for us that we can annotate some routes with where we want that functionality.

I believe flask-jwt-extended automatically checks the X-CSRF-TOKEN header when configured to use CSRF protection, which you set in production in #158. So we will need to update the frontend to set that header but shouldn't need to do anything on the backend; will file a separate ticket for the frontend change. #160
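The frontend side of the double submit check discussed in this thread, as an added JavaScript example that is not from the issue or the project's code: the page script reads flask-jwt-extended's (non-HttpOnly) CSRF cookie and echoes it back in the X-CSRF-TOKEN header on state-changing requests. It assumes the library's default cookie name `csrf_access_token`; the helper names are my own.

```javascript
// Added example (not from the issue or the project): how a browser frontend
// supplies the double-submit CSRF token that flask-jwt-extended expects.
// Assumptions: cookie-based JWT auth with CSRF protection enabled, using the
// library's default cookie name "csrf_access_token" and header "X-CSRF-TOKEN".

const CSRF_COOKIE_NAME = "csrf_access_token";
const CSRF_HEADER_NAME = "X-CSRF-TOKEN";

// Parse a document.cookie-style string ("a=1; b=2") and return one cookie's
// value, or null if absent. The CSRF cookie is deliberately not HttpOnly so
// page scripts can read it; the access-token cookie is HttpOnly and is never
// touched by script, only sent automatically by the browser.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const [rawKey, ...rest] = part.trim().split("=");
    if (rawKey === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build headers for a state-changing request. Returns null when no CSRF
// cookie is present so the caller can send the user to login instead of
// issuing a request the server will reject with 401.
function buildCsrfHeaders(cookieString, extraHeaders = {}) {
  const token = getCookie(CSRF_COOKIE_NAME, cookieString);
  if (token === null) {
    return null;
  }
  return { ...extraHeaders, [CSRF_HEADER_NAME]: token };
}

// fetch wrapper for same-origin API calls. credentials: "same-origin" sends
// the HttpOnly access cookie; the X-CSRF-TOKEN header proves the script could
// read the paired CSRF cookie, which a cross-site page cannot. Safe methods
// are left alone, matching the methods the server protects by default.
async function csrfFetch(url, options = {}, cookieString = document.cookie) {
  const method = (options.method || "GET").toUpperCase();
  const headers = { ...(options.headers || {}) };
  if (!["GET", "HEAD", "OPTIONS"].includes(method)) {
    const withCsrf = buildCsrfHeaders(cookieString, headers);
    if (withCsrf === null) {
      throw new Error("CSRF cookie missing: user is not logged in");
    }
    Object.assign(headers, withCsrf);
  }
  return fetch(url, { ...options, headers, credentials: "same-origin" });
}
```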