[FEATURE] Use double submit verification for browser auth #120
Comments
|
#158 takes care of the auto-refreshing and adds some CSRF protections that jwt-flask-extended has in it. For the double submit verification how will the frontend be sending the token in the form body? I can write a middleware for us that we can annotate some routes with where we want that functionality |
Merged
|
I believe flask-jwt-extended automatically checks the X-CSRF-TOKEN header when configured to use csrf protection, which you set in production in #158. So we will need to update the frontend to set that header but shouldn't need to do anything on the backend, will file a separate ticket for the frontend change. #160 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We currently authenticate using a JWT access token in the authorization header. For browsers, we should utilize cookies and double submit verification to allow automatically refreshing auth tokens and to prevent cross-site request forgery. We can follow this section of the docs.
@ryanmahan we spoke about using flask_login for browser sessions but I didn't realize flask-jwt-extended supports this pattern.
The text was updated successfully, but these errors were encountered: