modest gust
@Post('login')
@HttpCode(HttpStatus.OK)
async login(@Body() data: LoginDto, @Req() request) {
const { access_token, refresh_token } = await this.AuthService.login(
data.identifier,
data.password,
);
request.res.cookie('refresh_token', refresh_token, {
httpOnly: true,
path: '/auth/refresh',
});
return access_token;
}
im using this but it does not set cookie
in case you wonder, yes refresh_token is not null or undefined
grand stratus
What cookie package are you using?
modest gust
let me check
just cookie parser
oh wait
yes just cookie parser
i can see response cookies here
but not on my storage section of browser
grand stratus
Where is here?
modest gust
network tab
grand stratus
In the browser.
modest gust
yea
grand stratus
So, the cookie is being sent.
grand stratus
You are seeing it. In the browser. So, it is sent with the response. When you send a request back to the path mentioned in the cookie, the browser will send it back.
grand stratus
You did. /auth/refresh
So, when you try to request a refresh, the cookie will be sent to that endpoint.
modest gust
like this
yes yes then i removed cuz of this tab
ahhh
that makes sensee
thats how we prevent refresh token to be stolen
grand stratus
So, your refresh endpoint should be checking for the "refresh_token" in the cookie. (and not the "access_token"). Not sure why it is showing as "access_t..."
grand stratus
Um, what token is this?
grand stratus
That's not what your code is doing and the access token doesn't need to be in a cookie.
grand stratus
So, why is access token showing as a cookie?
grand stratus
No, just in memory. The access token shouldn't be stored anywhere.
modest gust
how my client knows access token after come back to website
grand stratus
Well, nowhere other than memory.
He sends a refresh request and gets a new access token.
modest gust
hmm
grand stratus
Remember, access tokens are short lived. 5 minutes at best.
grand stratus
So, if the user comes back to the website after 5 minutes, he'd have to run the refresh (the user doesn't, your frontend does it automatically in the background).
modest gust
when u go to /b page you should send request to refresh endpoint to get new token?
grand stratus
No, you have the access token in memory. It gets added to the auth headers for each request. If the request fails with a 403, the refresh process is started by the frontend automatically. If the refresh process works, then the user gets new tokens and the frontend tries the request again for the page the user wanted.
modest gust
i got the refresh logic but not the access token logic
how can my client store access token in memory
should i set auth header of client from backend or something else
grand stratus
So, the process is as follows:
modest gust
i got this part
this part is okay thanks for your helps
but the other part. "storing access token in memory"
is it something like with my front end framework
or something else
grand stratus
how can my client store access token in memory
You store it to a variable in your frontend code, from the response. .
grand stratus
I just looked at what my app does (also Vue) and it is storing the access token in LocalStorage, so it is globally accessible for the app.
modest gust
That's not what your code is doing and the access token doesn't need to be in a ...
btw i just checked
it does not work somehow
i can see my network tab that i got response cookie
i add debug code to my refresh endpoint. when i send request from browser it does not send
in postman system works perfectly
but browser its not
ahh i didn't include credentials when i login
barren zealot
What's your http client?
opal falcon
i can see my network tab that i got response cookie
I have a similar issue but in mine, on the network tab, the response contains the cookie, but the browser never saves it in the cookies storage
