Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add FromCookie token extractor #10

Closed
wants to merge 1 commit into from
Closed

add FromCookie token extractor #10

wants to merge 1 commit into from

Conversation

mattmessinger
Copy link

No description provided.

donatj
donatj reviewed May 21, 2018
View reviewed changes
jwtmiddleware.go
return cookie.Value, nil
} else {
return "", nil
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The } else { can be eliminated, ala

if cookie != nil {
	return cookie.Value, nil
}

return "", nil

@donatj
Copy link

donatj commented May 21, 2018

I've built basically the same thing.

Cookies are a reasonably common place to store JWTs in non-SPAs, and I feel like support here would be greatly appreciated.

ashmilhussain
ashmilhussain approved these changes Feb 16, 2020
View reviewed changes
Copy link

@ashmilhussain ashmilhussain left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this PR is not accepted?

@ashmilhussain ashmilhussain mentioned this pull request Feb 16, 2020
Closed
@alokedesai
Copy link

Hi Auth0 team, can you provide more context as to why this isn't merged? This feels like a pretty common use case (e.g. read from cookie, if it's not there read the Authorization header) so I'm confused as to why this hasn't been merged for 5+ years.

@jeromedoucet
Copy link

jeromedoucet commented Nov 28, 2020
edited
Loading

I agree with @donatj and @alokedesai . Authorization header is not always the best place to put the token, even for SPA application, because it is vulnerable to XSS exploit.

With http-only cookies, token are vulnerable to CSRF attacks only, but on my opinion, that's easier secure with a simple CSRF token. In that configuration, the token itself is not accessible for an attacker.

@grounded042
Copy link
Contributor

I apologize that this has not been looked at or merged in. We are starting work on a v2 and would be happy to take a look at this as part of that effort.

@grounded042 grounded042 added this to the v2 milestone Jan 29, 2021
@grounded042 grounded042 mentioned this pull request Apr 23, 2021
Closed
21 tasks
@grounded042 grounded042 mentioned this pull request Jun 11, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donatj donatj donatj left review comments

@ashmilhussain ashmilhussain ashmilhussain approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2
Development

Successfully merging this pull request may close these issues.
6 participants
@mattmessinger @donatj @alokedesai @jeromedoucet @grounded042 @ashmilhussain