use cookies instead of JWT #3420

Merged
merged 5 commits into from
Aug 19, 2019

Conversation

Rich-Harris
Member

Related to #3415. We want to be able to server-render a list of the user's saved REPLs (and eventually, expose published ones publicly). JWT seems to make this harder — it seems like the logical thing to do would be to use cookies instead. (@lukeed, I am happy to be corrected on this point, if I've misunderstood everything)

This isn't finished yet, but I'm leaving for the day so thought I'd leave it here. Changes still to make:

  • code organisation (/auth/* should just be regular server routes)
  • cache user objects in memory
  • purge expired sessions

This is the first time I've had a crack at this sort of thing, so if I'm making any wince-inducing errors (especially regarding security) please yell at me.

@lukeed
Member

lukeed commented Aug 18, 2019

Hey hey, if you just wanna use cookies instead that's a totally fine and valid reason. I see nothing here though that can't be easily done with JWT. If you aren't rushed I can open a PR for a second option

@Rich-Harris
Member Author

Would definitely be curious to see how it would work with JWT. When I try and educate myself on the topic I come up against phrases like

JWT is not a good alternative to real sessions for 90% of applications

and

If you are doing SSR, you are going to need to use a Cookie no matter what

I can't see how we could (for example) expose a user-accessible JSON endpoint for the user's saved gists without using a cookie (as in this amendment to #3415), but if we need to use cookies anyway, is there much of a benefit to using JWT as well?

There's also the question of the degree to which this app should be an example of how to authenticate a user and pass data from server to client, and I think I'd argue that the cookie version is more immediately grokkable — certainly compared to cookies plus JWT.

So if you think that JWT is a better approach then I'm definitely interested to see what it looks like, but I do think we need to meet those criteria.

@Rich-Harris Rich-Harris marked this pull request as ready for review August 18, 2019 17:21
@codecov-io

Codecov Report

❗ No coverage uploaded for pull request base (master@120ee28).
The diff coverage is n/a.


@@            Coverage Diff            @@
##             master    #3420   +/-   ##
=========================================
  Coverage          ?   50.25%           
=========================================
  Files             ?        1           
  Lines             ?      197           
  Branches          ?        0           
=========================================
  Hits              ?       99           
  Misses            ?       98           
  Partials          ?        0

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 120ee28...eb9e405.

@Rich-Harris Rich-Harris merged commit c8a44ec into master Aug 19, 2019
@Rich-Harris Rich-Harris deleted the cookies branch August 19, 2019 12:08