This repository was archived by the owner on May 26, 2020. It is now read-only.

How to use this library by only using Http Only Cookie? #482

Open
@pinkynrg


After using a JWT token in an unsafe way for a little over a year, I've finally decided that I would like to fix my current setup.

I read everywhere that it is not good to save a JWT token in the local client and that it is best to use an Http Only Cookie.

I'm now trying to use JWT_AUTH_COOKIE in order to create an Http Only Cookie.
I'm getting the Cookie correctly returned by the server when using getToken API. What I'm wondering now, is how I can refresh the token.

What happens when I call refreshToken is that I get the following response:

{"token":["This field is required."]}

True, I'm not sending any token in the request's HEADER and that is what I want since the client isn't supposed to keep it saved anywhere.

And that is where I'm getting confused:

If I'm not wrong, from now on, on every request the client makes to the server, the cookie should be added to the request.

Shouldn't the server check the cookie after it sees that no token has been passed in the Header?
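
The behaviour asked about above, sketched as an added example that is not part of the original issue and is not django-rest-framework-jwt's code: a standard-library refresh handler that takes the token from the request body and, when none is sent, falls back to the HttpOnly cookie. The names `refresh`, `sign`, `verify`, the cookie name, the secret and the lifetimes are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
COOKIE_NAME = "jwt"                  # assumed value of the JWT_AUTH_COOKIE setting
LIFETIME = 300                       # token validity in seconds (assumed)
REFRESH_WINDOW = 7 * 24 * 3600       # refresh allowed this long after orig_iat (assumed)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(payload):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64(_mac(head, body))}"

def verify(token, now):
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_mac(head, body), _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:
        raise ValueError("expired")
    return payload

def refresh(body, cookie_header, now=None):
    """Hypothetical refresh handler: returns (status, json_body, set_cookie)."""
    now = int(time.time()) if now is None else now
    jar = SimpleCookie(cookie_header or "")
    # Token from the body if present, otherwise from the cookie the browser sent.
    token = body.get("token") or (jar[COOKIE_NAME].value if COOKIE_NAME in jar else None)
    if not token:
        return 400, {"token": ["This field is required."]}, None
    try:
        old = verify(token, now)
        if old["orig_iat"] + REFRESH_WINDOW < now:
            raise ValueError("refresh window closed")
        new = sign({"sub": old["sub"], "orig_iat": old["orig_iat"], "exp": now + LIFETIME})
    except (ValueError, KeyError, TypeError) as exc:
        return 400, {"non_field_errors": [str(exc)]}, None
    out = SimpleCookie({COOKIE_NAME: new})
    out[COOKIE_NAME].update({"httponly": True, "secure": True, "samesite": "Strict", "max-age": LIFETIME})
    # The new token goes back only in Set-Cookie, so page scripts never see it.
    return 200, {"exp": now + LIFETIME}, out[COOKIE_NAME].OutputString()
```

Because the browser attaches the cookie automatically, an endpoint written this way also needs the application's CSRF protection on the POST; `SameSite=Strict` narrows that exposure but does not replace it.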
