Is there a way to work with the refresh token in httponly cookie?

[afuno]

Hello. Is there a way to implement the following?

• The app stores the access token only in vuex.
• The app understands that it should work with a refresh token, but this token is stored only in the backend in the httponly cookie.

When the page is fully refreshed, the app does not have an access token. And it must go through the refresh endpoint to receive data.

Now I see that this library can store data either in a cookie, or in localStorage, or it is possible to disable this.

[afuno]

Why when I set the required option for refreshToken to false and when the accessToken becomes invalid, I get it in my backend?

"app.refresh_token.local_user"=>"true"

It is wrong to store refreshToken this way. How can I use httpOnly, which installs my backend? I want my backend to use the cookie that it created itself.

I started writing my own solution which has nothing to do with your library. And there it works. But this is additional time that I would not want to waste. Please tell me, can your library implement such an obvious functionality, or is there no point in wasting time on it and using it?

[LeeKrane]

Could you share your own solution please? I currently have the exact same problem, and I don't really wanna remove the HttpOnly cookie.

[loichu]

I have the exact same issue here... I'm trying to achieve the exact same authentication but it's really a pain... It is in my sense the only secure way to authenticate to my own API.

This is what I expect but don't find a way to do via configuration:

• Set an httpOnly cookie containing the refreshToken
• Choose a refresh strategy (like on 401 or on token expiry or automatically using a timer)
• The access token should be stored in memory using VueX
• All this complexity should be abstracted and hidden away from the frontend dev

I would also be interested to see a custom implementation of the mentioned requirements if someone wants to share :)

EDIT:
After some investigation, I found out that an httpOnly cookie can only be set by the server (I initially thought that it was a kind of write-only cookie). So the JWT auth strategy should only care about the access token and when expired, try to refresh by sending a request with the httpOnly cookie. If succeed: replace access token by the new one in vuex, if it fails: you're redirected to login.
Shouldn't this be an option ? I think it is useless and unsecure to leave both tokens accessible by client code...

Tell me if I'm wrong :)

[steklopod]

I don't understand the problem.
My nuxt-auth token cookie:

I send it from my backend in the response body in /login endpoint (refresh_token field).

My nuxt.config.ts:

refreshToken: {
          property: 'refresh_token',
          tokenRequired: false,
          maxAge: 60 * 60 * 24 * 21
        },

[roymckenzie]

I'd like to also mention that having the ability to extract the refresh_token from the httpOnly cookie while using refresh strategy would be great.

[loichu]

Hi ! I didn't investigate further but I think that the default behavior of nuxt-auth (storing all tokens everywhere) is a security issue and it's a shame that there is no good documentation on how to implement the recommended auth flow (httpOnly refresh and in-memory access). Unfortunately there is no way to "extract" an httpOnly cookie because the whole point of it is to not be extractable.

[roymckenzie]

Thank you for responding. Upon further investigation I also now understand that the httpOnly cookie is not extractable. And the reasons sense. I am of the understanding the cookie is communicated back in the headers automatically, but I haven't tested that in my application yet.