I have an application that uses JWT authentication with Guardian. When a user signs in, the response contains the JWT in the body. The front-end (which is an SPA) then stores that JWT in localStorage and attaches it to the `Authorization` header of every request sent from then on. The server then verifies this using Guardian's built-in verification plug:
```elixir
pipeline :api do
  plug :accepts, ["json"]
  plug Guardian.Plug.VerifyHeader, realm: "Bearer"
end
```
I would like to change this so that, instead of storing the JWTs in localStorage (which isn't secure), the server sends them to the front-end as secure cookies (with the `Secure` and `HttpOnly` settings). I then want Guardian to read the JWT from the cookie, rather than from the `Authorization` header.

Does Guardian support this functionality?
Here is my `SessionController` `create` function:
```elixir
def create(conn, params) do
  case authenticate(params) do
    {:ok, user} ->
      # Sign the user in and pull the freshly issued token off the conn
      new_conn = Guardian.Plug.api_sign_in(conn, user, :access)
      jwt = Guardian.Plug.current_token(new_conn)

      new_conn
      |> put_status(:created)
      |> render("show.json", user: user, jwt: jwt)

    :error ->
      conn
      |> put_status(:unauthorized)
      |> render("error.json")
  end
end
```
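One way to get the behaviour described in the question without waiting on Guardian itself, as an added example that is not from the question or from the Guardian project: keep `Guardian.Plug.VerifyHeader` exactly as it is, set the token as an `HttpOnly`/`Secure` response cookie at sign-in, and put a small plug in front of `VerifyHeader` that copies the cookie value into the `Authorization` header when no header was sent. The cookie name `auth_token`, the module name `MyApp.Plugs.TokenFromCookie` and the `max_age` value are assumptions; `fetch_cookies/1`, `get_req_header/2`, `put_req_header/3` and `put_resp_cookie/4` are standard `Plug.Conn` functions.

```elixir
# Added example, not from the question or from Guardian.
# Assumes Guardian 0.x (api_sign_in/3, VerifyHeader as in the question)
# and the cookie/header helpers from Plug.Conn.

defmodule MyApp.Plugs.TokenFromCookie do
  @moduledoc """
  If the request carries no Authorization header but does carry the auth
  cookie, copy the cookie value into the header so the unchanged
  Guardian.Plug.VerifyHeader (realm: "Bearer") can verify it.
  """
  import Plug.Conn

  @cookie_name "auth_token" # assumed cookie name

  def init(opts), do: opts

  def call(conn, _opts) do
    conn = fetch_cookies(conn)

    case {get_req_header(conn, "authorization"), conn.cookies[@cookie_name]} do
      # no header, but a cookie: reinject it as a Bearer header
      {[], jwt} when is_binary(jwt) ->
        put_req_header(conn, "authorization", "Bearer " <> jwt)

      # header already present (or no cookie at all): leave the conn alone
      _ ->
        conn
    end
  end
end

# Router: the cookie plug must run before VerifyHeader.
#
#   pipeline :api do
#     plug :accepts, ["json"]
#     plug MyApp.Plugs.TokenFromCookie
#     plug Guardian.Plug.VerifyHeader, realm: "Bearer"
#   end

defmodule MyApp.SessionController do
  use MyApp.Web, :controller

  def create(conn, params) do
    case authenticate(params) do
      {:ok, user} ->
        new_conn = Guardian.Plug.api_sign_in(conn, user, :access)
        jwt = Guardian.Plug.current_token(new_conn)

        new_conn
        # HttpOnly: the SPA's JavaScript cannot read the token.
        # Secure: the browser only sends it over HTTPS.
        # max_age is an assumed value; align it with the token's ttl.
        |> put_resp_cookie("auth_token", jwt,
             http_only: true,
             secure: true,
             max_age: 60 * 60)
        |> put_status(:created)
        # token is no longer returned in the body
        |> render("show.json", user: user)

      :error ->
        conn
        |> put_status(:unauthorized)
        |> render("error.json")
    end
  end

  # authenticate/1 is the question's own helper; its body is not shown there.
  defp authenticate(_params), do: :error
end
```

Two things change on the client side once the token lives in a cookie: the SPA must send requests with credentials (for example `credentials: "include"` with `fetch`), and because the browser now attaches the token automatically, the API needs CSRF protection that a header-only scheme got for free (on Plug 1.8 or later, `same_site: "Strict"` on the cookie is the simplest first step).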