I have the following request being sent in React Native:

const getData = async (cookie) => {
    // Deliberately no 'X-CSRF-TOKEN' header here, to check that the GET is rejected without it
    const resp = await fetch('/some_info');
    const data = await resp.json();
    console.log(data);
};

as you can see I purposefully did not add the appropriate header:

headers: {
    'X-CSRF-TOKEN': value,
}

in the request because I wanted to verify that the GET request would fail without it.

The following are my configs:

JWT_ACCESS_TOKEN_EXPIRY_MINS = 15
JWT_REFRESH_TOKEN_EXPIRY_MINS = 1000
JWT_TOKEN_LOCATION = ['cookies']
JWT_COOKIE_CSRF_PROTECT = True
JWT_COOKIE_SECURE = False  # change to True in prod

And in my browser I can see the following relevant cookies:

[screenshot of the relevant cookies, not reproduced]

The endpoint is defined as follows:

from flask import Flask, jsonify
from flask_jwt_extended import jwt_required, get_jwt_identity

app = Flask(__name__)

@app.route('/some_info', methods=['GET'])
@jwt_required
def get_some_info():
    user_identity = get_jwt_identity()
    # look up the user's details from the identity stored in the JWT
    name = get_user_name_from_identity(user_identity)
    age = get_user_age_from_identity(user_identity)
    return jsonify({
        'name': name,
        'age': age
    })

When the request happens, in the console log I get a 200 and am able to see the JSON data. In the Request Headers (using Chrome Inspector) I see that the X-CSRF-TOKEN is never set. Why is this happening / why is the request going through?

From JWT Extended Documentation:

# By default, the CSRF cookies will be called csrf_access_token and
# csrf_refresh_token, and in protected endpoints we will look for the
# CSRF token in the 'X-CSRF-TOKEN' header. You can modify all of these
# with various app.config options. Check the options page for details.
39fredy

1 Answer

The answer is in the documentation. CSRF protection only happens on methods that can mutate data, aka not GET.

Here is the documentation:

JWT_CSRF_METHODS
The request types that will use CSRF protection. Defaults to ['POST', 'PUT', 'PATCH', 'DELETE']

You can test that it works by adding GET to the list or calling a POST-type endpoint.

39fredy