devise-jwt-cookie is a devise extension based on devise-jwt. It should be used alongside devise-jwt.
- Upgraded dependencies
- Added same_site option for the cookie (defaults to "Lax")
- Added a header to return the JWT expiration to the client, with a customizable name via the expiration_header_name option. NOTE: this header is included with every response, not just the ones that set
- Removed the Authorization header that devise-jwt sets, to further secure against JS XSS attacks
- Added support for the aud header
- Only overwrite the Authorization header with the cookie value if it's not already set
Add this line to your application's Gemfile:

    gem 'devise-jwt-cookie', git: 'https://github.com/Nayya-com/devise-jwt-cookie.git', branch: 'main'

And then execute:

    bundle
First you need to set up and configure devise and devise-jwt. This gem hooks into devise-jwt to add an httpOnly cookie carrying the JWT.

You have to update the user model to be able to use the cookie method. For example:

    class User < ApplicationRecord
      devise :database_authenticatable,
             :jwt_cookie_authenticatable,
             :jwt_authenticatable, jwt_revocation_strategy: Blacklist
    end
This library can be configured by calling jwt_cookie on the devise config object:

    Devise.setup do |config|
      config.jwt do |jwt|
        # config for devise-jwt goes here
      end

      config.jwt_cookie do |jwt_cookie|
        # ...
        jwt_cookie.secure = false if Rails.env.development?
      end
    end
The following options are available on the jwt_cookie config object:

- name: The name of the cookie. Defaults to access_token.
- domain: The domain the cookie should be issued to. Will be omitted if not set.
- secure: Whether a secure cookie should be set, meaning the cookie must only be sent over a secure connection. Defaults to true.
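To make the behaviour described above concrete (the cookie being mapped to the Authorization header only when that header is not already set, the Authorization header being stripped from responses, the expiration header, and the name/domain/secure/same_site options), here is a self-contained Rack-style middleware written for this README. It is an added illustration, not the gem's own code: the gem hooks into devise-jwt rather than wrapping the app like this, and its default expiration header name is not given on this page, so the `X-Token-Expiry` name below is a placeholder. The sample token, the `ECHO_APP` stand-in for the upstream application and the `run` helper are all constructed here for the example. Only the JWT payload is decoded, to read `exp`; signature verification is left to devise-jwt, as in the real setup.

```ruby
require 'base64'
require 'json'
require 'time'

# Illustrative Rack-style middleware (not the gem's implementation). On the way
# out, a bearer token issued in the response's Authorization header is moved
# into an httpOnly cookie and its expiry exposed in a separate header. On the
# way in, the cookie is mapped back to Authorization only if that header is
# not already present.
class JwtCookieMiddleware
  DEFAULTS = {
    name: 'access_token',
    domain: nil,
    secure: true,
    same_site: 'Lax',
    expiration_header_name: 'X-Token-Expiry' # placeholder; the gem's default is not stated here
  }.freeze

  def initialize(app, options = {})
    @app = app
    @opts = DEFAULTS.merge(options)
  end

  def call(env)
    promote_cookie_to_authorization(env)
    status, headers, body = @app.call(env)
    move_authorization_to_cookie(headers)
    [status, headers, body]
  end

  private

  # Request side: cookie -> Authorization, never clobbering an explicit header.
  def promote_cookie_to_authorization(env)
    return if env['HTTP_AUTHORIZATION']
    token = parse_cookies(env['HTTP_COOKIE'])[@opts[:name]]
    env['HTTP_AUTHORIZATION'] = "Bearer #{token}" if token
  end

  # Response side: drop the bearer header so script cannot read the token, set
  # it as an httpOnly cookie, and publish only the expiry to the client.
  def move_authorization_to_cookie(headers)
    auth = headers.delete('Authorization')
    return unless auth && auth.start_with?('Bearer ')
    token = auth.sub('Bearer ', '')
    headers['Set-Cookie'] = cookie_string(token)
    exp = jwt_payload(token)['exp']
    headers[@opts[:expiration_header_name]] = Time.at(exp).utc.iso8601 if exp
  end

  def cookie_string(token)
    parts = ["#{@opts[:name]}=#{token}", 'Path=/', 'HttpOnly', "SameSite=#{@opts[:same_site]}"]
    parts << "Domain=#{@opts[:domain]}" if @opts[:domain]
    parts << 'Secure' if @opts[:secure]
    parts.join('; ')
  end

  def parse_cookies(header)
    return {} unless header
    header.split(/;\s*/).map { |kv| kv.split('=', 2) }.select { |kv| kv.size == 2 }.to_h
  end

  # Decodes the payload segment only; verifying the signature is the app's job.
  def jwt_payload(token)
    segment = token.split('.')[1]
    return {} unless segment
    JSON.parse(Base64.urlsafe_decode64(segment))
  rescue ArgumentError, JSON::ParserError
    {}
  end
end

# Constructed sample token with a known exp; the signature segment is a placeholder.
SAMPLE_EXP = 1_700_000_000
def sample_token
  header  = Base64.urlsafe_encode64('{"alg":"HS256","typ":"JWT"}', padding: false)
  payload = Base64.urlsafe_encode64({ sub: '42', exp: SAMPLE_EXP }.to_json, padding: false)
  "#{header}.#{payload}.placeholder-signature"
end

# Stand-in for the upstream app (devise-jwt): /login issues a token in the
# Authorization header; any other path echoes the Authorization it received.
ECHO_APP = lambda do |env|
  if env['PATH_INFO'] == '/login'
    [200, { 'Authorization' => "Bearer #{sample_token}" }, ['ok']]
  else
    [200, { 'X-Seen-Authorization' => env['HTTP_AUTHORIZATION'].to_s }, ['ok']]
  end
end

def run(env, options = {})
  JwtCookieMiddleware.new(ECHO_APP, options).call(env)
end

if __FILE__ == $PROGRAM_NAME
  _, headers, = run('PATH_INFO' => '/login')
  puts headers['Set-Cookie']
  puts headers['X-Token-Expiry']
end
```

Running the file prints the Set-Cookie line with HttpOnly, SameSite=Lax and Secure, followed by the expiry header. Passing `secure: false` (the development-only setting shown in the configuration above) drops the Secure attribute, and a request that already carries an Authorization header is passed through unchanged even when the cookie is present.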