Our great sponsors
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
I am using dj-rest-auth for authentication. I am using JWT token authentication. All advice on JWT tokens is to not store them in local storage. Instead, using this package I store them in HttpOnly cookie. Now, I am apparently vulnerable to CSRF attack. So I enable JWT_AUTH_COOKIE_USE_CSRF. This checks the CSRF token on authenticated requests. However, there is still the potential vulnerability known as "login CSRF" as detailed by this issue on Github. In order to account for this, there is another setting called JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED. This enforces CSRF on unauthenticated views (such as login).
Related posts
- Social authentication in django rest framework.
- How can I add Login/Register/Logout endpoint
- How can I add Login/Register/Logout endpoints?
- How could we do a reliable social authentication api with custom user model?
- Login error when using Google OAuth with dj-rest-auth. Getting "redirect_uri_mismatch" error but the callback url seems to be configured correctly