1👍
In order for things to be secure:
- You need CORS (Quickstart: CORS_ALLOWED_HOSTS=["http://localhost:3000"], CORS_ALLOW_CREDENTIALS=True)
- The short-lived token (session) cookie (5-15 mins) should NOT have the HTTP-ONLY setting
- The refresh token cookie SHALL have the HTTP-ONLY setting
Then your basic flow is:
- On login Django creates a session token and sends it
- Your SPA reads the cookie and adds its value to the authorization header (Authorization: JWT …token…)
- Any request to Django should be made with that Authorization header
The refresh flow is:
- Send a request to the refresh token endpoint following the documentation of the library you use
- Django then reads the HTTP-ONLY cookie and verifies it
- If valid, Django sends a new refresh token as an HTTP-ONLY cookie along with a new short-lived session token cookie
- Once the refresh token has expired, you log the user out.
An article here goes into detail using GraphQL, but you should be able to adapt the cookie part and most of the frontend handling to REST.
Source:stackexchange.com
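The server side of the flow described in the answer above, as an added example that is not from the answer or from any particular Django library: a minimal HS256 JWT, the two Set-Cookie headers (access cookie readable by the SPA, refresh cookie HttpOnly), the Authorization-header check, and the refresh endpoint that rotates both tokens or signals logout when the refresh token has expired. The signing key, lifetimes and cookie paths are constructed assumptions, and the framework-independent functions stand in for Django views.

```python
import base64, hashlib, hmac, json
from http.cookies import SimpleCookie
from typing import Optional

SECRET = b"constructed-demo-secret"        # assumption: HS256 key, kept server-side only
ACCESS_TTL, REFRESH_TTL = 10 * 60, 7 * 24 * 3600  # 10 min (post's 5-15 min) / 7 days (assumption)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token: str, expected_type: str, now: float) -> Optional[dict]:
    """Return the claims if signature, token type and expiry all check out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("typ") != expected_type or claims.get("exp", 0) <= now:
        return None
    return claims

def issue_cookies(user: str, now: float) -> dict:
    """Set-Cookie values: access cookie readable by the SPA, refresh cookie HttpOnly."""
    access = make_jwt({"sub": user, "typ": "access", "exp": int(now + ACCESS_TTL)})
    refresh_tok = make_jwt({"sub": user, "typ": "refresh", "exp": int(now + REFRESH_TTL)})
    return {"access": f"access={access}; Secure; SameSite=Strict; Path=/",
            "refresh": f"refresh={refresh_tok}; HttpOnly; Secure; SameSite=Strict; Path=/api/refresh"}

def authenticate_request(headers: dict, now: float) -> Optional[dict]:
    """API side: the SPA copied the access cookie into 'Authorization: JWT <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return verify_jwt(token, "access", now) if scheme == "JWT" and token else None

def refresh(cookie_header: str, now: float) -> Optional[dict]:
    """Refresh endpoint: read the HttpOnly cookie, verify, rotate both tokens; None means log out."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    claims = verify_jwt(jar["refresh"].value, "refresh", now) if "refresh" in jar else None
    return issue_cookies(claims["sub"], now) if claims else None
```

Because the refresh cookie is HttpOnly and scoped to the refresh path, script in the SPA never sees it; only the access token, which expires within minutes, is exposed to JavaScript.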