Use `auth` cookie set by backend instead of `jwt` (fixes #2193) #2208
Conversation
You can use |
I'm not setting any path, seems like the library or browser is doing it automatically. Should I change it to a different one? Btw if there is an existing |
I've got this accounted for in #2210. Unfortunately we still have to use the manual set method for various reasons:
|
We could also change how the cookie is set by the backend. |
I think session cookies are intended to expire right after you close that tab / app. But it's probably better for clients / apps to decide their own expirations anyway, and if we do have any expiration, have it built into the JWT. If we wanted to be consistent, I'd argue that maybe setting a cookie and JWT expiration of a year or so might be a good idea. Security ppl will hate that, but less-so than now. |
I didn't know that there are so many different options for cookies. Should we get rid of the code that sets cookies in backend then? |
Tough call... I'd bring it up in one of the dev matrix chats. I do think it'd be much simpler tho to only support the Authorization Bearer header. Applies to not just cookie setting, but cookie reading too. |
I would still read the cookie for request auth besides the header, but only if it was explicitly set by the client. |
I think #2193 happens because lemmy-ui still uses the `jwt` cookie while the backend automatically sets `auth` on login. So by switching lemmy-ui to the same cookie it should prevent the login error. Unfortunately I can't reproduce the problem locally so I'm not certain.

Requires LemmyNet/lemmy-js-client#208