feat: Additional httpOnly token for enhanced security in browsers

2025-07-30 18:49:44 +02:00 · 2024-09-01 09:31:04 +02:00 · 2024-09-01 09:31:04 +02:00 · 50519f1bcd
commit 50519f1bcd
parent d4043c9726
18 changed files with 171 additions and 48 deletions
--- a/client/src/api/access-tokens.js
+++ b/client/src/api/access-tokens.js
@ -1,15 +1,14 @@
 import http from './http';
-import socket from './socket';

 /* Actions */

-const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
+const createAccessToken = (data, headers) =>
+  http.post('/access-tokens?withHttpOnlyToken=true', data, headers);

 const exchangeForAccessTokenUsingOidc = (data, headers) =>
-  http.post('/access-tokens/exchange-using-oidc', data, headers);
+  http.post('/access-tokens/exchange-using-oidc?withHttpOnlyToken=true', data, headers);

-const deleteCurrentAccessToken = (headers) =>
-  socket.delete('/access-tokens/me', undefined, headers);
+const deleteCurrentAccessToken = (headers) => http.delete('/access-tokens/me', undefined, headers);

 export default {
  createAccessToken,
--- a/client/src/api/http.js
+++ b/client/src/api/http.js
@ -5,7 +5,7 @@ import Config from '../constants/Config';
 const http = {};

 // TODO: add all methods
-['GET', 'POST'].forEach((method) => {
+['GET', 'POST', 'DELETE'].forEach((method) => {
  http[method.toLowerCase()] = (url, data, headers) => {
    const formData =
      data &&
@ -19,6 +19,7 @@ const http = {};
      method,
      headers,
      body: formData,
+      credentials: 'include',
    })
      .then((response) =>
        response.json().then((body) => ({