feat: Additional httpOnly token for enhanced security in browsers

client/src/api/access-tokens.js

@@ -1,15 +1,14 @@
 import http from './http';
-import socket from './socket';
 
 /* Actions */
 
-const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
+const createAccessToken = (data, headers) =>
+  http.post('/access-tokens?withHttpOnlyToken=true', data, headers);
 
 const exchangeForAccessTokenUsingOidc = (data, headers) =>
-  http.post('/access-tokens/exchange-using-oidc', data, headers);
+  http.post('/access-tokens/exchange-using-oidc?withHttpOnlyToken=true', data, headers);
 
-const deleteCurrentAccessToken = (headers) =>
-  socket.delete('/access-tokens/me', undefined, headers);
+const deleteCurrentAccessToken = (headers) => http.delete('/access-tokens/me', undefined, headers);
 
 export default {
   createAccessToken,

client/src/api/http.js

@@ -5,7 +5,7 @@ import Config from '../constants/Config';
 const http = {};
 
 // TODO: add all methods
-['GET', 'POST'].forEach((method) => {
+['GET', 'POST', 'DELETE'].forEach((method) => {
   http[method.toLowerCase()] = (url, data, headers) => {
     const formData =
       data &&
@@ -19,6 +19,7 @@ const http = {};
       method,
       headers,
       body: formData,
+      credentials: 'include',
     })
       .then((response) =>
         response.json().then((body) => ({

client/src/constants/Config.js

@@ -1,11 +1,12 @@
 const { BASE_URL } = window;
+
 const BASE_PATH = BASE_URL.replace(/^.*\/\/[^/]*(.*)[^?#]*.*$/, '$1');
 
 const SERVER_BASE_URL =
   process.env.REACT_APP_SERVER_BASE_URL ||
   (process.env.NODE_ENV === 'production' ? BASE_URL : 'http://localhost:1337');
-const SERVER_BASE_PATH = SERVER_BASE_URL.replace(/^.*\/\/[^/]*(.*)[^?#]*.*$/, '$1');
 
+const SERVER_BASE_PATH = SERVER_BASE_URL.replace(/^.*\/\/[^/]*(.*)[^?#]*.*$/, '$1');
 const SERVER_HOST_NAME = SERVER_BASE_URL.replace(/^(.*\/\/[^/?#]*).*$/, '$1');
 
 const ACCESS_TOKEN_KEY = 'accessToken';