researchequals/api
1
0
Fork 0
Code Issues 29 Pull requests Projects Releases Packages Activity

fix(security): restrict refresh token scope #103

New issue
Open
opened 2025-11-04 11:24:14 +00:00 by chartgerink · 1 comment
chartgerink commented 2025-11-04 11:24:14 +00:00
Owner
Copy link

Set-Cookie: refreshToken=...; HttpOnly; Secure; SameSite=Strict; Path=/api/auth/refresh; Max-Age=604800

This helps secure the refresh token to only be transmitted when the appropriate endpoint is used. See also

https://junkangworld.com/blog/the-definitive-guide-to-refreshing-httponly-tokens#implementation-flow

> `Set-Cookie: refreshToken=...; HttpOnly; Secure; SameSite=Strict; Path=/api/auth/refresh; Max-Age=604800` This helps secure the refresh token to only be transmitted when the appropriate endpoint is used. See also https://junkangworld.com/blog/the-definitive-guide-to-refreshing-httponly-tokens#implementation-flow
chartgerink added this to the v2.0.0 milestone 2025-11-04 11:24:14 +00:00
chartgerink commented 2025-11-05 14:26:29 +00:00
Author
Owner
Copy link

Will have to handle the middleware as it currently uses the presence/absence of refresh token in the logic.

access refresh result
x _ 200 (if valid)
_ x 401
_ _ _

It is important that the refresh process stays functional.

Will have to handle the middleware as it currently uses the presence/absence of refresh token in the logic. | access | refresh | result | | -- | -- | -- | | x | _ | 200 (if valid) | | _ | x | 401 | | _ | _ | _ | It is important that the refresh process stays functional.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix/92
add/frontend
No results found.
Labels
Clear labels   
bug

Something is not working

  
critical

issues that are blocking other work, high importance + urgent

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
future

Not on the docket right now. Keeping the issue for future work.

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
critical
duplicate
enhancement
future
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
v2.0.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
researchequals/api#103
No description provided.