How to implement token authentication using httponly cookie in Django and DRF

I'm building an application with Django, DRF and currently using vanilla JS as the frontend for now.

I searched almost all through the web for different use cases for authentication on the web and I found different links, but these links seem to always favour session authentication and token authentication.

Using Django helps us with session authentication by default, so I decided to study the auth process using token auth.

While doing this, I initially used localStorage as a store for the tokens gotten from the backend response after the user authenticates, but for some reasons which are valid, most devs/engineers advise against using localStorage as it makes one prone to XSS attacks.

So I decided to implement the httponly cookie method, but I haven't seen a practical use of this done on Django; I've seen theories on implementing all these but haven't seen someone do this.

Please, how can I use the httponly cookie with my token stored as a cookie with Django?

EDIT: I know an httponly cookie does not allow JavaScript to access the cookie, so I decided to do this:

  1. Django sends the httponly cookie with the token as the cookie.

  2. The user makes a request to the backend.

  3. The server gets the token from the cookie sent as a request from the backend.

  4. "Where the problem now comes": I can't set the token as a header in Django. I tried using request.headers['Autho...] = Token.... but that doesn't allow item assignment. So if my logic is correct, this is where I'm stuck.

EDIT: So this time, I am now able to add a header from the server, using request.META to pass an Authorization key with the Token.... value. That seems to work fine instead of having to use request.headers for the assignment.

But something happened which shocked me: as much as I'm able to change or add an authorization token from the server, the view still gives me an error, much like I never passed a token at all.

It's like after all the effort nothing still changes, except if it's requested from the client side. Guess I will have to stick with localStorage for now, but still research more or wait for answers.

I've done the authentication with a token using an httponly cookie.

I recall when I asked questions and some loving guys from here helped, though we couldn't see a straight-off answer as we had to research and think as well...

The steps I used were these:

  1. Django takes in the user credentials.

  2. Django authenticates those credentials.

  3. A token is exchanged for that data.

  4. We set the token to a cookie using set_cookie(...., httponly=True).

**Then it was now time for the real workout.**

  1. I created a middleware which will be responsible for setting the token to an Authorization key in the header dict, instead of allowing the client to do this. ---- The client couldn't handle this because it was now an httponly flag which will prevent JS from accessing it, as the purpose of using httponly was to prevent XSS attacks when tokens/cookies are normally stored in browser storage.

  2. We then handle the middleware to our taste; in mine I tried making sure it works for only some views and not all views (I'm planning on making a custom decorator for it).

  3. Then, last, we'll have fun and smile at seeing me create something like this without a previous tutorial...

The GitHub repo link: https://github.com/HarryAustin/tweeter-DrfTest-httonlycookie
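The cookie-to-header middleware the answer describes, written out as an added example (this is not code from the linked repo). It assumes DRF's TokenAuthentication, which reads "Token <key>" from request.META["HTTP_AUTHORIZATION"]; the cookie name auth_token, the /api/ prefix and the fake_request helper are assumptions made here for illustration.

```python
from types import SimpleNamespace

# Assumed names for this example: the cookie name and the /api/ prefix are
# choices, not values from the linked repo. DRF's TokenAuthentication reads
# "Token <key>" from request.META["HTTP_AUTHORIZATION"].
AUTH_COOKIE_NAME = "auth_token"
PROTECTED_PREFIXES = ("/api/",)

def attach_token_from_cookie(request, cookie_name=AUTH_COOKIE_NAME,
                             protected_prefixes=PROTECTED_PREFIXES):
    """Copy the token cookie into request.META["HTTP_AUTHORIZATION"].

    Django exposes incoming headers in request.META under HTTP_<NAME>, which
    is why assigning to request.headers fails but request.META works. Runs
    only for protected paths, never overrides a header the client sent, and
    rejects cookie values containing whitespace. Returns True if injected.
    """
    if not request.path.startswith(protected_prefixes):
        return False
    if "HTTP_AUTHORIZATION" in request.META:
        return False
    token = request.COOKIES.get(cookie_name)
    if not token or any(ch.isspace() for ch in token):
        return False
    request.META["HTTP_AUTHORIZATION"] = f"Token {token}"
    return True

class TokenCookieMiddleware:
    """Django-style middleware; list it in MIDDLEWARE so it runs before views."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        attach_token_from_cookie(request)
        return self.get_response(request)

def login_cookie_kwargs(token, max_age=24 * 60 * 60):
    """Keyword arguments for response.set_cookie() after a successful login."""
    return dict(key=AUTH_COOKIE_NAME, value=token, max_age=max_age,
                httponly=True, secure=True, samesite="Lax", path="/")

def fake_request(path, cookies=None, meta=None):
    """Constructed stand-in for django.http.HttpRequest so this runs offline."""
    return SimpleNamespace(path=path, COOKIES=dict(cookies or {}),
                           META=dict(meta or {}))
```

Because the browser now attaches the token to every matching request on its own, keep Django's CSRF middleware active for these routes; the Secure and SameSite flags above limit where the cookie is sent.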
