Replies: 2 comments 1 reply
-
Hi Alken, we are working on it, and it's an important feature to have, and the core itself actually supports it as you can see in the attached code from magic.library. However, the frontend dashboard does not support it, and it would be hard to implement in it, since it's a "multi backend solution" ... If you use cookie auth, the cookie needs to be named "ticket". For your own frontend development efforts, you could use cookie auth. Not sure how valuable it would be though, since JWT is a transparent token, and you kind of want the token in the frontend to parse stuff such as usernames, roles, etc., implying that if you use server-side cookies only, you'd have to return this information with some other mechanism. But it does support it in the core ... You'd have to create your own authentication endpoint to return a cookie though. This is not as hard as it seems though, and we'll probably provide out-of-the-box cookie auth in the near future ...

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;

// Snippet from magic.library; the surrounding AddAuthentication(...) call and
// closing braces are supplied here so the handler registration is complete.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(x =>
    {
        x.Events = new JwtBearerEvents
        {
            OnMessageReceived = (context) =>
            {
                /*
                 * If token exists in cookie, we default to using cookie instead of Authorization header.
                 * This allows individual installations to use cookies to transmit JWT tokens, which
                 * arguably is more secure.
                 *
                 * Notice, we also need to allow for sockets requests to authenticate using QUERY parameters,
                 * at which point we set token to value from 'access_token' QUERY param.
                 */
                var cookie = context.Request.Cookies["ticket"];
                if (!string.IsNullOrEmpty(cookie))
                    context.Token = cookie;
                else if (context.HttpContext.Request.Path.StartsWithSegments("/sockets") && context.Request.Query.ContainsKey("access_token"))
                    context.Token = context.Request.Query["access_token"];
                return Task.CompletedTask;
            },
        };
    });
```
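The comment above says you would have to write your own authentication endpoint that returns the JWT in a cookie named "ticket" and hand the frontend the claims it can no longer read itself. The following is an added example of such an endpoint in ASP.NET Core minimal-API style; it is not code from Magic or from the commenter. The signing secret, the in-memory user table, the `/auth/login` and `/auth/logout` paths and the two-hour lifetime are all constructed for the demo, and the `System.IdentityModel.Tokens.Jwt` NuGet package is assumed to be referenced.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Tokens;

// Constructed demo-only values (assumptions, not from the page): a signing secret and an
// in-memory user table with plaintext passwords. A real deployment loads the secret from
// configuration and verifies passwords against a hashed store.
const string DemoSigningSecret = "demo-secret-replace-me-with-32-plus-random-bytes";
var demoUsers = new Dictionary<string, (string Password, string[] Roles)>
{
    ["alice"] = ("correct horse battery staple", new[] { "admin" }),
};

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Issues the JWT as an HttpOnly cookie named "ticket", the name the
// OnMessageReceived handler in magic.library reads.
app.MapPost("/auth/login", (LoginRequest req, HttpContext ctx) =>
{
    if (!demoUsers.TryGetValue(req.Username, out var user) || user.Password != req.Password)
        return Results.Unauthorized();

    var lifetime = TimeSpan.FromHours(2);
    var token = CreateJwt(req.Username, user.Roles, lifetime);

    ctx.Response.Cookies.Append("ticket", token, new CookieOptions
    {
        HttpOnly = true,                // not readable by page script, so an XSS cannot copy the token out
        Secure = true,                  // only sent over HTTPS
        SameSite = SameSiteMode.Strict, // not attached to cross-site requests; cookie auth makes CSRF relevant again
        Path = "/",
        Expires = DateTimeOffset.UtcNow.Add(lifetime),
    });

    // The frontend cannot decode an HttpOnly cookie, so return the claims it
    // needs (username, roles) in the response body instead.
    return Results.Ok(new { username = req.Username, roles = user.Roles });
});

// Logout: expire the cookie, using the same attributes so the browser matches it.
app.MapPost("/auth/logout", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Delete("ticket", new CookieOptions
    {
        HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict, Path = "/",
    });
    return Results.NoContent();
});

app.Run();

// Builds an HS256-signed JWT carrying the name and role claims.
static string CreateJwt(string username, string[] roles, TimeSpan lifetime)
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(DemoSigningSecret));
    var claims = new List<Claim> { new(ClaimTypes.Name, username) };
    claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
    var jwt = new JwtSecurityToken(
        claims: claims,
        expires: DateTime.UtcNow.Add(lifetime),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

record LoginRequest(string Username, string Password);
```

The endpoint pairs with the `OnMessageReceived` handler above: the browser attaches the `ticket` cookie automatically, the handler copies it into `context.Token`, and normal JWT validation proceeds. Because the cookie is sent automatically, `SameSite=Strict` (or an anti-forgery token) is what keeps a cross-site page from riding on the session, which is the trade-off you take on when moving the token out of `localStorage`.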
-
Thx Alken, let us know how it's going, and if you need help :)
-
So I actually came across various articles and YouTube videos stating that storing the JWT tokens locally is vulnerable and hence be prevented. So will Magic provide a way to send an HTTP-only cookie of the JWT or something similar to avoid this security issue?