Make auth JWTs http-only cookies (by default) #12303
Replies: 7 comments
-
I'd like to +1 this, although I don't need http-only cookie auth by default. I've needed cookie-based auth before and Supabase doesn't provide much easy support for that, last time I checked. I need my session cookies to come from my API server (same server I host my webapp on) and not the Supabase GoTrue server. Perhaps on my API server I could make requests to GoTrue to create and check session info and then put it in a cookie to send to the client? It would be helpful if Supabase streamlined this. I did end up creating my own session cookie system, but at that point I feel like I'm fighting against Supabase.
-
let me know if this helps https://chat.elapse.ai/conversation/7da14426-e0cd-40ac-9485-709ccacc55bd
-
I also noticed this and when I checked the docs, it states that it is not needed. I wonder how they handle the security issues relating to setting the cookie httpOnly option to false https://supabase.com/docs/guides/auth/server-side-rendering#how-do-i-make-the-cookies-httponly-
-
I think I need HTTP-only cookies to work around the size limit (see this issue for details). Does anyone have any pointers to setting that up? @omarelshiltawi your link now 404s.
-
I am using Supabase for authentication with Next.js and writing my backend API in Express. But the main question is how to change the configuration, so that I can access the token set in the cookies in Express to verify it in a middleware?
-
HTTP-Only cookies are not an option unless you're making a very traditional web app using frameworks like Rails, Laravel, Django, traditional Express etc. Even then, use of JavaScript on the frontend should be limited and not be interactive (i.e. no third-party API calls to Supabase Data APIs for example). If that's the case, you must use Supabase Auth on the server only and configure the
-
Yeah, likely never gonna be the default in Supabase. I recently played around with this, and it's easy to do a basic implementation using Supabase's SSR package: https://discord.com/channels/839993398554656828/1240082081183436830/1240082081183436830
-
Correct me if I am mistaken, but the default way of sending cookies to the client is using local storage. If I want to set up http-only cookies, I have to add another webserver as a middleware that would take the Supabase response and replace the header being sent with an http-only cookie.
This is a major concern for me. I tend to use JWT tokens as data carriers for ABAC authorization on my services (the signing key is first verified, then a service-scoped policy uses the JWT claims to handle authZ locally and without making a call to an IAM server or to a gateway) and I don't want this data to be exposed to the client.
Is there a way to send http-only cookies directly from Supabase? If not, could you please add that feature to the app as soon as possible? I could add a middleware webserver, but that would kill the purpose of using Supabase for authN. When it comes to session security, providing at least an option to configure http-only tokens which cannot be accessed from client scripts is a must, especially when many Supabase users are entry level developers. The lack of this feature might expose a large number of applications to vulnerabilities (mostly to XSS attacks, but not limited to that).