docs: csrf handling
parent
42409429e6
commit
2dde8d7942
@ -18,9 +18,10 @@ Endpoints protected with `requireAccessToken` middleware:
- `GET /auth/admin/all`: As an administrator, list all users stored in the system (adjustable with pagination URL parameters) -> Array of `userResponse` DTOs
- `DELETE /auth/admin/{userID}`: As an administrator, delete a specific user -> HTTP 204 response
Endpoints protected with `requireRefreshToken` middleware:
Endpoints protected with `requireRefreshToken` and `gorilla/csrf` middlewares:
- `POST /auth/refresh`: Perform token rotation (revokes the old refresh token server-side) -> Cookie with new refresh token and response with access token
- `GET /auth/cookie/csrf`: Get new CSRF token -> HTTP 204 response with the token set in the `X-CSRF-Token` response header
- `POST /auth/cookie/refresh`: Perform token rotation (revokes the old refresh token server-side) -> Cookie with new refresh token and response with access token
## Notes
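Review bot: the new `GET /auth/cookie/csrf` bullet says where the CSRF token is returned (the `X-CSRF-Token` response header) but the `POST /auth/cookie/refresh` bullet does not say where the client must send it back, and that is the step callers will get wrong. gorilla/csrf by default reads the token from the `X-CSRF-Token` request header (or the `gorilla.csrf.Token` form field) and answers a missing or mismatched token with HTTP 403, so the refresh bullet should state the request header and the 403 outcome. It is also worth a sentence that the token is bound to the cookie gorilla/csrf sets, so the `GET /auth/cookie/csrf` call and the `POST /auth/cookie/refresh` call must share the same cookie jar. Finally, `POST /auth/refresh` is shown replaced by `POST /auth/cookie/refresh` with an identical description; if the old path is gone from the server, say so under a "breaking change" line, and if it is still served without the CSRF check, it should stay documented with that caveat.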
@ -40,7 +41,7 @@ All notes related endpoints are protected with `requireAccessToken` middleware,

- Store access token in memory (never in `localStorage`)
- Store access and CSRF tokens in memory (never in `localStorage`)
- Automatically handle 401 responses by attempting token refresh
- Queue pending requests during token refresh, if necessary
- Clear local tokens on logout (`POST /auth/logout`)
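Review bot: the "Store access and CSRF tokens in memory" line needs a companion step in the client recommendations, because an in-memory CSRF token is lost on every page reload while the refresh cookie survives, so the first `POST /auth/cookie/refresh` after a reload will be rejected unless the client first calls `GET /auth/cookie/csrf`. The "Automatically handle 401 responses" bullet covers only the access-token case; add a bullet that a 403 on the refresh endpoint means a missing or stale CSRF token and should be handled by re-fetching the token and retrying once, not by treating the session as expired. The logout bullet should also say that the CSRF token is dropped together with the access token, since the next line only mentions "local tokens" generically.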
File diff suppressed because one or more lines are too long (image file: before 193 KiB, after 224 KiB)
File diff suppressed because one or more lines are too long (image file: before 194 KiB, after 268 KiB)