JWT-token and server-session-based authentication co-exist?
Hi,
I'll try my best to describe the situation. Most of the app I am working on was built based on sessions. Then JWT-token-based authentication was added in so it can serve as the API backend of a mobile app. Now what I am trying to do is use AJAX to call the JWT-based APIs from the session-based side of the app. How do I go about this?
Those APIs will expect a JWT token, but session-based webpages don't have one. And I don't think having a metadata field for the JWT token, like the way CSRF verification is gotten around, is a good idea.
Any suggestions?
Thanks in advance.
Update: for now, I will set the token in a cookie to get around this.
I think you need to add a handler/controller which returns a JWT for the current user. Then this JWT will be used to call the protected API.
So the first call might look like this:
browser -- (GET /auth/jwt) --> Session Middleware (authenticate user by cookie) --> Controller (return JWT for current user)
Further calls to the API will use the JWT (e.g. add it to the Authorization header as 'Bearer ' + jwt). You might have an issue with CSRF for the API. IMHO it would be better to force all such requests to use some custom header (which makes all of them CORS requests) and use CORS instead of a CSRF token. It's especially true if you plan to use this API cross-origin.
If you go with CORS, with this package you can add it in less than 3 minutes.