Add JWT httpOnly cookie storage.

README.rst

@@ -132,6 +132,64 @@ refresh token to obtain another access token:
   ...
   {"access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNTY3LCJqdGkiOiJjNzE4ZTVkNjgzZWQ0NTQyYTU0NWJkM2VmMGI0ZGQ0ZSJ9.ekxRxgb9OKmHkfy-zs1Ro_xs1eMLXiR17dIDBVxeT-w"}
 
+JWT httpOnly cookie storage
+---------------------------
+
+JWT tokens can be stored in cookies for web applications. Cookies, when used
+with the HttpOnly cookie flag, are not accessible through JavaScript, and are
+immune to XSS. To guarantee the cookie is sent only over HTTPS, set Secure
+cookie flag.
+
+To enable cookie storage set ``AUTH_COOKIE`` name:
+
+.. code-block:: python
+
+    SIMPLE_JWT = {
+        'AUTH_COOKIE': 'Authorization',
+    }
+
+Since httpOnly cookies are not accessible via JavaScript, cookies must be deleted by a server request to log out.
+
+In your root ``urls.py`` file (or any other url config), include routes for
+``TokenCookieDeleteView``:
+
+.. code-block:: python
+
+  urlpatterns = [
+      ...
+      path('api/token/delete/', TokenCookieDeleteView.as_view(), name='token_delete'),
+      ...
+  ]
+
+To prevent Cross-Site Request Forgery, the ``csrftoken`` (specified by ``CSRF_COOKIE_NAME`` setting) cookie will also be
+set when issuing the JWT authentication cookie. This works in conjunction with django csrf middleware. The cookie
+contains another token which should be included in the ``X-CSRFToken`` header (as specified by the ``CSRF_HEADER_NAME``
+setting) on every requests via unsafe methods, such as POST, PUT, PATCH and DELETE.
+
+Usage
+-----
+
+To verify that cookies are working, you can use curl to issue a couple of test requests:
+
+.. code-block:: bash
+
+  curl \
+    -X POST \
+    -H "Content-Type: application/json" \
+    -d '{"username": "davidattenborough", "password": "boatymcboatface"}' \
+    --cookie-jar cookies.txt \
+    http://localhost:8000/api/token/
+
+Copy returned csrftoken cookie value from cookies.txt file (while using curl) to X-CSRFToken header:
+
+.. code-block:: bash
+
+  curl \
+    -X POST \
+    -H "X-CSRFToken: fUgacGTt55Cq8Gzp9lz1rxSxa9CoSB9mYPIGgne35FuVC2g7doAjQSupZQkFh4H9" \
+    --cookie ./cookies.txt \
+    http://localhost:8000/api/some-protected-view/
+
 Settings
 --------
 
@@ -170,6 +228,12 @@ Some of Simple JWT's behavior can be customized through settings variables in
       'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
       'SLIDING_TOKEN_LIFETIME': timedelta(minutes=5),
       'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
+
+      'AUTH_COOKIE': None,
+      'AUTH_COOKIE_DOMAIN': None,
+      'AUTH_COOKIE_SECURE': False,
+      'AUTH_COOKIE_PATH': '/',
+      'AUTH_COOKIE_SAMESITE': 'Lax',
   }
 
 Above, the default values for these settings are shown.
@@ -301,6 +365,24 @@ SLIDING_TOKEN_REFRESH_EXP_CLAIM
   The claim name that is used to store the expiration time of a sliding token's
   refresh period.  More about this in the "Sliding tokens" section below.
 
+AUTH_COOKIE
+  Cookie name. Enables auth cookies if value is set.
+
+AUTH_COOKIE_DOMAIN
+  A string like "example.com", or None for standard domain cookie.
+
+AUTH_COOKIE_SECURE
+  Whether to use a secure cookie for the session cookie. If this is set to
+  True, the cookie will be marked as secure, which means browsers may ensure
+  that the cookie is only sent under an HTTPS connection.
+
+AUTH_COOKIE_PATH
+  The path of the auth cookie.
+
+AUTH_COOKIE_SAMESITE
+  Whether to set the flag restricting cookie leaks on cross-site requests.
+  This can be 'Lax', 'Strict', or None to disable the flag.
+
 Customizing token claims
 ------------------------
 

rest_framework_simplejwt/authentication.py

@@ -1,5 +1,6 @@
 from django.utils.translation import gettext_lazy as _
-from rest_framework import HTTP_HEADER_ENCODING, authentication
+from rest_framework import HTTP_HEADER_ENCODING, authentication, exceptions
+from rest_framework.authentication import CSRFCheck
 
 from .exceptions import AuthenticationFailed, InvalidToken, TokenError
 from .settings import api_settings
@@ -16,6 +17,19 @@
 )
 
 
+def enforce_csrf(request):
+    """
+    Enforce CSRF validation.
+    """
+    check = CSRFCheck()
+    # populates request.META['CSRF_COOKIE'], which is used in process_view()
+    check.process_request(request)
+    reason = check.process_view(request, None, (), {})
+    if reason:
+        # CSRF failed, bail with explicit error message
+        raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
+
+
 class JWTAuthentication(authentication.BaseAuthentication):
     """
     An authentication plugin that authenticates requests through a JSON web
@@ -26,15 +40,25 @@ class JWTAuthentication(authentication.BaseAuthentication):
     def authenticate(self, request):
         header = self.get_header(request)
         if header is None:
-            return None
-
-        raw_token = self.get_raw_token(header)
+            if not api_settings.AUTH_COOKIE:
+                return None
+            else:
+                raw_token = request.COOKIES.get(api_settings.AUTH_COOKIE) or None
+        else:
+            raw_token = self.get_raw_token(header)
         if raw_token is None:
             return None
 
         validated_token = self.get_validated_token(raw_token)
 
-        return self.get_user(validated_token), validated_token
+        user = self.get_user(validated_token)
+        if not user or not user.is_active:
+            return None
+
+        if api_settings.AUTH_COOKIE:
+            enforce_csrf(request)
+
+        return user, validated_token
 
     def authenticate_header(self, request):
         return '{0} realm="{1}"'.format(

rest_framework_simplejwt/settings.py

@@ -34,6 +34,18 @@
     'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
     'SLIDING_TOKEN_LIFETIME': timedelta(minutes=5),
     'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
+
+    # Cookie name. Enables cookies if value is set.
+    'AUTH_COOKIE': None,
+    # A string like "example.com", or None for standard domain cookie.
+    'AUTH_COOKIE_DOMAIN': None,
+    # Whether the auth cookies should be secure (https:// only).
+    'AUTH_COOKIE_SECURE': False,
+    # The path of the auth cookie.
+    'AUTH_COOKIE_PATH': '/',
+    # Whether to set the flag restricting cookie leaks on cross-site requests.
+    # This can be 'Lax', 'Strict', or None to disable the flag.
+    'AUTH_COOKIE_SAMESITE': 'Lax',
 }
 
 IMPORT_STRINGS = (

rest_framework_simplejwt/views.py

@@ -1,6 +1,15 @@
+from datetime import datetime
+
+from django.middleware import csrf
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import generics, status
+from rest_framework.exceptions import NotAuthenticated
 from rest_framework.response import Response
+from rest_framework.reverse import reverse
+from rest_framework.views import APIView
 
+from rest_framework_simplejwt.settings import api_settings
+from rest_framework_simplejwt.tokens import RefreshToken
 from . import serializers
 from .authentication import AUTH_HEADER_TYPES
 from .exceptions import InvalidToken, TokenError
@@ -28,10 +37,69 @@ def post(self, request, *args, **kwargs):
         except TokenError as e:
             raise InvalidToken(e.args[0])
 
-        return Response(serializer.validated_data, status=status.HTTP_200_OK)
+        response = Response(serializer.validated_data, status=status.HTTP_200_OK)
+
+        if api_settings.AUTH_COOKIE:
+            csrf.get_token(self.request)
+            response = self.set_auth_cookies(response, serializer.validated_data)
+
+        return response
+
+    def set_auth_cookies(self, response, data):
+        return response
 
 
-class TokenObtainPairView(TokenViewBase):
+class TokenRefreshViewBase(TokenViewBase):
+    def extract_token_from_cookie(self, request):
+        return request
+
+    def post(self, request, *args, **kwargs):
+        if api_settings.AUTH_COOKIE:
+            request = self.extract_token_from_cookie(request)
+        return super().post(request, *args, **kwargs)
+
+
+class TokenCookieViewMixin:
+    token_refresh_view_name = 'token_refresh'
+
+    def extract_token_from_cookie(self, request):
+        """Extracts token from cookie and sets it in request.data as it would be sent by the user"""
+        if not request.data:
+            token = request.COOKIES.get('{}_refresh'.format(api_settings.AUTH_COOKIE))
+            if not token:
+                raise NotAuthenticated(detail=_('Refresh cookie not set. Try to authenticate first.'))
+            else:
+                request.data['refresh'] = token
+        return request
+
+    def set_auth_cookies(self, response, data):
+        expires = self.get_refresh_token_expiration()
+        response.set_cookie(
+            api_settings.AUTH_COOKIE, data['access'],
+            expires=expires,
+            domain=api_settings.AUTH_COOKIE_DOMAIN,
+            path=api_settings.AUTH_COOKIE_PATH,
+            secure=api_settings.AUTH_COOKIE_SECURE or None,
+            httponly=True,
+            samesite=api_settings.AUTH_COOKIE_SAMESITE,
+        )
+        if 'refresh' in data:
+            response.set_cookie(
+                '{}_refresh'.format(api_settings.AUTH_COOKIE), data['refresh'],
+                expires=expires,
+                domain=None,
+                path=reverse(self.token_refresh_view_name),
+                secure=api_settings.AUTH_COOKIE_SECURE or None,
+                httponly=True,
+                samesite='Strict',
+            )
+        return response
+
+    def get_refresh_token_expiration(self):
+        return datetime.now() + api_settings.REFRESH_TOKEN_LIFETIME
+
+
+class TokenObtainPairView(TokenCookieViewMixin, TokenViewBase):
     """
     Takes a set of user credentials and returns an access and refresh JSON web
     token pair to prove the authentication of those credentials.
@@ -42,18 +110,48 @@ class TokenObtainPairView(TokenViewBase):
 token_obtain_pair = TokenObtainPairView.as_view()
 
 
-class TokenRefreshView(TokenViewBase):
+class TokenRefreshView(TokenCookieViewMixin, TokenRefreshViewBase):
     """
     Takes a refresh type JSON web token and returns an access type JSON web
     token if the refresh token is valid.
     """
     serializer_class = serializers.TokenRefreshSerializer
 
+    def get_refresh_token_expiration(self):
+        if api_settings.ROTATE_REFRESH_TOKENS:
+            return super().get_refresh_token_expiration()
+        token = RefreshToken(self.request.data['refresh'])
+        return datetime.fromtimestamp(token.payload['exp'])
+
 
 token_refresh = TokenRefreshView.as_view()
 
 
-class TokenObtainSlidingView(TokenViewBase):
+class SlidingTokenCookieViewMixin:
+    def extract_token_from_cookie(self, request):
+        """Extracts token from cookie and sets it in request.data as it would be sent by the user"""
+        if not request.data:
+            token = request.COOKIES.get(api_settings.AUTH_COOKIE)
+            if not token:
+                raise NotAuthenticated(detail=_('Refresh cookie not set. Try to authenticate first.'))
+            else:
+                request.data['token'] = token
+        return request
+
+    def set_auth_cookies(self, response, data):
+        response.set_cookie(
+            api_settings.AUTH_COOKIE, data['token'],
+            expires=datetime.now() + api_settings.REFRESH_TOKEN_LIFETIME,
+            domain=api_settings.AUTH_COOKIE_DOMAIN,
+            path=api_settings.AUTH_COOKIE_PATH,
+            secure=api_settings.AUTH_COOKIE_SECURE or None,
+            httponly=True,
+            samesite=api_settings.AUTH_COOKIE_SAMESITE,
+        )
+        return response
+
+
+class TokenObtainSlidingView(SlidingTokenCookieViewMixin, TokenViewBase):
     """
     Takes a set of user credentials and returns a sliding JSON web token to
     prove the authentication of those credentials.
@@ -64,7 +162,7 @@ class TokenObtainSlidingView(TokenViewBase):
 token_obtain_sliding = TokenObtainSlidingView.as_view()
 
 
-class TokenRefreshSlidingView(TokenViewBase):
+class TokenRefreshSlidingView(SlidingTokenCookieViewMixin, TokenRefreshViewBase):
     """
     Takes a sliding JSON web token and returns a new, refreshed version if the
     token's refresh period has not expired.
@@ -84,3 +182,36 @@ class TokenVerifyView(TokenViewBase):
 
 
 token_verify = TokenVerifyView.as_view()
+
+
+class TokenCookieDeleteView(APIView):
+    """
+    Deletes httpOnly auth cookies.
+    Used as logout view while using AUTH_COOKIE
+    """
+    token_refresh_view_name = 'token_refresh'
+    authentication_classes = ()
+    permission_classes = ()
+
+    def post(self, request):
+        response = Response({})
+
+        if api_settings.AUTH_COOKIE:
+            self.delete_auth_cookies(response)
+
+        return response
+
+    def delete_auth_cookies(self, response):
+        response.delete_cookie(
+            api_settings.AUTH_COOKIE,
+            domain=api_settings.AUTH_COOKIE_DOMAIN,
+            path=api_settings.AUTH_COOKIE_PATH
+        )
+        response.delete_cookie(
+            '{}_refresh'.format(api_settings.AUTH_COOKIE),
+            domain=None,
+            path=reverse(self.token_refresh_view_name),
+        )
+
+
+token_delete = TokenCookieDeleteView.as_view()