feat: implement secure HTTP-only cookie-based refresh token authentication

2026-05-04 08:56:52 +00:00 · 2026-04-10 17:54:49 +05:30
parent 083936d036
commit 0d37242f0d
3 changed files with 42 additions and 1 deletions
@@ -20,3 +20,19 @@ def send_activation_email(user):
        If you did not create this account, please ignore this email."""
    send_mail(subject, message, settings.FROM_EMAIL, [user.email], fail_silently=False)
    return True
+
+
+def set_response_cookies(response, refresh_token):
+    _response = response
+    if "refresh" in _response.data:
+        del _response.data["refresh"]  # remove refresh token from response body
+    _response.set_cookie(
+        key=settings.SIMPLE_JWT["AUTH_COOKIE"],
+        value=refresh_token,
+        max_age=settings.SIMPLE_JWT["REFRESH_TOKEN_LIFETIME"].total_seconds(),
+        httponly=settings.SIMPLE_JWT["AUTH_COOKIE_HTTPONLY"],
+        secure=settings.SIMPLE_JWT["AUTH_COOKIE_SECURE"],
+        samesite=settings.SIMPLE_JWT["AUTH_COOKIE_SAMESITE"],
+        domain=settings.SIMPLE_JWT["AUTH_COOKIE_DOMAIN"],
+    )
+    return _response