use httpOnly cookies for authentication tokens

aryaniyaps · Mar 5, 2024 · 204e407 · 204e407
1 parent e6d1689
commit 204e407
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/client/app/(authentication)/register/page.tsx b/client/app/(authentication)/register/page.tsx
@@ -22,7 +22,8 @@ export default async function RegisterPage() {
         flowData = data;
       }
     } catch (err) {
-      console.log('ERR: ', err);
+      console.log(typeof err);
+      console.log(JSON.stringify(err, null, 4));
       // TODO: handle errs better
       // TODO: delete register flow ID cookie if it is invalid
       // cookieStore.delete(REGISTER_FLOW_ID_COOKIE);

diff --git a/server/app/lib/error_handlers.py b/server/app/lib/error_handlers.py
@@ -40,6 +40,7 @@ async def handle_validation_error(
     exception: RequestValidationError,
 ) -> Response:
     """Handle ValidationError exceptions."""
+    print("ERROR: ", exception)
     return _create_error_response(
         error_result=ValidationErrorResult(
             message="Invalid input detected.",

diff --git a/server/app/routes/auth.py b/server/app/routes/auth.py
@@ -316,6 +316,7 @@ async def finish_webauthn_register_flow(
         key=AUTHENTICATION_TOKEN_COOKIE,
         value=authentication_token,
         secure=settings.is_production(),
+        httponly=True,
     )
 
     return user
@@ -375,6 +376,7 @@ async def verify_authentication_response(
         key=AUTHENTICATION_TOKEN_COOKIE,
         value=authentication_token,
         secure=settings.is_production(),
+        httponly=True,
     )
 
     return user
@@ -424,6 +426,7 @@ async def delete_current_user_session(
     response.delete_cookie(
         key=AUTHENTICATION_TOKEN_COOKIE,
         secure=settings.is_production(),
+        httponly=True,
     )