• @[email protected]
    link
    fedilink
    English
    511 year ago

    …so allow…either?

    What’s so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

    • @[email protected]
      link
      fedilink
      311 year ago

      It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

      • @gornius
        link
        241 year ago

        Then again, cookie auth is vulnerable to CSRF. Pick your poison.

        Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.

      • lemmyvore
        link
        fedilink
        English
        91 year ago

        That’s assuming the client wants to make a web app. They may need to connect something else to that API.

        It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.

        If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.

      • @[email protected]
        link
        fedilink
        English
        8
        edit-2
        1 year ago

        Okay.

        So make your webpage send the authtoken in a cookie and leave off the Authorization header, and have your third party (presumably native) clients send an Authorization header but not any cookies, and write your server software to check for both.

        This seems trivial. What am I missing?

        • @9point6
          link
          -41 year ago

          The point of the cookies being HttpOnly is that it makes them completely inaccessible to client side JavaScript, making a whole load of session hijack/XSS attacks impossible.

          The request for a bearer token here circumvents this protection because then there’s a way for a client to avoid cookies all together, making the API vulnerable again.

          • @[email protected]
            link
            fedilink
            English
            11
            edit-2
            1 year ago

            Under what circumstance would a web client need to send an Authorization header at all? The browser sends the cookie and the server treats that as equivalent.

            Malicious JavaScript in that case could theoretically forge a request using an auth token it acquired some other way by sending it as Authorization: Bearer in addition to the cookie, but 1) this would be extremely easy to defend against (just check for the cookie before you check the Authorization header) and 2) it would still not allow malicious JS code to access the user’s auth token which was still stored in an HTTP only cookie, or really do anything that server side code (read: script kiddie scripts) couldn’t, apart from sending a request from the web client’s IP address.

          • @[email protected]
            link
            fedilink
            91 year ago

            it makes them completely inaccessible to client side JavaScript

            Dude literally said to do this for browser clients, and only support bearer tokens for non browser clients.