Httponly Cookie

[unlearnt]

Is there a reason why we are not using httponly cookie?

this is my sample code

#[debug_handler]
async fn login(State(ctx): State<AppContext>,
               cookies: Cookies,
               Json(params): Json<LoginParams>) -> Result<Response> {
    let user = users::Model::find_by_email(&ctx.db, &params.email).await?;

    let valid = user.verify_password(&params.password);

    if !valid {
        return unauthorized("unauthorized!");
    }

    let jwt_secret = ctx.config.get_jwt_config()?;

    let token = user
        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
        .or_else(|_| unauthorized("unauthorized!"))?;

    // Create the response with the token in the body (keep existing behavior)
    let response = format::json(LoginResponse::new(&user, &token))?;

    // Add the cookie using Cookies extractor instead of with_cookie
    // Create a cookie with proper settings
    let mut cookie = Cookie::new("auth_token", token.clone());
    cookie.set_path("/");
    cookie.set_http_only(true);
    cookie.set_secure(true);
    cookie.set_same_site(Some(SameSite::Strict));
    
    cookie.set_max_age(Some(time::Duration::seconds(jwt_secret.expiration as i64 * 3600)));
    
    cookies.add(cookie);

    // Return the response (cookies are handled automatically)
    Ok(response)
    // format::json(LoginResponse::new(&user, &token))
}

But problem is, what would be the correct way to validate the cookie?

the current way used in loco can't seem to swap to a cookie based authentication

#[debug_handler]
async fn current(auth: auth::JWT, State(ctx): State<AppContext>) -> Result<Response> {
    tracing::info!("current user {:?}", auth);
    let user = users::Model::find_by_pid(&ctx.db, &auth.claims.pid).await?;
    format::json(CurrentResponse::new(&user))
}

[unlearnt]

Okay..

We can use the existing logic,

#[debug_handler]
async fn current(auth: auth::JWT, State(ctx): State<AppContext>) -> Result<Response> {
    tracing::info!("current user {:?}", auth);
    let user = users::Model::find_by_pid(&ctx.db, &auth.claims.pid).await?;
    format::json(CurrentResponse::new(&user))
}

just need to update configuration.yml

auth:
...
  jwt:
    location:
      from: Cookie
      name: auth_token