• AVincentInSpace@pawb.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    …so allow…either?

    What’s so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

    • immortaly007@feddit.nl
      link
      fedilink
      arrow-up
      2
      ·
      11 months ago

      It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

      • AVincentInSpace@pawb.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        11 months ago

        Okay.

        So make your webpage send the authtoken in a cookie and leave off the Authorization header, and have your third party (presumably native) clients send an Authorization header but not any cookies, and write your server software to check for both.

        This seems trivial. What am I missing?

      • gornius@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        Then again, cookie auth is vulnerable to CSRF. Pick your poison.

        Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        That’s assuming the client wants to make a web app. They may need to connect something else to that API.

        It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.

        If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.