adding the implemention of cookies only

Gemfile.lock

@@ -75,15 +75,15 @@ GEM
     factory_bot_rails (6.1.0)
       factory_bot (~> 6.1.0)
       railties (>= 5.0.0)
-    ffi (1.13.1)
+    ffi (1.15.5)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
     i18n (1.8.5)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.4)
     json (2.3.1)
     jwt (2.2.2)
-    listen (3.2.1)
+    listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     loofah (2.7.0)
@@ -139,7 +139,7 @@ GEM
       thor (>= 0.20.3, < 2.0)
     rainbow (3.0.0)
     rake (13.0.1)
-    rb-fsevent (0.10.4)
+    rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rspec-core (3.9.2)
@@ -205,4 +205,4 @@ DEPENDENCIES
   sqlite3 (~> 1.4)
 
 BUNDLED WITH
-   2.1.4
+   2.3.7

app/controllers/api_guard/tokens_controller.rb

@@ -19,8 +19,19 @@ def create
     private
 
     def find_refresh_token
-      refresh_token_from_header = request.headers['Refresh-Token']
+      unless ApiGuard.enable_cookies_response
+        refresh_token_from_header = request.headers['Refresh-Token']
 
+        if refresh_token_from_header
+          @refresh_token = find_refresh_token_of(current_resource, refresh_token_from_header)
+          return render_error(401, message: I18n.t('api_guard.refresh_token.invalid')) unless @refresh_token
+        else
+          render_error(401, message: I18n.t('api_guard.refresh_token.missing'))
+        end
+
+      end
+
+      refresh_token_from_header = request.cookies.signed[:kebbah]
       if refresh_token_from_header
         @refresh_token = find_refresh_token_of(current_resource, refresh_token_from_header)
         return render_error(401, message: I18n.t('api_guard.refresh_token.invalid')) unless @refresh_token

lib/api_guard.rb

@@ -11,6 +11,18 @@ module Test
     autoload :ControllerHelper, 'api_guard/test/controller_helper'
   end
 
+  mattr_accessor :enable_response_headers
+  self.enable_response_headers = true
+
+  mattr_accessor :add_domain_for_refresh_token
+  self.add_domain_for_refresh_token = nil
+
+  mattr_accessor :enable_response_body
+  self.enable_response_body = false
+
+  mattr_accessor :enable_cookies_response
+  self.enable_cookies_response = false
+
   mattr_accessor :token_validity
   self.token_validity = 1.day
 

lib/api_guard/jwt_auth/authentication.rb

@@ -24,7 +24,12 @@ def respond_to_missing?(method_name, include_private = false)
       def authenticate_and_set_resources(resource_names)
         @resource_names = resource_names
 
-        @token = request.headers['Authorization']&.split('Bearer ')&.last
+        if ApiGuard.enable_response_headers
+          @token = request.headers['Authorization']&.split('Bearer ')&.last
+        elsif ApiGuard.enable_cookies_response
+          @token = request.cookies.signed[:access_token][:access_token]
+        end
+
         return render_error(401, message: I18n.t('api_guard.access_token.missing')) unless @token
 
         authenticate_token

lib/api_guard/jwt_auth/json_web_token.rb

@@ -45,6 +45,7 @@ def jwt_and_refresh_token(resource, resource_name, expired_token = false, expire
         # Add custom data in the JWT token payload
         payload.merge!(resource.jwt_token_payload) if resource.respond_to?(:jwt_token_payload)
 
+        # generate the access token and refresh token
         [encode(payload), new_refresh_token(resource, expired_refresh_token)]
       end
 
@@ -54,13 +55,48 @@ def create_token_and_set_header(resource, resource_name)
         set_token_headers(access_token, refresh_token)
       end
 
+      def create_token_and_set_in_strategy(resource, resource_name)
+        access_token, refresh_token = jwt_and_refresh_token(resource, resource_name)
+
+        if ApiGuard.enable_response_headers
+          set_token_headers(access_token, refresh_token)
+        elsif ApiGuard.enable_cookies_response
+          set_token_cookies(access_token, refresh_token)
+        end
+      end
+
       # Set token details in response headers
       def set_token_headers(token, refresh_token = nil)
         response.headers['Access-Token'] = token
         response.headers['Refresh-Token'] = refresh_token if refresh_token
         response.headers['Expire-At'] = token_expire_at.to_s
       end
 
+      def set_token_cookies(token, refresh_token)
+        # the secure way is just storing the refresh token in the cookies
+        # and leave the access token in the headers, but in your frontend,
+        # you need to make a accessor to the a variable called access token
+        # you can do this approche, or just store access token and refresh
+        # token in the headers
+        cookies.signed[:access_token] = {
+          value: { access_token: access_token, expires_at: token_expire_at.to_s},
+          http_only: true,
+          expires: ApiGuard.token_validity,
+          domain: ApiGuard.add_domain_for_refresh_token,
+          secure: true,
+          same_site: 'strict'
+        }
+
+        cookies.signed[:kebbah] = {
+          value: refresh_token,
+          http_only: true,
+          expires: ApiGuard.refresh_token_validity,
+          domain: ApiGuard.add_domain_for_refresh_token,
+          secure: true,
+          same_site: 'strict'
+        } if refresh_token        
+      end
+
       # Set token issued at to current timestamp
       # to restrict access to old access(JWT) tokens
       def invalidate_old_jwt_tokens(resource)

lib/api_guard/jwt_auth/refresh_jwt_token.rb

@@ -47,6 +47,7 @@ def destroy_all_refresh_tokens(resource)
 
         refresh_tokens_for(resource).destroy_all
       end
+
     end
   end
 end

lib/api_guard/response_formatters/renderer.rb

@@ -5,8 +5,8 @@ module ResponseFormatters
     module Renderer
       def render_success(data: nil, message: nil)
         resp_data = { status: I18n.t('api_guard.response.success') }
-        resp_data[:message] = message if message
         resp_data[:data] = data if data
+        resp_data[:message] = message if message
 
         render json: resp_data, status: 200
       end
@@ -20,3 +20,7 @@ def render_error(status, options = {})
     end
   end
 end
+
+class App
+  mattr_accessor :message 
+end

lib/generators/api_guard/controllers/templates/tokens_controller.rb

@@ -15,7 +15,11 @@ class TokensController < ApiGuard::TokensController
     # private
 
     # def find_refresh_token
-    #   refresh_token_from_header = request.headers['Refresh-Token']
+    #   if ApiGuard.enable_response_headers
+    #      refresh_token_from_header = request.headers['Refresh-Token']
+    #   elsif ApiGuard.enable_cookies_response
+    #      refresh_token_from_header = request.cookies.signed[:kebbah]
+    #   end
     #
     #   if refresh_token_from_header
     #     @refresh_token = find_refresh_token_of(current_resource, refresh_token_from_header)