- Backend: Django / Django Rest Framework, would be hosted at GCP k8s
- Frontend: Angular, would be hosted at some CDN e.g Vercel
- Authentication: JWT (https://github.com/jazzband/djangorestframework-simplejwt)
The frontend and backend would have different domains. (could be on same domain but different sub-domains)
My flow:
- Get CSRF token (as a cookie) from an endpoint
- Attaches that token with any unsafe request as cookie as well as a header e.g X-CSRFToken with value that is mentioned in the cookie.
- Take credentials from client and pass it to login endpoint.
- Login endpoint returns an JWT access token inside response and refresh token as a httpOnly cookie.
- Store JWT access token in a private data or a function closure
- Any further requests would include
- JWT access token as Authorization token value
- CSRF cookie
- CSRF cookie values as X-CSRFToken value
My question is, whether the flow seems okay from security standpoint CSRF/XSS and whether we really need CSRF? What about login CSRF, does the above covers it?
Edits
- Clarifications
- I have overridden the obtain token endpoint (of simplejwt) to return refresh token not inside the response but as a cookie with httpOnly attribute set to true and path attribute set to that of token refresh endpoint.
- I have overridden the token refresh endpoint to expect the refresh token inside a cookie.
