
Interface UserSessionOptions

Hierarchy

  • UserSessionOptions

Properties

Readonly cache-control

cache-control: boolean

Whether to set the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" header on the responses that deliver access and refresh tokens to the client (i.e. the JwtUserSessionMiddleware.create and JwtUserSessionMiddleware.refresh operations). Naming the two header fields tells caches not to reuse those Set-Cookie headers for a later response without revalidation, so a shared cache does not hand one client's session cookies to another.
This option applies only to requests coming from a browser.

Readonly cookies

User session cookie options.
These options are used for requests coming from browser devices.

Readonly csrfHeader

csrfHeader: object

CSRF header options.
The CSRF header is validated when UserSessionOptions.deliveryOfJwtPayloadViaCookie is true, or when a refresh token is sent to the server.
This option applies only to requests coming from a browser.

Type declaration

  • Readonly name: string

    Lowercase name of the CSRF header.

    example

    x-requested-with

  • Readonly value: HttpHeaderValue

    Value of the CSRF header.
    This value is compared with the one from the HTTP request; if they do not match, an error is thrown and the request is aborted.

    example

    XmlHttpRequest

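The check the csrfHeader option describes, written out as an added example (this is not the library's own code). It treats the configured header name and value as a fixed pair, applies the rule given above for when the check runs, and rejects a request that lacks the header or sends a different value. The option shapes, the function names (validateCsrfHeader, csrfCheckRequired, gateBrowserRequest), the cookie names in the samples and the `refreshCookieName` parameter are assumptions; this page does not name the cookie that carries the refresh token from browsers.

```typescript
// Added example, not the library's code. Shapes and names below are assumed.
interface CsrfHeaderOptions {
  readonly name: string;   // lowercase header name, e.g. "x-requested-with"
  readonly value: string;  // expected value, e.g. "XmlHttpRequest"
}

// Incoming headers as Node's http module exposes them: names lowercased,
// repeated headers either joined or given as an array.
type RequestHeaders = Record<string, string | string[] | undefined>;

export class CsrfError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'CsrfError';
  }
}

function single(v: string | string[] | undefined): string | undefined {
  return Array.isArray(v) ? v.join(', ') : v;
}

/**
 * Rejects the request unless the configured CSRF header is present and carries
 * exactly the configured value. A fixed header/value pair is enough because a
 * cross-site <form> post cannot set custom headers at all, and a cross-site
 * fetch() that adds one is stopped by the CORS preflight unless the server
 * explicitly allows that header.
 */
export function validateCsrfHeader(headers: RequestHeaders, opts: CsrfHeaderOptions): void {
  const sent = single(headers[opts.name.toLowerCase()]);
  if (sent === undefined) {
    throw new CsrfError(`missing CSRF header "${opts.name}"`);
  }
  if (sent !== opts.value) {
    throw new CsrfError(`unexpected value for CSRF header "${opts.name}"`);
  }
}

/** Parses a Cookie request header (RFC 6265 cookie-string) into a name -> value map. */
export function parseCookieHeader(cookieHeader: string | undefined): Record<string, string> {
  const cookies: Record<string, string> = {};
  if (!cookieHeader) return cookies;
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name) cookies[name] = pair.slice(eq + 1).trim();
  }
  return cookies;
}

/**
 * The rule this page gives for browser requests: check the CSRF header when the
 * JWT payload travels in a cookie, or when a refresh token is being sent.
 * `refreshCookieName` (assumed) names the cookie carrying the refresh token.
 */
export function csrfCheckRequired(
  deliveryOfJwtPayloadViaCookie: boolean,
  cookies: Record<string, string>,
  refreshCookieName: string,
): boolean {
  return deliveryOfJwtPayloadViaCookie ||
    Object.prototype.hasOwnProperty.call(cookies, refreshCookieName);
}

/** Gate for one browser request: returns "ok" or the reason it was rejected. */
export function gateBrowserRequest(
  headers: RequestHeaders,
  csrf: CsrfHeaderOptions,
  deliveryOfJwtPayloadViaCookie: boolean,
  refreshCookieName: string,
): string {
  const cookies = parseCookieHeader(single(headers['cookie']));
  if (!csrfCheckRequired(deliveryOfJwtPayloadViaCookie, cookies, refreshCookieName)) {
    return 'ok';
  }
  try {
    validateCsrfHeader(headers, csrf);
    return 'ok';
  } catch (err) {
    const e = err as Error;
    return e.name === 'CsrfError' ? e.message : 'rejected';
  }
}

// Constructed sample requests, not captured traffic.
export const CSRF_OPTS: CsrfHeaderOptions = { name: 'x-requested-with', value: 'XmlHttpRequest' };
export const sameOriginRequest: RequestHeaders = {
  cookie: 'sid_payload=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9; sid_signature=c2ln',
  'x-requested-with': 'XmlHttpRequest',
};
// A cross-site <form> POST: the browser attaches the cookies but no custom header.
export const crossSiteFormPost: RequestHeaders = {
  cookie: 'sid_payload=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9; sid_signature=c2ln',
};
```

Note that the header name is lowercased before lookup because Node lowercases incoming header names, while the value is compared exactly; a client that sends `xmlhttprequest` instead of `XmlHttpRequest` is rejected, which is the intended behaviour for a fixed value.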
Readonly deliveryOfJwtPayloadViaCookie

deliveryOfJwtPayloadViaCookie: boolean

This option applies only to requests made from browser devices.
Depending on the provided value, the following behaviours occur:

  • true - the JWT header.payload part is sent via the UserSessionCookiesOptions.name.payload cookie.
    After that, all subsequent requests must include the UserSessionOptions.csrfHeader.name header with the value UserSessionOptions.csrfHeader.value.
    This is needed for CSRF mitigation, because the browser attaches cookies to cross-site requests automatically but does not attach a custom header.
  • false - the JWT header.payload part is sent to the client via the UserSessionOptions.headers.access header.
    After that, all subsequent requests must include an Authorization header with the value Bearer ${header.payload}.

Notice that on requests made from browsers the JWT signature is always sent via the UserSessionCookiesOptions.name.signature cookie, regardless of the value of this option, so a bearer value presented by a browser is never a complete token on its own.

Readonly headers

headers: object

HTTP headers used for passing Access and Refresh tokens.
These options are used for requests coming from non-browser devices (and, for the access header, in the browser case noted below).

Type declaration

  • Readonly access: string

    Lowercase name of the header in the HTTP response which will contain the Access Token.
    This header name is used in the following situations:
    - when sending the Access Token after creating a session
    - when sending the Access Token after renewing a session
    - when sending the JWT header.payload part to browser clients that will not send the CSRF header (i.e. UserSessionOptions.deliveryOfJwtPayloadViaCookie is false); such clients usually store the payload in localStorage.

    Notice that on subsequent requests, no matter which of the situations above applied, the Access Token (or its header.payload part) must be included in the Authorization header.

    example

    x-access-token

  • Readonly refresh: string

    Lowercase name of the header in the HTTP response which will contain the Refresh Token.
    Notice that the renew-session and delete-session HTTP requests must include a header with this name carrying the Refresh Token.

    example

    x-refresh-token
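The transport rules documented under deliveryOfJwtPayloadViaCookie and headers, as an added example that is not part of this page or the library: how an access token is handed to a browser or non-browser client, and how the server reassembles it from a later request, returning nothing when a required part is missing. The option shapes (including a `cookies.name.payload` / `cookies.name.signature` layout assumed for UserSessionCookiesOptions), the function names (splitJwt, deliverAccessToken, extractAccessToken, roundTrip), the cookie names and the sample token are all assumptions; the token is a syntactically valid compact JWT constructed for the example and is never cryptographically verified here.

```typescript
// Added example, not the library's code. Option shapes and names are assumed.
interface DeliveryOptions {
  readonly deliveryOfJwtPayloadViaCookie: boolean;
  readonly headers: { readonly access: string; readonly refresh: string };
  readonly cookies: { readonly name: { readonly payload: string; readonly signature: string } };
}

type HeaderMap = Record<string, string | undefined>;

/** What the server puts on the response: plain headers and Set-Cookie values. */
interface Delivery {
  headers: HeaderMap;
  setCookies: HeaderMap;
}

/** What arrives on a later request (header names lowercased, cookies already parsed). */
interface IncomingRequest {
  headers: HeaderMap;
  cookies: HeaderMap;
}

/** Splits a compact JWS (header.payload.signature) into the two parts the docs refer to. */
export function splitJwt(token: string): { headerPayload: string; signature: string } {
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error('not a compact JWT');
  }
  return { headerPayload: parts[0] + '.' + parts[1], signature: parts[2] };
}

/** Delivers a freshly created or renewed access token according to the options. */
export function deliverAccessToken(token: string, opts: DeliveryOptions, fromBrowser: boolean): Delivery {
  const out: Delivery = { headers: {}, setCookies: {} };
  if (!fromBrowser) {
    out.headers[opts.headers.access] = token; // non-browser clients get the whole token
    return out;
  }
  const { headerPayload, signature } = splitJwt(token);
  // Browsers always get the signature in its cookie, whatever the option says.
  out.setCookies[opts.cookies.name.signature] = signature;
  if (opts.deliveryOfJwtPayloadViaCookie) {
    out.setCookies[opts.cookies.name.payload] = headerPayload;
  } else {
    out.headers[opts.headers.access] = headerPayload; // client keeps it, e.g. in localStorage
  }
  return out;
}

function bearerValue(headers: HeaderMap): string | undefined {
  const auth = headers['authorization'];
  const prefix = 'Bearer ';
  if (!auth || auth.slice(0, prefix.length) !== prefix) return undefined;
  return auth.slice(prefix.length);
}

/**
 * Reassembles the access token on a later request, or returns undefined when a
 * required part is missing. From a browser the bearer value alone is never a
 * complete token: the signature cookie must be present as well.
 */
export function extractAccessToken(req: IncomingRequest, opts: DeliveryOptions, fromBrowser: boolean): string | undefined {
  if (!fromBrowser) return bearerValue(req.headers);
  const signature = req.cookies[opts.cookies.name.signature];
  const headerPayload = opts.deliveryOfJwtPayloadViaCookie
    ? req.cookies[opts.cookies.name.payload]
    : bearerValue(req.headers);
  if (!signature || !headerPayload) return undefined;
  return headerPayload + '.' + signature;
}

// Constructed sample (not from a real deployment): a syntactically valid compact JWT.
export const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImV4cCI6MTcwMDAwMDAwMH0.c2lnbmF0dXJl';

export const OPTS_COOKIE: DeliveryOptions = {
  deliveryOfJwtPayloadViaCookie: true,
  headers: { access: 'x-access-token', refresh: 'x-refresh-token' },
  cookies: { name: { payload: 'sid_payload', signature: 'sid_signature' } },
};
export const OPTS_HEADER: DeliveryOptions = { ...OPTS_COOKIE, deliveryOfJwtPayloadViaCookie: false };

/** Round trip: deliver, then present the parts back the way a well-behaved client would. */
export function roundTrip(opts: DeliveryOptions, fromBrowser: boolean): string | undefined {
  const d = deliverAccessToken(SAMPLE_TOKEN, opts, fromBrowser);
  const fromHeader = d.headers[opts.headers.access];
  const req: IncomingRequest = {
    headers: fromHeader ? { authorization: 'Bearer ' + fromHeader } : {},
    cookies: d.setCookies, // the browser echoes back the cookies it was set
  };
  return extractAccessToken(req, opts, fromBrowser);
}
```

The point of the split is visible in extractAccessToken: in header mode a script that can read the stored header.payload still cannot present a usable token without the signature cookie, and in cookie mode a cross-site request that carries both cookies is stopped by the CSRF header check described under csrfHeader rather than here.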