Hey, helpful library but thought I should point out the following (apologies if I've missed some mitigation you've added).
By allowing a cookie to be used as the authentication mechanism, you are opening up implementations to XSRF attacks.
https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#token-storage
As discussed in the above post, storing a JWT in a cookie is fine as long as it can't be used for authentication. Whilst there may be an unusual use case for this, it is more likely that without an additional XSRF token, this particular feature is just opening up a security hole.
Hope this helps.
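One way to close the gap the comment describes, as an added example that is not code from the library or the commenter: a framework-agnostic Python check that accepts a JWT from the Authorization header as-is (a browser never attaches that header cross-site on its own) but accepts it from a cookie only when a double-submit XSRF token, the `XSRF-TOKEN` cookie echoed back in an `X-XSRF-TOKEN` header, matches. The cookie and header names, the minimal HS256 verifier and the demo secret are assumptions for this example.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Minimal HS256 signer, used only to build sample tokens for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any other algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # malformed base64, JSON or segment count
        return None

def authenticate(headers: dict, cookies: dict) -> Optional[dict]:
    """Claims for an authenticated request, or None if it must be rejected.
    Assumes header names are already canonicalised by the framework."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # A browser never adds this header on its own, so no XSRF check is needed.
        return verify_jwt(auth[len("Bearer "):])
    token = cookies.get("jwt")
    if token is None:
        return None
    # A cookie is attached to cross-site requests automatically, so require the
    # double-submit token: the XSRF-TOKEN cookie must be echoed in a header that
    # only same-origin script can set.
    xsrf_cookie = cookies.get("XSRF-TOKEN", "")
    if not xsrf_cookie or not hmac.compare_digest(xsrf_cookie, headers.get("X-XSRF-TOKEN", "")):
        return None
    return verify_jwt(token)
```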