Hey Carlton,

Thanks! There's actually already a package (django-webpack-loader) designed
to handle exactly what I did, but being a maintainer of SimpleJWT made me
realize most Django devs weren't using it. I basically almost completely
blame all the tutorials that keep using SimpleJWT to do the task. This
article: https://www.valentinog.com/blog/webpack-django/ talks about two
reasons (besides people bandwagoning off SimpleJWT tutorials and making
their own): webpack maintainability and in general the JS bundles growing
too big and thus slowing dev time. I think *even if* there is wide adoption
for webpack, because of the JS bundles continuously growing (being a huge
turn-off once you have a semi-production-grade SPA repository), I proposed
a moderate idea:

To fix this, I'm going to develop a middleware as described in issue #3
here:
https://github.com/Andrew-Chen-Wang/SPA-with-httponly-sessions/issues/3
It'll use JWT when you're delivering on Node and SessionMiddleware when
delivering your bundles via staticfiles. That way, a webpack loader is not
needed and development time is extremely fast. Deploy your staticfiles on
GitHub pages with the provided action; use React hot-reloading during
development so you don't need a webpack loader, split chunking, etc.

But thanks for taking a look! I'll update this thread once more when I
develop a package or just create that middleware.

Cheers,
Andrew
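The SPA-side half of the session-cookie approach Andrew describes (an HttpOnly session cookie for authentication plus Django's CSRF cookie/header pair for state-changing requests), as an added example that is not code from this thread or from the SPA-with-httponly-sessions repository. The helper names (getCookie, buildRequestInit, SAFE_METHODS, SAMPLE_DOCUMENT_COOKIE) are this example's own; the cookie name csrftoken and header name X-CSRFToken are Django's defaults, and the sample cookie string is constructed.

```javascript
// Added example, not from the mailing-list thread or the linked repository.
// A small fetch() wrapper for an SPA talking to a Django backend that
// authenticates with an HttpOnly session cookie and protects unsafe methods
// with Django's CsrfViewMiddleware double-submit check (cookie + header).

const CSRF_COOKIE_NAME = 'csrftoken';   // Django default CSRF_COOKIE_NAME
const CSRF_HEADER_NAME = 'X-CSRFToken'; // Django reads it as HTTP_X_CSRFTOKEN
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one cookie value out of a document.cookie-style string.
// The session cookie is HttpOnly, so it never appears in document.cookie;
// only the CSRF cookie (not HttpOnly in Django's default configuration)
// is visible to script, which is exactly what the double-submit pattern needs.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Build the options object for fetch().
// credentials: 'include' makes the browser attach the HttpOnly session cookie
// (script never touches it); for unsafe methods the CSRF token read from the
// cookie is copied into the header so Django can compare the two.
function buildRequestInit(method, cookieString, body) {
  const m = method.toUpperCase();
  const headers = { Accept: 'application/json' };
  const init = { method: m, credentials: 'include', headers };
  if (!SAFE_METHODS.has(m)) {
    const token = getCookie(cookieString, CSRF_COOKIE_NAME);
    if (token === null) {
      // Fail closed: without the cookie Django would reject the request anyway.
      throw new Error('CSRF cookie not set; load a view that sets it first');
    }
    headers[CSRF_HEADER_NAME] = token;
    if (body !== undefined) {
      headers['Content-Type'] = 'application/json';
      init.body = JSON.stringify(body);
    }
  }
  return init;
}

// Constructed sample of what document.cookie would contain in the browser.
// Note there is no sessionid entry: HttpOnly keeps it out of reach of scripts,
// so a stray XSS cannot simply read and exfiltrate the session the way it
// could read a JWT stored in localStorage.
const SAMPLE_DOCUMENT_COOKIE = 'csrftoken=abc123XYZ; theme=dark';

// Real usage inside the SPA (only runs in a browser).
if (typeof document !== 'undefined') {
  fetch('/api/login/', buildRequestInit('POST', document.cookie, { username: 'u', password: 'p' }))
    .then((r) => console.log('login status', r.status));
}
```

On the Django side this pairs with the defaults SESSION_COOKIE_HTTPONLY = True and CSRF_COOKIE_HTTPONLY = False (the latter must stay False for the script above to read the token); a GET view decorated with ensure_csrf_cookie is a convenient way to make sure the CSRF cookie exists before the SPA issues its first POST.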

On Tue, Jan 19, 2021 at 9:55 AM Carlton Gibson <carlton.gib...@gmail.com>
wrote:

> Hi Andrew,
>
> Thanks for updating — that's really interesting to look at. I think a few
> more examples like this around the community would be handy to break the
> "Must use JWT" presumption that I think there is.
>
> Kind Regards,
>
> Carlton
>
>
> On Saturday, 16 January 2021 at 16:46:35 UTC+1 Andrew Wang wrote:
>
>> Hi all, I know this is an old thread, but I have a solution for SPAs
>> using httpOnly session cookies. Here is a demo with React and Django
>> WITHOUT JWTs with httpOnly cookies for session and csrf:
>> https://acwpython.pythonanywhere.com/authenticated/. The tutorial and
>> open source repository are found here:
>> https://github.com/Andrew-Chen-Wang/SPA-with-httponly-sessions.
>>
>> The original purpose of this thread was for SPA development, not really
>> for JWTs. I'm a maintainer at SimpleJWT, a repository that almost all
>> tutorials use to show React/SPA/JS Frameworks and Django integration. I
>> also agree with the security concerns for JWT usage on the browser. So I
>> made this demo and tutorial overnight to make sure everyone stops using
>> JWTs instead of sessions.
>>
>> Thanks for taking a look. Please spread the word to get people to stop
>> using JWTs instead of sessions.
>> Cheers
>>
>> On Monday, May 11, 2020 at 7:19:33 PM UTC-4 dans...@gmail.com wrote:
>>
>>> The place where JWT begins to get useful and important is when federated
>>> login capabilities end up in your app. That sort of thing seems more
>>> the domain of python-social-auth packages like social-auth-core and
>>> social-auth-app-django. Generating an authentication cookie doesn't
>>> require JWT - Django already does that.
>>>
>>> On Mon, May 11, 2020 at 9:37 AM Derek Adair <d...@derekadair.com> wrote:
>>>
>>>>> Maybe we can update the docs to show how you might use some
>>>>> of the signing primitives instead of JWTs, but this also sounds a bit
>>>>> dangerous 🤷‍♂️
>>>>>
>>>>
>>>> As someone hoodwinked into believing JWT was the way... I'd absolutely
>>>> LOVE a clear and concise write up on how I might get my single page js apps
>>>> to communicate securely with projects like Django Rest.
>>>>
>>>> Thanks for closing the door on JWT for me James.
>>>>
>>>> --
>>>>
>>> You received this message because you are subscribed to the Google
>>>> Groups "Django developers (Contributions to Django itself)" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to django-develop...@googlegroups.com.
>>>>
>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/django-developers/adc7a8eb-6100-4639-af98-4bca9afaad0b%40googlegroups.com
>>>> <https://groups.google.com/d/msgid/django-developers/adc7a8eb-6100-4639-af98-4bca9afaad0b%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/django-developers/6oS9R2GwO4k/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/5f14dd99-f73c-4415-ac94-95c6560f7d74n%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/5f14dd99-f73c-4415-ac94-95c6560f7d74n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

