HTTP Only Cookies Authentication

Installation

Via npm

npm install strapi-v5-http-only-auth

Via yarn

yarn add strapi-v5-http-only-auth

Configuration

To configure the plugin, add the following code to your config file:

1// config/plugins.ts
2
3export default () => ({
4  'strapi-v5-http-only-auth': {
5    enabled: true,
6    config: {
7      // Default cookie settings
8      cookieOptions: {
9        secure: process.env.NODE_ENV === 'production',
10        maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
11        sameSite: 'lax',
12        domain: process.env.CLIENT_DOMAIN,
13        path: '/',
14      },
15      // If set to true, the JWT will be removed from the response
16      // after a successful login or registration
17      deleteJwtFromResponse: true,
18    },
19  },
20});

How It Works

The plugin sets the user’s JWT token from the /api/auth/local response into an HTTP-only cookie. When processing a request to the /api path, it intercepts the HTTP-only cookie and assigns its value to the Authorization header.

This plugin also provides a logout feature. To enable it, grant permissions to the logout endpoint in:

Admin Panel → Settings → Roles → Authenticated → Users-permissions

The logout route is available at:

1DELETE /api/auth/local

Successful Logout Response:

1{
2  "message": "You have been logged out successfully."
3}

Enjoy!