
HTTP Only Cookies Authentication

The plugin handles authentication with HTTP-only cookies: the JWT is stored in a cookie that client-side scripts cannot read, and a logout endpoint is added so users can end their session.


Installation

Via npm

npm install strapi-v5-http-only-auth

Via yarn

yarn add strapi-v5-http-only-auth

Configuration

To configure the plugin, add the following code to your config file:

// config/plugins.ts

export default () => ({
  'strapi-v5-http-only-auth': {
    enabled: true,
    config: {
      // Default cookie settings
      cookieOptions: {
        secure: process.env.NODE_ENV === 'production',
        maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
        sameSite: 'lax',
        domain: process.env.CLIENT_DOMAIN,
        path: '/',
      },
      // If set to true, the JWT will be removed from the response
      // after a successful login or registration
      deleteJwtFromResponse: true,
    },
  },
});

How It Works

The plugin takes the user's JWT from the /api/auth/local response and stores it in an HTTP-only cookie. On each request under the /api path, it reads that cookie and places its value in the Authorization header, so Strapi's normal token check runs unchanged.

This plugin also provides a logout feature. To enable it, grant permissions to the logout endpoint in:

Admin Panel → Settings → Roles → Authenticated → Users-permissions

The logout route is available at:

DELETE /api/auth/local

Successful Logout Response:

{
  "message": "You have been logged out successfully."
}
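The cookie-to-header hand-off from "How It Works" and the logout response above, as an added illustration in plain JavaScript (not the plugin's source). It assumes a Koa-like context object built inline, a synchronous next(), and the cookie name 'jwt'; the cookie options mirror the configuration shown earlier.

```javascript
// Added illustration (not the plugin's source). `ctx` is a plain object standing in
// for Strapi's Koa context; `next` runs synchronously; cookie name 'jwt' is assumed.
const COOKIE_NAME = 'jwt';
const COOKIE_OPTIONS = {
  httpOnly: true, secure: true, sameSite: 'lax', path: '/',
  maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days, matching the config above
};
// Parse a Cookie request header into a name -> value map.
function parseCookies(header = '') {
  return Object.fromEntries(header.split(';').map((p) => p.trim()).filter(Boolean)
    .map((p) => { const i = p.indexOf('='); return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)]; }));
}
// Build a Set-Cookie header value; HttpOnly keeps the JWT out of document.cookie.
function serializeCookie(name, value, o) {
  const parts = [`${name}=${value}`, `Path=${o.path}`, `Max-Age=${Math.floor(o.maxAge / 1000)}`, `SameSite=${o.sameSite}`];
  if (o.secure) parts.push('Secure');
  if (o.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}
function httpOnlyAuth(ctx, next, { deleteJwtFromResponse = true } = {}) {
  const cookies = parseCookies(ctx.request.headers.cookie);
  // Inbound /api request: promote the cookie to a Bearer Authorization header (an explicit header wins).
  if (ctx.path.startsWith('/api') && !ctx.request.headers.authorization && cookies[COOKIE_NAME]) {
    ctx.request.headers.authorization = `Bearer ${cookies[COOKIE_NAME]}`;
  }
  if (ctx.method === 'DELETE' && ctx.path === '/api/auth/local') {
    // Logout: expire the cookie (Max-Age=0) and answer as documented above.
    ctx.response.headers['set-cookie'] = serializeCookie(COOKIE_NAME, '', { ...COOKIE_OPTIONS, maxAge: 0 });
    ctx.status = 200;
    ctx.body = { message: 'You have been logged out successfully.' };
    return;
  }
  next();
  // Successful login/registration: move the JWT from the JSON body into the cookie.
  if (ctx.method === 'POST' && ctx.path.startsWith('/api/auth/local') && ctx.status === 200 && ctx.body && ctx.body.jwt) {
    ctx.response.headers['set-cookie'] = serializeCookie(COOKIE_NAME, ctx.body.jwt, COOKIE_OPTIONS);
    if (deleteJwtFromResponse) delete ctx.body.jwt;
  }
}
// Constructed stand-in context; in Strapi the login handler would issue the JWT.
function makeCtx(method, path, headers = {}) {
  return { method, path, status: 404, body: null, request: { headers }, response: { headers: {} } };
}
function demo() { // login, then an /api call carrying the resulting cookie (constructed input)
  const login = makeCtx('POST', '/api/auth/local');
  httpOnlyAuth(login, () => { login.status = 200; login.body = { jwt: 'hdr.pld.sig', user: { id: 1 } }; });
  const api = makeCtx('GET', '/api/articles', { cookie: `${COOKIE_NAME}=hdr.pld.sig; theme=dark` });
  httpOnlyAuth(api, () => { api.status = 200; });
  return { setCookie: login.response.headers['set-cookie'], loginBody: login.body, auth: api.request.headers.authorization };
}
```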

Enjoy!


Stats

1 GitHub star, 5 weekly downloads

Last updated: 94 days ago

Strapi version: 5.9.0 and above

Author

xN8Tx
