CSRF issue when using session based authentication for json APIs

My current authentication system looks like this:

  1. On entering username and password, the login endpoint is called (not a form action) that authenticates the user.
  2. A new session (row in an internal table) is created for this user, and this session id is put in the session cookie.
  3. On every request, I fetch the session from cookie, get the session id, do a lookup to identify the user.

On running sobelow, I get the CSRF error because is uses the :fetch_session plug. On adding the :protect_from_forgery, naturally it throws an error because I do not have a CSRF token set for my APIs.

The alternative is to use a bearer token mechanism for authentication of APIs. I also need the user to be logged in for an extended period of time. This means along with the bearer token I need to use a refresh token mechanism as well. I also figured out storing the refresh token on the client side is a bad idea. I came across the solution to use a HttpOnly cookie to store the refresh token.

But I am confused by the overall flow here:

  1. Obtain a CSRF token for the client.
  2. Send the CSRF token along with the login credentials.
  3. Once authenticated, generate refresh token and bearer token. Put refresh token in the HttpOnly cookie and send back bearer token.
  4. For every API call use the bearer token for authentication.
  5. Once the bearer token expires, what do I do? To get access to the refresh token I need access to the cookies, which again means I need a CSRF token?

What am I missing here? I feel like there has to be a simpler way.
Would really appreciate any help / guidance on this :smile:


Before the token expires, a request is made to an endpoint that is responsible for generating another access token. The server does have access to the refresh token, so once it receives the request, it verifies the refresh token stored in the cookies, and if everything is fine, it returns a new access token to the client, and now the client uses that.

This is a simple way to accomplish it, there are other more advanced and secure measures such as using a fingerprint. This guide is very comprehensive, although it is somewhat focused on GraphQL, it explains all the concepts very well: The Ultimate Guide to handling JWTs on frontend clients (GraphQL)


This is helpful, thank you!!