My current authentication system looks like this:
- On entering username and password, the login endpoint is called (not a form action) that authenticates the user.
- A new session (row in an internal table) is created for this user, and this session id is put in the session cookie.
- On every request, I fetch the session from cookie, get the session id, do a lookup to identify the user.
On running Sobelow, I get the CSRF error because it uses the :fetch_session plug. On adding the :protect_from_forgery plug, naturally it throws an error because I do not have a CSRF token set for my APIs.
The alternative is to use a bearer token mechanism for authentication of APIs. I also need the user to be logged in for an extended period of time. This means along with the bearer token I need to use a refresh token mechanism as well. I also figured out storing the refresh token on the client side is a bad idea. I came across the solution to use an HttpOnly cookie to store the refresh token.
But I am confused by the overall flow here:
- Obtain a CSRF token for the client.
- Send the CSRF token along with the login credentials.
- Once authenticated, generate refresh token and bearer token. Put refresh token in the HttpOnly cookie and send back bearer token.
- For every API call use the bearer token for authentication.
- Once the bearer token expires, what do I do? To get access to the refresh token I need access to the cookies, which again means I need a CSRF token?
What am I missing here? I feel like there has to be a simpler way.
Would really appreciate any help / guidance on this.
References:
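The flow the post asks about, as an added example that is not part of the original post: a Phoenix router whose API pipeline never calls :fetch_session (so the Sobelow CSRF finding does not apply), a function plug that checks the bearer token on protected routes, and a refresh endpoint that reads the HttpOnly cookie with fetch_cookies/1 instead of going through the session. MyAppWeb, MyApp.Accounts.authenticate/2 and the route names are assumptions, and Phoenix.Token is used for both tokens to keep the sketch stateless.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  # The API pipeline never calls :fetch_session, so there is no session cookie to forge.
  pipeline :api do
    plug :accepts, ["json"]
  end
  scope "/api", MyAppWeb do
    pipe_through :api
    post "/login", SessionController, :create
    post "/refresh", SessionController, :refresh
  end
  # Plug for protected routes: bearer tokens travel in the Authorization header,
  # which browsers never attach on their own, so no CSRF token is needed here.
  def require_bearer(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user_id} <- Phoenix.Token.verify(conn, "access", token, max_age: 15 * 60) do
      assign(conn, :current_user_id, user_id)
    else
      _ -> conn |> send_resp(401, "") |> halt()
    end
  end
end

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller
  @refresh_ttl 30 * 24 * 60 * 60
  # MyApp.Accounts.authenticate/2 is a hypothetical credential check.
  def create(conn, %{"username" => u, "password" => p}) do
    case MyApp.Accounts.authenticate(u, p) do
      {:ok, user} -> issue_tokens(conn, user.id)
      :error -> send_resp(conn, 401, "")
    end
  end
  # Reads the cookie with fetch_cookies/1; no session and no CSRF token are involved.
  def refresh(conn, _params) do
    conn = fetch_cookies(conn)
    with token when is_binary(token) <- conn.req_cookies["refresh_token"],
         {:ok, user_id} <- Phoenix.Token.verify(conn, "refresh", token, max_age: @refresh_ttl) do
      issue_tokens(conn, user_id)
    else
      _ -> send_resp(conn, 401, "")
    end
  end
  # SameSite=Strict and Path=/api/refresh keep the cookie off cross-site requests and other endpoints.
  defp issue_tokens(conn, user_id) do
    conn
    |> put_resp_cookie("refresh_token", Phoenix.Token.sign(conn, "refresh", user_id),
      http_only: true, secure: true, same_site: "Strict", path: "/api/refresh", max_age: @refresh_ttl)
    |> json(%{access_token: Phoenix.Token.sign(conn, "access", user_id), expires_in: 900})
  end
end
```

The SameSite=Strict, path-scoped cookie plus the Authorization header are what stand in for a CSRF token on these endpoints. Because Phoenix.Token is stateless, storing the refresh token in the existing session table and rotating it on every refresh is what adds revocation.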