Module: Spree::Api::V3::Admin::AuthCookies
- Extended by: ActiveSupport::Concern
- Included in: AuthController, InvitationAcceptancesController
- Defined in: app/controllers/concerns/spree/api/v3/admin/auth_cookies.rb
Overview
Cookie-based delivery for admin refresh tokens.

Refresh token: HttpOnly signed cookie scoped to Path=/api/v3/admin/auth. It is
invisible to JavaScript and tamper-evident via Rails' cookie signing. Signed is
not encrypted: the cookie's integrity is protected, but the token inside it is
readable by anyone who holds the cookie, so the Secure flag matters.

CSRF protection:
We deliberately do NOT use a CSRF token here. The threat model is covered by the
combination of:
- SameSite=Lax (dev) / SameSite=None; Secure (prod) on the refresh cookie
- the Spree::AllowedOrigin allowlist enforced via Rack::Cors with credentials: true
- CORS preflight, which rejects credentialed cross-origin requests from
  non-allowlisted Origins
Note that with SameSite=None in production the browser does attach the cookie to
cross-site requests, so there the protection rests on CORS alone. CORS gates
requests that trigger a preflight and stops a non-allowlisted origin from reading
the response; it does not stop a simple request (for example a plain form POST)
from reaching the server. The reasoning therefore holds as long as the refresh
endpoint is only reachable through a preflighted request (a JSON body or a custom
header), or a cross-origin call whose response cannot be read has no effect worth
protecting.
A double-submit CSRF token would only add value if the AllowedOrigin allowlist
were misconfigured or if an XSS occurred on a different allowlisted origin; in
both cases the defender has a deeper problem than CSRF.
See docs/plans/5.5-admin-auth-cookie-refresh.md for the full reasoning.
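The cookie handling described above, as an added example (not Spree's code): an HMAC-signed, purpose-bound refresh cookie scoped to COOKIE_PATH, carrying the HttpOnly and per-environment SameSite attributes the concern lists. Rails does the signing through cookies.signed, backed by ActiveSupport::MessageVerifier; this stand-in reproduces the shape of a signed cookie (Base64 payload, "--", hex HMAC) with plain OpenSSL so it runs without Rails, and is not the exact Rails wire format. The AdminRefreshCookie module and its sign, verify, peek and set_cookie_header methods are hypothetical names; the two constants are the ones the concern defines, and the secret and token values are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not Spree's code. Models the refresh cookie the
# Spree::Api::V3::Admin::AuthCookies concern describes. Method names are
# hypothetical; REFRESH_COOKIE_NAME and COOKIE_PATH are the concern's constants.
module AdminRefreshCookie
  REFRESH_COOKIE_NAME = :spree_admin_refresh_token
  COOKIE_PATH         = '/api/v3/admin/auth'.freeze
  # Purpose string mixed into the signed payload so a value signed for some
  # other cookie cannot be replayed as the refresh token.
  PURPOSE = "cookie.#{REFRESH_COOKIE_NAME}".freeze

  # Produce the signed cookie value for a refresh token.
  def self.sign(token, secret:)
    payload = Base64.strict_encode64(JSON.generate({ 'token' => token, 'pur' => PURPOSE }))
    "#{payload}--#{hmac(payload, secret)}"
  end

  # Return the token, or nil for a missing, malformed, tampered, foreign-key
  # or wrong-purpose cookie. Digests are compared in constant time.
  def self.verify(cookie_value, secret:)
    return nil unless cookie_value.is_a?(String)
    payload, digest = cookie_value.split('--', 2)
    return nil if payload.nil? || digest.nil?
    return nil unless secure_equal?(digest, hmac(payload, secret))
    data = JSON.parse(Base64.strict_decode64(payload))
    return nil unless data.is_a?(Hash) && data['pur'] == PURPOSE
    data['token']
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Signed is not encrypted: anyone holding the cookie can read the token
  # without knowing the secret. This is why Secure (prod) and HttpOnly matter.
  def self.peek(cookie_value)
    payload = cookie_value.split('--', 2).first
    JSON.parse(Base64.strict_decode64(payload))['token']
  end

  # Set-Cookie attributes as the concern describes them: HttpOnly, scoped to
  # COOKIE_PATH, SameSite=Lax in development, SameSite=None; Secure in production.
  def self.set_cookie_header(signed_value, env:)
    attrs = ["#{REFRESH_COOKIE_NAME}=#{signed_value}", "Path=#{COOKIE_PATH}", 'HttpOnly']
    if env == :production
      # Browsers only accept SameSite=None together with Secure.
      attrs << 'Secure' << 'SameSite=None'
    else
      attrs << 'SameSite=Lax'
    end
    attrs.join('; ')
  end

  def self.hmac(data, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  end

  # Constant-time comparison so a forged digest cannot be confirmed byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :hmac, :secure_equal?
end

if __FILE__ == $PROGRAM_NAME
  secret = 'development-only-secret-key-base' # constructed, not a real key
  value  = AdminRefreshCookie.sign('rt_abc123', secret: secret)      # constructed token
  puts AdminRefreshCookie.set_cookie_header(value, env: :production)
  puts AdminRefreshCookie.verify(value, secret: secret)
  tampered = value.dup
  tampered[0] = tampered[0] == 'A' ? 'B' : 'A'                       # flip one payload char
  p AdminRefreshCookie.verify(tampered, secret: secret)
end
```

peek is there to make the signed-not-encrypted point concrete: the token is recoverable from the cookie value with no secret at all, so integrity comes from the HMAC while confidentiality in transit comes only from Secure, and HttpOnly is what keeps page scripts away from it.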
Constant Summary
- REFRESH_COOKIE_NAME = :spree_admin_refresh_token
- COOKIE_PATH = '/api/v3/admin/auth'.freeze