Extract JWT from Cookie

[ismell]

I would like to secure a webapp. It would be nice if the JWT access token could be stored in a cookie instead of requiring the Authorization HTTP header.

A configuration like JWT_COOKIE_NAME=AuthToken would configure the auth function to look at the cookie.

[tarekrached]

+1 on this. Without it, I don't see how to secure static assets that are not accessed via XMLHttpRequest or fetch, where we don't have control of the request headers.

[neurofoo]

+1. recently run into the same issue as @tarekrached re: static pages

[wstam88]

// if there is no auth header
if auth_header == nil then
        // check cookie for token
        if ngx.var.cookie_token ~= nil then
            token = ngx.var.cookie_token;
        elseif ngx.var.arg_token == nil then
            ngx.exit(ngx.HTTP_UNAUTHORIZED)
        else
            // also check voor token in query params (?token=...)
            token = ngx.var.arg_token;
        end
    else
        // use auth header if there
        token = auth_header;
    end