Feature Request: Optional Configuration to Exclude JWT from Authorization Header #6052
Closed
Eknopp started this conversation in New Features or Ideas
Replies: 1 comment 2 replies
-
I think you were pointed here erroneously. My guess is that @waiting-for-dev copied the GitHub config from Solidus. I'd open an issue on the devise-jwt repo.
-
Hi,
This is regarding the devise-jwt gem. I'm not sure whether this is the correct place to open this discussion, but this is where the devise-jwt Feature Request led me to. If this is the wrong place, I would gladly have some help knowing where this discussion is supposed to be done.
I’m currently using cookies to store the JWT token instead of relying on local/session storage. This approach enhances security by mitigating the risk of XSS attacks since the token isn’t exposed to JavaScript.
However, I noticed that the JWT token is still included in the Authorization header of successful responses by default. Since I’m not using the token from the header, I’d like to remove it to avoid redundant data transmission and ensure the response is as minimal as possible.
I couldn’t find an option in the documentation to disable the inclusion of the token in the Authorization header. If this functionality already exists, I’d greatly appreciate guidance on how to configure it.
If not, I’d like to suggest adding an optional configuration that allows users to exclude the JWT from the Authorization header. This flexibility would benefit developers who are using alternative storage mechanisms like cookies while maintaining compatibility with devise-jwt.
Thank you for considering this feature request, and I’m happy to provide further context or contribute if needed!
Kind regards,
Eitan
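Until such an option exists upstream, the behaviour described in the post can be approximated at the Rack layer. The following is an added example, not code from devise-jwt or from the poster: a middleware that takes the `Authorization: Bearer <jwt>` header devise-jwt puts on a successful sign-in response, re-issues the token as an HttpOnly, Secure, SameSite=Strict cookie, and drops the header so it never reaches the client. It assumes a cookie named `jwt` and that the token is a dotted base64url string; both the cookie name and the class are hypothetical.

```ruby
# Added example (not devise-jwt code): move the bearer JWT from the response
# Authorization header into an HttpOnly cookie and remove the header.
# Assumptions: cookie name "jwt" (configurable), JWT charset [A-Za-z0-9_.-].
# Rack 2 exposes headers as "Authorization"; Rack 3 lower-cases them, so both
# spellings are handled.
class JwtHeaderToCookie
  BEARER = /\ABearer\s+(?<token>[A-Za-z0-9_.\-]+)\z/

  def initialize(app, cookie_name: 'jwt', secure: true)
    @app = app
    @cookie_name = cookie_name
    @secure = secure
  end

  def call(env)
    status, headers, body = @app.call(env)
    self.class.move_token!(headers, @cookie_name, secure: @secure)
    [status, headers, body]
  end

  # Removes the Authorization header from the response headers. If it carried a
  # bearer JWT, emits a Set-Cookie for it and returns the token; otherwise nil.
  def self.move_token!(headers, cookie_name, secure: true)
    raw = headers.delete('Authorization') || headers.delete('authorization')
    return nil unless raw
    m = BEARER.match(raw)
    return nil unless m
    attrs = ["#{cookie_name}=#{m[:token]}", 'Path=/', 'HttpOnly', 'SameSite=Strict']
    attrs << 'Secure' if secure
    add_set_cookie!(headers, attrs.join('; '))
    m[:token]
  end

  # Appends to an existing Set-Cookie value (newline-joined String under Rack 2,
  # Array under Rack 3) so cookies set by the app (e.g. CSRF) are preserved.
  def self.add_set_cookie!(headers, cookie)
    key = headers.key?('set-cookie') ? 'set-cookie' : 'Set-Cookie'
    existing = headers[key]
    headers[key] =
      case existing
      when nil then cookie
      when Array then existing + [cookie]
      else "#{existing}\n#{cookie}"
      end
  end
end
```

Insert it with `config.middleware.use JwtHeaderToCookie` in a Rails app; the request side (reading the cookie back and presenting it to devise-jwt) is unchanged by this middleware.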