Restrict refresh token to auth/token path

kiwi-josh · Dec 19, 2016 · 03cec0e · 03cec0e
1 parent 32f26ba
commit 03cec0e
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/app/components/auth/auth.ctrl.js b/app/components/auth/auth.ctrl.js
@@ -87,6 +87,7 @@ module.exports = {
 
         //Get locals
         const COOKIE_MAX_AGE = req.app.locals.REFRESH_TOKEN_COOKIE_MAX_AGE;
+        const API_BASE_PATH = req.app.locals.API_BASE_PATH;
 
         //Create refresh token and set cookie
         const payload = user.getClaims();
@@ -96,6 +97,7 @@ module.exports = {
           maxAge: COOKIE_MAX_AGE * 1000, //in ms
           secure: req.secure,
           httpOnly: true,
+          path: API_BASE_PATH + '/auth/token',
         });
       }