From 03cec0eb48ddb69488831b51fdf43f8d0f9b2d1d Mon Sep 17 00:00:00 2001
From: Adam Reis
Date: Mon, 19 Dec 2016 18:34:12 +1300
Subject: [PATCH] Restrict refresh token to auth/token path

---
 app/components/auth/auth.ctrl.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/components/auth/auth.ctrl.js b/app/components/auth/auth.ctrl.js
index f83d647..d891aa5 100644
--- a/app/components/auth/auth.ctrl.js
+++ b/app/components/auth/auth.ctrl.js
@@ -87,6 +87,7 @@ module.exports = {
 
     //Get locals
     const COOKIE_MAX_AGE = req.app.locals.REFRESH_TOKEN_COOKIE_MAX_AGE;
+    const API_BASE_PATH = req.app.locals.API_BASE_PATH;
 
     //Create refresh token and set cookie
     const payload = user.getClaims();
@@ -96,6 +97,7 @@ module.exports = {
       maxAge: COOKIE_MAX_AGE * 1000, //in ms
       secure: req.secure,
       httpOnly: true,
+      path: API_BASE_PATH + '/auth/token',
     });
   }
 
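Review bot: `path: API_BASE_PATH + '/auth/token'` in the second hunk has no guard on `API_BASE_PATH`; if that app local is unset the cookie is scoped to `undefined/auth/token` and is never sent back, and a base ending in `/` yields `//auth/token`, which does not match the route — normalising once, e.g. `path: (API_BASE_PATH || '').replace(/\/$/, '') + '/auth/token',`, avoids both silent misconfigurations. The cookie `Path` attribute is a prefix match, so the refresh token is also attached to any route whose path starts with `/auth/token`; this narrows exposure but is not an isolation boundary, `httpOnly` and `secure` remain the actual protection, and adding a `sameSite` option here would further limit cross-site replay of the refresh cookie. Any logout or `clearCookie` call elsewhere in this controller will presumably need the same `path` value to actually remove the cookie, which is worth confirming since it lies outside these hunks. Both hunks sit inside a method of `module.exports` whose start and end are outside the diff.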