Here are some notes from me poking around the authentication code:

Refresh tokens are typically not JWTs; this kind of defeats the purpose of using refresh tokens. Usually it's just a random string that you store in the DB.

Storing the access token in a client-side cookie can be a no-no because then it's vulnerable to XSS, but in practice a lot of people do this. I try to store the access token in memory only, and just follow the refresh token to obtain one whenever the app is loaded.

The refreshToken cookie should probably have the Secure flag.

Returning the access token in the Authorization header of the response is a bit unorthodox; consider moving it to the response body.