Lil-Nugs

Results 8 comments of Lil-Nugs

> Yes, so I'm planning to refresh the refresh token as well. Is that a bad idea? Found [this Stack Overflow post](https://stackoverflow.com/questions/64708231/refresh-token-rotation-is-it-really-enough) in my research on JWT auth. I think you're...

Cookies should be httponly for access and refresh tokens to protect from XSS attacks. Per the API documentation, you can define the max_age for your cookies when you set them.

I tried using the Kick implementation from #31576 and it was working at first, but then started getting 403s as well. Probably still due to the Cloudflare fingerprinting I'm guessing....

Hmm tests pass locally for me, unsure of why it's timing out here. I'll try to figure it out.

Ah yep, added! Edit: Also, the contribution docs' API section only mentions `api/` here for the tests: https://contribute.freecodecamp.org/#/codebase-best-practices?id=api Would it be good to add a section mentioning the `api-server/` folder...

Oh right I wasn't even thinking about the migration you'd have to do to sync things up. Yeah just having it generated on the client and have it link to...

Hi, I'm working on this right now but was wondering if there's a certain way we should handle redirects and how you got the page downloaded, @dirkf? I'm running into...

Hm, looking at some other issues actually, seems like this could be bypassed by grabbing the cookies after visiting those URLs