enables refresh route to safely update httpOnly cookie

src/auth/operations/refresh.js

@@ -21,7 +21,7 @@ const refresh = async (args) => {
     // 2. Perform refresh
     // /////////////////////////////////////
 
-    const { secret } = options.config;
+    const { secret, cookiePrefix } = options.config;
     const opts = {};
     opts.expiresIn = options.collection.config.auth.tokenExpiration;
 
@@ -33,6 +33,10 @@ const refresh = async (args) => {
     delete payload.exp;
     const refreshedToken = jwt.sign(payload, secret, opts);
 
+    if (args.res) {
+      args.res.cookie(`${cookiePrefix}-token`, refreshedToken, { path: '/', httpOnly: true });
+    }
+
     // /////////////////////////////////////
     // 3. Execute after login hook
     // /////////////////////////////////////

src/auth/requestHandlers/refresh.js

@@ -6,6 +6,7 @@ const refreshHandler = config => async (req, res) => {
   try {
     const result = await refresh({
       req,
+      res,
       collection: req.collection,
       config,
       authorization: req.headers.authorization,