The internet is wrong about JWT

Belhassen Chelbi

Posted on May 4, 2020

It's the bit where you use localStorage to store it. Anything in localStorage is readable by every script that runs on the origin, so a single XSS bug is enough to exfiltrate the token, yet article after article keeps putting it there.

The problem is not just articles: packages like django-rest-simplejwt and solutions like Saleor ship it this way (for the record, Saleor has this as a high-priority issue for the next release). And it's not only these; the default behaviour of almost every framework out there is the same.

Shouldn't the default behaviour be an HttpOnly cookie (with Secure and SameSite set, and a CSRF check on state-changing requests, since the browser attaches cookies on its own) rather than a JSON object containing the access and refresh tokens? If the token isn't safe in the hands of page scripts, why do I need it as plain text at all?

What do you think?
