Hey everyone!
I'm doing a small project to teach myself some new technologies, and I started implementing the app auth stuff, and I wonder if you can share the best practices for that.
To narrow it down, what I'm doing is a simple web app with Node.js + GraphQL with Apollo Client + Mongo as the database + React as the client. Also, I'm thinking about JWT tokens and email + password for sign-up and sign-in.
What I'm looking for is how best to store the tokens: in the browser or in the database? When to check them? What process for generating tokens, and what expiration practices? etc.
Would love to hear anything you have!
Top comments (4)
I've also used Reddit to discuss this topic, and I'll just copy one answer which I found really helpful; maybe it'll be useful for someone else:
Kudos to this gentleman: reddit.com/r/node/comments/dx2g93/...
Use Redis for session storage.
I think the best solution is to store the token in the localStorage of the browser if you want to keep the user logged in, otherwise use session storage.
Then send the token with every API request and validate the token in every endpoint that needs authentication or authorisation (create a middleware for that and add it to the routes).
You can check that repository I created a while ago:
ridaeh / Handmade
Dynamic website
Please do not store session tokens in local storage.
auth0.com/docs/security/store-toke...
stackoverflow.com/questions/441335...
medium.com/redteam/stealing-jwts-i...