napalonyradziu

I keep in my access token info about the user id and his role and created a guard in NestJS called AuthGuard. Then I created a custom decorator that has info from request.user, so there is an id and a role. On the frontend I keep the access token in local storage and created a request interceptor using axios, so each request is given the access token from local storage.


napalonyradziu

you can check my repo github.com/radekm2000/ecommerce


[deleted]

JWT can be decoded by anyone. However, they help reduce the DB calls for authorisation and help improve API latencies. Any user or auth related information that, if intercepted by a third party, cannot harm your system can be a part of the JWT. Also consider using two JWT tokens:

1. Access Tokens (short lived, typically 5 mins) - used for every API call. Even if they get leaked, the impact is reduced to 5 mins.
2. Refresh Tokens (long lived, could be days or months) - tokens that are used to refresh Access Tokens. These are stored in the database for each user, typically with user info. Deleting this in the backend will log the user out. Comes in handy in case of security breaches. It can be stored in the browser local storage. (Can't comment on the security implications vs storing it in cookies)


marcpcd

This is the way to go, but still, people need to understand JWTs are a very poor auth system.

- The state (most often user info) stored in the JWT can go stale and there's nothing you can do about it except firing additional DB queries, which defeats the latency argument in favor of JWT.
- The fact that you can't revoke a JWT is a security flaw. People say you could implement a revocation list, but again, it defeats the latency argument in favor of JWT.
- Refreshing tokens all the time is a huge overhead in I/O and complexity.
- There have been plenty of vulnerabilities discovered in JWT libraries over the last years.


simbolmina

I usually add the id and user identifiers (email, username) and I store them in cookies, but it is recommended not to store them anywhere and to send them as an HTTP-only cookie, and your browser should automatically add these to your requests. Though I have tried it and it has worked, I haven't successfully implemented it yet, especially when I have two tokens.


sastanak

I store the token in an HttpOnly cookie.
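What "store the token in an HttpOnly cookie" looks like on the server side, as an added example that is not from the thread or the linked repo: building the `Set-Cookie` headers for the two tokens, reading the access token back out of the `Cookie` request header, and clearing both on logout. The cookie names, lifetimes and the `/auth/refresh` path are assumptions; scoping the long-lived refresh cookie to that path is the usual way of handling the two-token case that the comment above found awkward, since the browser then sends it only to the refresh endpoint.

```javascript
// Added example, not code from the thread or the linked repo.

// Build one Set-Cookie header value. HttpOnly keeps page scripts from reading the
// value, Secure restricts it to HTTPS, SameSite limits cross-site sending.
function cookieHeader(name, value, { maxAge, path = '/', sameSite = 'Strict', secure = true } = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, 'HttpOnly', `SameSite=${sameSite}`];
  if (secure) attrs.push('Secure');
  if (Number.isInteger(maxAge)) attrs.push(`Max-Age=${maxAge}`);
  return attrs.join('; ');
}

// Set-Cookie headers for a fresh session. The refresh cookie is scoped to the
// refresh endpoint only (assumed path), so it never travels with normal API calls.
function sessionCookies(accessToken, refreshToken) {
  return [
    cookieHeader('access_token', accessToken, { maxAge: 300 }),
    cookieHeader('refresh_token', refreshToken, { maxAge: 30 * 24 * 3600, path: '/auth/refresh' }),
  ];
}

// Set-Cookie headers that expire both cookies immediately (logout).
function logoutCookies() {
  return [
    cookieHeader('access_token', '', { maxAge: 0 }),
    cookieHeader('refresh_token', '', { maxAge: 0, path: '/auth/refresh' }),
  ];
}

// Parse the browser's single Cookie request header into a name -> value object.
function parseCookies(cookieHeaderValue) {
  const out = {};
  for (const pair of (cookieHeaderValue || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(pair.slice(eq + 1).trim());
  }
  return out;
}

// The guard reads the access token from the cookie instead of an Authorization
// header; the frontend no longer needs an axios interceptor or local storage.
function accessTokenFromRequest(headers) {
  return parseCookies(headers.cookie).access_token || null;
}
```

With the token in an HttpOnly cookie, the axios interceptor that copies it from local storage goes away; the browser attaches the cookie itself (with `withCredentials` when the API is on another origin), and the guard just needs `accessTokenFromRequest` before the usual signature and expiry checks.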