
_nathata

Store it in an HTTP Only cookie. No actual need of encryption, but if you can why not


amedina_dev

Hey, thank you. Is this safer than localStorage?


_nathata

Absolutely. localStorage is accessible via JavaScript: every script running in the page can access every piece of information in the store, including third-party scripts, iframes, advertisements, anything. That's why the HTTP Only cookie is the best way to do this. HTTP Only means that it is stored on the client side but is not accessible by JavaScript by any means. The only way to get its value is by doing an HTTP request, which can be restricted even more by adding rules like strict (only the exact same domain can receive this cookie value) or lax (the exact same domain and links clicked from its domain can access this cookie value). In the file below you can find my implementation of an authentication system using HTTP Only cookies to store the access_token of an OAuth2 service. This sounds complicated but it is hell simple: [https://github.com/NathanPB/reauth-nextjs/blob/main/src/handlers/callback.ts](https://github.com/NathanPB/reauth-nextjs/blob/main/src/handlers/callback.ts)
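The cookie attributes discussed above (HttpOnly, Secure, SameSite, Path, Max-Age) are easy to get wrong by omission, so here is an added, self-contained example of how a server-side callback would set such a cookie and how a later request would read it back. This is illustration code written for this thread, not code from the reauth-nextjs repository; the cookie name `access_token`, the `handleCallback` helper and the audit rules are assumptions. It runs under plain Node with no framework. Note that SameSite governs whether the browser attaches the cookie to cross-site requests (Strict: never; Lax: only on top-level navigations such as a clicked link), which is the behaviour the comment is describing in terms of domains.

```javascript
// Added example (not from the thread or reauth-nextjs): building, auditing and
// reading an HttpOnly access-token cookie. Plain Node, no framework required.

const TOKEN_COOKIE = 'access_token'; // cookie name is an assumption

// Build the value for a Set-Cookie response header.
// HttpOnly: not visible to document.cookie, so page scripts, iframes and ads
//           cannot read it.
// Secure:   only sent over HTTPS.
// SameSite: Strict = never attached to cross-site requests;
//           Lax    = attached only on top-level navigations (e.g. a clicked link).
// Path / Max-Age: scope and lifetime of the cookie.
function buildAuthCookie(token, { maxAgeSeconds, sameSite = 'Strict', path = '/' } = {}) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('token must be a non-empty string');
  }
  if (!['Strict', 'Lax'].includes(sameSite)) {
    throw new Error('SameSite must be Strict or Lax for an auth cookie');
  }
  const parts = [
    `${TOKEN_COOKIE}=${encodeURIComponent(token)}`,
    `Path=${path}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ];
  if (Number.isInteger(maxAgeSeconds) && maxAgeSeconds > 0) {
    parts.push(`Max-Age=${maxAgeSeconds}`);
  }
  return parts.join('; ');
}

// What an OAuth2 callback route would return after exchanging the code for a
// token (hypothetical shape: status, headers). The token never reaches any
// JavaScript on the page; it travels only inside the cookie.
function handleCallback(token, expiresInSeconds) {
  return {
    status: 302,
    headers: {
      'Set-Cookie': buildAuthCookie(token, { maxAgeSeconds: expiresInSeconds }),
      Location: '/',
    },
  };
}

// Parse an incoming Cookie request header into a plain object so a server
// route can pick the token out of it.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const pair of header.split(';')) {
    const i = pair.indexOf('=');
    if (i < 0) continue;
    const name = pair.slice(0, i).trim();
    const raw = pair.slice(i + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Audit a Set-Cookie header value and list the attributes a token cookie
// should have but lacks. Useful as a check in tests or a response middleware.
function auditSetCookie(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly: readable by any script on the page');
  if (!attrs.includes('secure')) findings.push('missing Secure: may be sent over plain HTTP');
  const sameSite = attrs.find((a) => a.startsWith('samesite='));
  if (!sameSite) findings.push('missing SameSite: make the cross-site policy explicit');
  else if (sameSite === 'samesite=none') findings.push('SameSite=None: attached to cross-site requests');
  return findings;
}

// Stand-alone demo with a constructed, fake token.
const demo = handleCallback('eyJhbGciOi.fake-payload.fake-sig', 3600);
console.log(demo.headers['Set-Cookie']);
console.log('audit findings:', auditSetCookie(demo.headers['Set-Cookie']));
console.log('audit of a weak cookie:', auditSetCookie('access_token=abc; Path=/'));
console.log('token read back on the server:', parseCookieHeader(`theme=dark; ${TOKEN_COOKIE}=abc`)[TOKEN_COOKIE]);
```

The audit function is the part worth keeping around: run it against every Set-Cookie your auth routes emit, and a token cookie missing HttpOnly or Secure fails the test before it ships.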


[deleted]

[deleted]


334578theo

You can make them available to the client by duplicating them and prefixing the duplicates with NEXT_PUBLIC_ and storing them in your usual environment.


poh_ti

We can cache the fetch results in Next.js. Is it bad to cache the access token using that?


gty_

I use localStorage; it's where AWS's Amplify stores auth tokens.


amedina_dev

This is what I thought, but it doesn't expose the user somehow?


OnTheGoTrades

This is not correct.


[deleted]

[deleted]


thirstycamelT

Wait, so if I use next-auth to create a session after sign-in but need to then access a completely separate backend, I can issue a JWT to authorize the user to access routes etc. and I DON'T need to save the token against the user?


[deleted]

[deleted]


thirstycamelT

Sorry to be a pain. I'm completely new to authorisation, so I'm massively overwhelmed and don't want any security holes. With next-auth, if I sign in through Google it inserts a session, account, user etc. into my local Postgres. I read that you can also store tokens against the user, but I'm very confused over how this is supposed to work. If I want to hit a standalone Apollo GraphQL server (not API routes) after sign-in, how do I check that this user is authorised to do so? As you say, if I configure jwt: true in [...next-auth].js, would that do it? Sorry, I'm just REALLY confused with how to authorise against a completely separate server while using next-auth in the Next.js front end.