I have stored a JWT token in a cookie. How do I use Nuxt.js authentication? Should I use cookie authentication?
Related
I have an ASP.NET Core 6 GraphQL API app. The server is set up with Hot Chocolate and the endpoints are served at localhost/graphql.
When a user logs in, the GraphQL resolver generates both access and refresh tokens and sends them in the response as HttpOnly cookies.
The access token cookie has the path "/", and the refresh token cookie has the path "/graphql/refreshtoken".
The idea is that the browser should send the access token with every request, but the refresh token must be sent only when the client hits the "/graphql/refreshtoken" endpoint.
I could not find any example for my scenario. Those that I found store refresh tokens in local storage, not in a cookie.
How can I set up the GraphQL server to serve the /graphql/refreshtoken endpoint?
Note: I don't want to additionally use REST for refresh tokens.
If the above approach is not achievable, how can I refresh cookie-stored tokens with GraphQL? What is the best practice?
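The cookie-path scheme in the question relies entirely on the browser's path-matching rules, so it is worth seeing exactly which cookie gets attached to which request. The following is an added example, not code from the question or from Hot Chocolate: a minimal cookie jar that applies the RFC 6265 path rules (sections 5.1.4 and 5.4) to the two Set-Cookie headers a login response would return. The cookie names and values, and the request paths, are constructed for the demo.

```javascript
// Added example (not the question's code): a cookie jar applying RFC 6265
// path matching, to show when the browser sends the refresh-token cookie.

// RFC 6265 section 5.1.4: default-path of a cookie set without a Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const last = requestPath.lastIndexOf('/');
  return last === 0 ? '/' : requestPath.slice(0, last);
}

// RFC 6265 section 5.1.4: does cookie-path match request-path?
// Note the '/' boundary: Path=/graphql/refreshtoken does NOT match /graphql/refreshtokens.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value; only the attributes relevant here are kept.
function parseSetCookie(header, requestPath = '/') {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: defaultPath(requestPath),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'path': cookie.path = v.startsWith('/') ? v : defaultPath(requestPath); break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = v; break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store the cookies from a response to a request for `requestPath`.
  storeResponse(requestPath, setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestPath);
      this.cookies.set(`${c.name}|${c.path}`, c); // same name + different path = distinct cookie
    }
  }

  // The Cookie header the browser would send with a request for `requestPath`
  // (RFC 6265 section 5.4: only matching cookies, longer paths first).
  cookieHeaderFor(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => pathMatches(c.path, requestPath))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What document.cookie would expose on a page at `requestPath`: HttpOnly cookies are hidden.
  scriptVisibleFor(requestPath) {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly && pathMatches(c.path, requestPath))
      .map((c) => c.name);
  }
}

// Constructed login response: the two cookies described in the question.
const LOGIN_SET_COOKIE = [
  'accessToken=at.demo; Path=/; HttpOnly; Secure; SameSite=Strict',
  'refreshToken=rt.demo; Path=/graphql/refreshtoken; HttpOnly; Secure; SameSite=Strict',
];

function demo() {
  const jar = new CookieJar();
  jar.storeResponse('/graphql', LOGIN_SET_COOKIE);
  return {
    graphql: jar.cookieHeaderFor('/graphql'),                 // access token only
    refresh: jar.cookieHeaderFor('/graphql/refreshtoken'),    // both, refresh token first
    lookalike: jar.cookieHeaderFor('/graphql/refreshtokens'), // no '/' boundary: access token only
    visibleToJs: jar.scriptVisibleFor('/'),                   // [] because both are HttpOnly
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the demo makes visible: the refresh cookie is attached only to requests for exactly /graphql/refreshtoken or paths below it, and with HttpOnly neither cookie is readable from script. Keep in mind that RFC 6265 (section 8.5) does not treat the Path attribute as a security boundary between pages of the same origin; what keeps the refresh token out of script is HttpOnly, and what keeps it out of cross-site requests is SameSite, so set both on the refresh cookie as well as the path.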
A JWT token is generated in our application, and using the same token within the expiration time I can call my API from Postman too. I need to restrict that. So how can we identify whether the API call with the JWT token is coming from Postman or from a browser, and how can we authenticate it in .NET Core?
I'm searching for simple tutorials or examples of Flutter authentication using the authentication token and refresh token workflow with JWT (how to make login work with an auth token and a refresh token).
I'm using Node.js for the backend and JWT.
You just have to generate the token using the jsonwebtoken npm library. You can also adjust the expiry time of the token (refer to the documentation of the library). After the token is generated, persist it to the client (in your case the Flutter app) and save it on the local device; you can use the shared_preferences library of Flutter to store key-value pairs in the device's local storage. Using this token you can make a simple login and logout system and also authenticate all your requests to the server.
Normally, in the current authentication we're using, after the user name and password are entered in the login UI, the credentials are checked on the server side, and if the user is authorized then a JWT token is sent back to the client and saved in localStorage. The [Authorize] tag does the authorization in the middleware.
I want to use Blazor's CascadingAuthenticationState, AuthorizeView and JWT authentication without using the Identity library. Is this possible? Right now I use Blazored.LocalStorage.ILocalStorageService and save the token to localStorage. How can I add the token to each request? Most examples are for Blazor WebAssembly; I could not find a scenario similar to mine. Is using Identity the only way to do authentication in a Blazor Server app? I have to use my own server and middleware, so I won't use Identity. Or maybe I should create a hybrid that uses both of them. What is your suggestion?
I'd like to secure my SPA's private routes with JWT authentication. To make everything as secure as possible, I wanted to use an httpOnly cookie to store my access_token on the client side.
Using httpOnly cookies protects me a lot from XSS attacks, but unfortunately this approach does not allow me to check whether the cookie actually exists in the browser.
In this case, how can I implement some logic to prevent users who are not logged in from visiting the private, secure routes of my SPA?
Am I forced to use non-httpOnly cookies or localStorage for this?
Am I forced to use non-httpOnly cookies or localStorage for this?
No. Keep your access_token in a cookie with the httpOnly flag, and (if possible) with the secure flag.
Let's call this cookie session_cookie.
When a user does a successful login you could return 2 cookies: the session_cookie and another one which informs JS that the user has been authenticated (let's call it the SPA cookie).
Your session_cookie is not accessible by JS, so it's not vulnerable to XSS. This cookie is sent on each request to the server, which checks whether it is a valid token; otherwise an unauthorized error is returned.
Your SPA cookie doesn't have the httpOnly flag, so it's accessible by JS, but the server doesn't use it to authenticate the user, so faking this cookie is useless.
Whenever you receive an unauthorized error on your SPA you can remove the SPA cookie.
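The two-cookie pattern in the answer is easy to get subtly wrong (the server must never consult the hint cookie, and the client must treat it as a UI hint only). The following is an added example, not code from the answer: both halves of the pattern as plain functions. The cookie names session_cookie and spa_cookie follow the answer; the route list, the session token and the simulated browser state are constructed for the demo. The client-side functions take the cookie string as a parameter so they run under Node without a DOM; in a browser you would pass document.cookie.

```javascript
// Added example (not the answer's code): httpOnly session cookie plus a
// JS-readable login hint, and a route guard that only trusts the hint for UI.

// Parse a Cookie header or a document.cookie string into a Map.
function parseCookieHeader(str) {
  const m = new Map();
  for (const part of (str || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    m.set(part.slice(0, eq).trim(), decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return m;
}

// --- server side ---

// Set-Cookie headers returned on a successful login.
function loginSetCookieHeaders(sessionToken, maxAgeSec = 3600) {
  return [
    // the credential: no script access, HTTPS only, not sent on cross-site requests
    `session_cookie=${sessionToken}; Path=/; Max-Age=${maxAgeSec}; HttpOnly; Secure; SameSite=Strict`,
    // the hint: readable by script, carries no secret and grants nothing
    `spa_cookie=1; Path=/; Max-Age=${maxAgeSec}; Secure; SameSite=Strict`,
  ];
}

// Authorization reads ONLY session_cookie. spa_cookie is never looked at here,
// which is what makes a forged hint useless.
function authorizeRequest(cookieHeader, isValidSession) {
  const jar = parseCookieHeader(cookieHeader);
  return jar.has('session_cookie') && isValidSession(jar.get('session_cookie')) ? 200 : 401;
}

// --- client side ---

const PRIVATE_ROUTES = new Set(['/dashboard', '/settings']);

function hasLoginHint(cookieString) {
  return parseCookieHeader(cookieString).has('spa_cookie');
}

// Route guard: returns the route to navigate to. It decides UI only; a forged
// hint reaches the private route, where the first API call then gets a 401.
function guardRoute(path, cookieString) {
  return PRIVATE_ROUTES.has(path) && !hasLoginHint(cookieString) ? '/login' : path;
}

// What the browser assigns to document.cookie to drop the hint (Max-Age=0 deletes it).
function clearHintCookieString() {
  return 'spa_cookie=; Path=/; Max-Age=0; Secure; SameSite=Strict';
}

// Client response hook: on 401 forget the hint and go to the login page.
// `browser` simulates the page's cookie jar; in a real page this would be
// `document.cookie = clearHintCookieString()` followed by a navigation.
function onApiResponse(status, browser) {
  if (status !== 401) return;
  browser.cookieString = [...parseCookieHeader(browser.cookieString)]
    .filter(([name]) => name !== 'spa_cookie')
    .map(([name, value]) => `${name}=${value}`)
    .join('; ');
  browser.redirect = '/login';
}

function demo() {
  const sessions = new Set(['tok123']);
  const isValid = (t) => sessions.has(t);
  // 1. honest login: both cookies from loginSetCookieHeaders() are in the jar
  const honest = { cookieString: 'session_cookie=tok123; spa_cookie=1' };
  const step1 = guardRoute('/dashboard', honest.cookieString);   // '/dashboard'
  const step2 = authorizeRequest(honest.cookieString, isValid);  // 200
  // 2. forged hint in a browser that holds no session cookie
  const forged = { cookieString: 'spa_cookie=1' };
  const step3 = guardRoute('/dashboard', forged.cookieString);   // '/dashboard' (UI only)
  const step4 = authorizeRequest(forged.cookieString, isValid);  // 401: server ignores spa_cookie
  onApiResponse(step4, forged);                                  // hint removed, redirect set
  const step5 = guardRoute('/dashboard', forged.cookieString);   // '/login'
  return [step1, step2, step3, step4, step5, forged.redirect];
}

console.log(demo());
```

Two caveats a practitioner would want alongside this pattern. HttpOnly stops script from reading session_cookie, but script running on the page can still make requests that carry it, so XSS is reduced to a session-riding problem rather than eliminated. And because the credential now travels automatically as a cookie, the API needs CSRF protection; SameSite=Strict (or Lax) on session_cookie, as in the headers above, covers most of that for modern browsers.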