I've been using the localStorage to store the JWT token and do the authentication, it works fine because the backend is protected, what is not, are the front end pages in Vue.js and its components, anyone can create a false token in the browser and access the pages, the panel menu, but the data is not loaded because the token is invalidated by the backend. Did you realize that the user will be able to navigate the pages normally? How can I avoid this? Only allowing back-end validated users to navigate the site.
I'm using Vuex and I can not think of a solution. The isLogged state receives the localStorage token, so the user can easily circumvent the browser.
I thought of a solution, do not judge me. Before entering each route, send a request to the back end to check the token, if false, remove the localStorage, would this be a good one?
I'd say your solution is a pretty decent one to start with, but I think you can improve it a bit.
Because you're using VueX, what you could do is store the user (or some other variable) in the Vuex Store. Then before each route you can check if the Store has a user.
If the Store doesn't have a user, check if the localStorage has a token. If there is no token, then the user is not authorised to go to the route.
If the localStorage does have a token, call the back-end and check if the token is valid. If the token is valid, store the user in the Vuex Store and continue. If the token is not valid, than the user is not authorised to go to the route.
This will prevent you from creating unnecessary calls to the back-end whilst still having the validation.
Or you could for example in your store state have a user object that has something like 'userRole' this way you could check for Authentication/Token/Role.
Related
Basically,
I have SPA app with JWT authentication. Now my question is, there is a page that has follow button, so on the first load of page, I need to know if user is logged in or not, so I can disable/enable button.
Approach 1: Before page load send access token and if it is successful render like user is logged in, if it fails render like user is logged out
Approach 2: When user is logged in, keep that state in LocalStorage and just check local storage and render page from that
Is it correct to just keep state of logged in user in LocalStorage? I think that is where you should store ID token (if you use them) that only has user profile information?
Of course I will check access token on each request and from response I can change state in LocalStorage. Problem is that on initial load of page, should I check access token server-side before rendering?
If I keep state in LocalStorage than that user will be logged in on that device basically indefinitely, until he clicks "log out" or tokens fail?
Can anybody see potential problems with keeping state in LocalStorage?
It's OK to keep this information in the local storage. I mean, you can keep a variable there, that will just tell you "this user is logged in as userX". You can then safely utilize this information to display information on your page (e.g. Hi userX!). Even if someone manages to steal that information, it doesn't give them much information.
As you said, you will have to check the credentials on every request anyway (access token, session cookie, etc.), so it's not an issue to have this non-sensitive data in the local storage.
You can of course go with approach 1, but in my opinion, it's just adding unnecessary traffic.
If it bugs you that it will seem that the user is logged in for ever, then you can also persist some TTL in the local storage, and after that TTL treat the user as logged out.
I am managing performing a login and the login state using Vuex. It is a standard procedure of:
User submits their login details on a form
The form dispatches a Vuex action to make an axios API call to a Node/Express endpoint /api/login with the credentials
The response from the API if successful will send back the user's data which is stored in the state.user object through a setUser mutation. A flag of state.user.isLoggedIn is also set to true.
A JWT access token is sent to the user's browser and stored in a secure cookie to use over and over again until it expires. If it expires, a refresh token is used to generate a new JWT access token.
The site's header displays the user's login information .e.g name
The above all works as expected. However if the user refreshes their browser, then Vuex state gets emptied and the site header no longer shows the user information. To overcome this I stored state.user into localStorage in the browser as persisted data and repopulate the Vuex store using the data in localStorage on page refresh. If the user logs out, the localStorage is cleared.
There are many routes that require checking if the user is logged in. I cannot rely on localStorage because it can be manipulated by the user. If the user deletes their cookies which contains a JWT, then localStorage is not being emptied and the site header still displays their log-in information. Therefore I need to do an API call on almost every page to check if the user is logged in and if not then to delete the localStorage as well.
My question is:
Where do I perform a log-in check every time a page/view is accessed? Is it whenever the Vue app is mounted or within vue-router using the beforeEach navigation guard?
If I use beforeEach in vue-router, is it going to crash the site by making an API call to /api/login every time a user changes route? Is it normal practice to do this on every route?
Are there any other alternative patterns to keeping track of if the user is logged in or not?
Application decisions like this tend to be subjective because every application is different, with different requirements and different architectures. It sounds like this is a single page application, so I'll go from there.
First, the fact that your JWT is set up and working is great - that can be a lot of hard work, so be proud that you made it that far.
If your application has certain pages that are accessible without first being logged in (like a login page, or an access denied page, etc.), then you have to consider that in the design as well. In this case, a beforeEach route guard is the perfect solution to keep a route from loading or to catch those not-logged-in users before they attempt to request content that will likely just give them an error.
You probably shouldn't have to make an API call to the server each time the user navigates to a new page. That would probably be a little slow. Because your application uses JWT, complete with refresh tokens, you should be able to rely on them, so that if a user is logged in, they will continue to be logged in until they close their browser and walk away.
This is why you should not use localStorage. When a tab closes or even after a reboot, the user will still appear to be logged in. Instead of using localStorage, use sessionStorage - Helpful MDN link.
Now, the login event to retrieve the user object should only happen once per browser tab, but stay active during the visit.
I wonder why you don't just request a new user object from the server when the browser is refreshed. It's not strange to force a re-check to the server for a full page load. Doing that would mean you wouldn't have to use anything outside of Vuex to store the user's state
Next, is there a way to check the validity of their JWT during the navigation event? Depending on the way you handle the JWT, you may have access to it, and can possibly decode it (like through the oidc-client-js library), and that way determine for yourself if the token is expired. However, if the token is expired, your token refresh system may just refresh it and not tell you about it.
You can also watch your HTTP requests and look out for 401 or 403 responses (however your back-end handles logged-out users), and direct the user back to the login screen if you see one of those. You can use Axios' global interceptors to catch them, or do it yourself if you centralized the location from where Axios is called.
Overall, you're on your way, and clearly have a good grasp on this. Great progress so far, having done probably 90% of the heavy lifting already.
I am building a single page app with vue js/vuex and Laravel backend, I need the users have different roles. I am authenticating on the backend, and using a jwt token for API calls, I am not concerned that we will allow CRUD operations to be performed by a user without the appropriate permissions. What I need to have is the ability for vue to know the role of the user and maintain statelessness without tampering.
I am using vuex-persistedstate with js-cookie and it works but the cookie is clear text and if I change the "role" in the cookie then refresh the page vuex uses the new value. Obviously the data will come from the API and therefore when the token sent is for a user with role = user for data restricted to role = admin it will return 401. Am I overthinking this? If they really wont get, nor be able to change any data they aren't allowed to, just let the "hackerish" users do what they will?
I'm in the process of implementing auth0 login in my project, and to be as fast as possible I'm using a hosted login page. Following the auth0 vue docs I've got up and running quickly and I can login and logout users.
Now, I'm trying to create a user profile page with a route of user/:id. For the :id part I want to use the user_id of the user profile, but I'm having issues understanding the optimal way to get it. I realize I can use the auth0 api users endpoint but I'm not sure that's the correct way. Do I actually need to make an API call to the users endpoint each time an user clicks their profile? Is there no better way to get the user_id, maybe from the id_token which is set in localStorage upon login?
Even better, is there a way to get actual user ids? I know that if I would setup my own login with my own db, I'd have an auto incrementing id which I'd use for user id. This does not seem possible with Auth0, or am I wrong about that?
Disclosure: I work for Auth0.
The idToken returned at the end of the authentication / authorization is a JSON Web Token. This token contains the Auth0 user_id as the sub (subject) claim (property).
If you are using Auth0.js or our AuthService tutorial, Auth0.js will decode this token and give it to you as idTokenPayload object in the authResult. This can be used to identify the user as idTokenPayload.sub.
You can store this object as a whole in localStorage or simply decode the token that you accquired from localStorage. However, please note that you should validate the token after accquiring it from localStorage aswell.
To avoid all the above, you can simply use the checkSession method each time your application bootstraps to get a new copy of the accessToken / idToken and rely on that directly :)
how to keep my store if i refresh a web page ?
let store = new Vuex.Store( {
modules: {
demo, auth
},
strict: true
} );
let router = new VueRouter( {
mode: 'history',
saveScrollPosition: true,
routes: routes
} )
I use the history mode but If i reload my webpage, my store is empty.
There is a solution ?
To persist state data after app refresh, you can either use localStorage or sessionStorage.
XSS: The problems with storing tokens in localStorage as you say is about the app being vulnerable to XSS (cross-site-scripting) attacks. Apart from that, it is quite safe. The localStorage is bound to the domain, so the data of www.yourapp.com will stay there even after the browser is closed also unlike cookies, you won't have to manage which site made the request. All the tabs on the browser with the same domain will be able to use the data in the localStorage
If the said behaviour is not needed, you can go for sessionStorage, it works almost the same way but the data gets cleared when the browser is closed.
Going for cookies, sure they will help saving your token being taken away by an XSS but then you will have to ensure you also provide a csrf-token to protect against CSRF (Cross Site Request Forgery) attacks.
If you plan on going forward with cookies, then make sure they have the httpOnly flag set to true in the headers, else they are no good.
Overall I have seen that localStorage has been a very commonly recommended solution for maintaining tokens and other app data.
I'll add sources to this answer for reference.
CSRF Token necessary when using Stateless(= Sessionless) Authentication?
Check the accepted answer and others as well.
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
https://www.whitehatsec.com/blog/web-storage-security/ This would let you know about the pitfalls and how-to for using localStorage.
If you refresh the page (F5) you are re-running your app, so unless you initialize the store with some data, it will get empty as it is when app starts.
You can decide what states you want to keep in this case and save them into the cookie/LocalStorage and then in your app.js load them from cookie/LocalStorage into the store. It would be common practice for things like auth token etc as you want to keep user logged in in case of page refresh.
Nice post from Stormpath about storing the tokens: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
If Vuex store and whole app is being reloaded when you are navigating from route to route - there is something wrong with your application, probably you are not using VueRouter navigation properly.
You can cache your state to the sessionStorage, which will survive page(tab) refresh events, but will be cleaned when the page or browser is closed.
Docs about sessionStorage