Sunday, 14 October 2018

Web API Auth with Passport.js and Cookies in SPA

Yes, you read it well, Cookies :)

Hey gang, in order to get in touch with some backend I started to build small Node Express APIs, so I got introduced to headers, CSRF and XSS attacks, the use of JWT, local storage, etc. I've spent the whole weekend reading people's opinions and solutions all over stackoverflow. This is not for production use, I just want to know how all that "sorcery" works and if everything I've been reading is well assimilated in my brain.

One of the APIs I'm building is a user authentication system whose front end I aim to build using a SPA (vuejs*). I won't use sessions.

I've read that in order to avoid XSS attacks, tokens should not be stored in localStorage or a similar web API; somewhere it's also mentioned that it's a good practice to store it in a response header httpOnly secure cookie, so it will be automatically included in every request.

QUESTION 1: I don't have a secure protocol in the dev environment on localhost, so I can't set that cookie to secure. I might do it just before deployment to a secure host (Heroku maybe..?). Am I right?

QUESTION 2: I read that if it's a REST API, it should not handle sessions or cookies. Mobile apps are out of my interest in this case, so this API would be only for web apps (SPAs), so I could use cookies in this case. Do I get it right till here??

Using only cookies (I read...) has no protection against CSRF attacks, that's when a token in every request will be needed. So my idea was to implement Passport.js authentication using the JWT strategy to read the token sent in the Authorization header in every request. At this point, every request will receive a cookie and a token...

QUESTION 3: Does it make sense to have in my routes two middlewares (checkCookie and passport jwt) between my protected route and my controller method? So I check both before invoking the controller?

Authentication would fail because no valid cookie was sent or no valid token as well. I don't know a thing about attacks, but in that case an attacker would need to have access to a httpOnly cookie plus the token needed in every request.

As I said, this is only for learning purposes, I want to learn how those topics are handled. Feel free to correct me in any concept I've tried to learn this weekend.

Cheers!

Submitted October 14, 2018 at 03:31PM by josewhitetower
