dssolutioninc / dss_gke Goto Github PK

Ref: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

1. Where to save JWT on client side

• Local storage
  This is prone to XSS attacks.

• Saving it in a cookie
  Creating cookies on the client to save the JWT will also be prone to XSS. If it can be read on the client from Javascript outside of your app - it can be stolen. You might think an HttpOnly cookie (created by the server instead of the client) will help, but cookies are vulnerable to CSRF attacks. It is important to note that HttpOnly and sensible CORS policies cannot prevent CSRF form-submit attacks and using cookies require a proper CSRF mitigation strategy.

• In memory
  It is still better option in comparing with 2 above options

2. Note solutions for Saving in memory option

• Expiry time
  Common practice is to keep it around 15 minutes. And refresh token when it get expired.

• Silent refresh
  Recommend using this method.
  Server need managing refresh token in their database.
  Client need counting down and call refresh token before JWT get expired.

• Logout
  Client: Delete JWT in memory
  Server: Revoke and delete refresh token in database

• Logout for all devices
  Client: Delete JWT in memory (could not delete JWT token in other devices, no way. But they will get expired soon)
  Server: Revoke and delete all refresh tokens belong to the user.

FROM alpine:latest
RUN apk --no-cache add ca-certificates

FROM google/cloud-sdk:alpine

FROM centos:7
RUN curl -sSL https://sdk.cloud.google.com | bash
ENV PATH $PATH:/root/google-cloud-sdk/bin