Comments (4)
Related issue: now that the auth operations have been switched from REST calls to GraphQL, errors are no longer being reported correctly.
This seems to be due to the switch from apollo-angular-link-http to apollo-upload-client, which has had the result that the http interceptor no longer gets executed on http calls.
Video guide on implementing a refresh token flow for JWT / express: https://www.youtube.com/watch?v=UA0AIkjI85c
Plus the front-end code used to set and update tokens: https://github.com/benawad/gello-world/blob/7_advanced_jwt_auth/src/index.js
Why use refresh tokens?
While researching this I had the question of "what is the point of refresh tokens?"
From what I read, the auth token should have a short life (say, 5 - 15 mins) whereas the refresh token has a longer life (say, 1 - 2 weeks). User logs in, then the auth token expires after 5 mins and so the refresh token is checked, validated, and a new auth token is issued. The refresh token is presumably stored in the same fashion as the auth token (localStorage, for example). If an attacker can get the auth token, they can also get the refresh token. So where is the additional security?
Answer from https://security.stackexchange.com/a/119392:
Without frequent refreshing, it is very difficult to remove access rights once they've been granted to a token. If you make the lifetime of a token a week, you will likely need to implement another means to handle, for example, the deletion of a user account, changing of a password (or other event requiring relogin), and a change in access permissions for the user.
From reading that whole thread, it seems that the clear purpose of a refresh token is to:
- Provide a way of having long-running user sessions while simultaneously
- allowing access to be revoked at short notice.
Where to store tokens? localStorage vs sessionStorage vs cookies
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
Stormpath recommends that you store your JWT in cookies for web applications, because of the additional security they provide, and the simplicity of protecting against CSRF with modern web frameworks. HTML5 Web Storage is vulnerable to XSS, has a larger attack surface area, and can impact all application users on a successful attack.
From https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage
- Also known as Offline Storage, Web Storage. Underlying storage mechanism may vary from one user agent to the next. In other words, any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage.
- Use the object sessionStorage instead of localStorage if persistent storage is not needed. sessionStorage object is available only to that window/tab until the window is closed.
- A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
- A single Cross Site Scripting can be used to load malicious data into these objects too, so don't consider objects in these to be trusted.
- Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
From: https://www.whitehatsec.com/blog/web-storage-security/
Never store sensitive data using Web Storage: Web Storage is not secure storage. It is not “more secure” than cookies because it isn’t transmitted over the wire. It is not encrypted. There is no Secure or HTTP only flag so this is not a place to keep session or other security tokens.
Thoughts
Cookies seem to be the better option but the main issue is CSRF attacks. Angular's HttpClient has built-in CSRF mitigations, see https://angular.io/guide/security#xsrf, so this could be the best way to go. It may also simplify the token transfer/refresh process.
Todo: watch this https://www.youtube.com/watch?v=sHKyMwIK9F0