Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best practice for storing auth tokens in VueJS?

My backend is a REST API served up by Django-Rest-Framework. I am using VueJS for the front end and trying to figure out what is the best practice for doing authentication/login. This is probably terrible code, but it works (in a component called Login.vue):

    methods: {
        login () {
            axios.post('/api-token-auth/login/', {
                username: this.username,
                password: this.pwd1
            }).then(response => {
                localStorage.setItem('token', response.data.token)
            }).catch(error => {
                console.log("Error login")
                console.log(error)
            })
            this.dialog = false
        }
    }

Does it make sense to use localStorage this way? Also, I'm wondering when the user wants to sign out, and I call /api-token-auth/logout, do I still need to remove the token from localStorage? It's not actually clear to me what goes on with the tokens either on Django's end or the browser/Vue.

like image 766
Evan Zamir Avatar asked Jul 29 '17 00:07

Evan Zamir


People also ask

Where should authentication tokens be stored?

If any of the third-party scripts you include in your page is compromised, it can access all your users' tokens. To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server.

How do I store access token securely?

Most guidelines, while advising against storing access tokens in the session or local storage, recommend the use of session cookies. However, we can use session cookies only with the domain that sets the cookie. Another popular suggestion is to store access tokens in the browser's memory.

How do I manage my tokens?

Select the User Settings icon > Manage Token. Access to FME Server is controlled through security tokens. Use the Token Management page to work with security tokens in the following ways: API Tokens: For development purposes, you can create and manage tokens that allow unauthenticated access to FME Server.


2 Answers

Application-wide data, such as authentication and user information, should go into centralized state. You can use Vuex or a simple shared state. Vuex is awesome but it does add complication so you have to count the cost. If you use Vuex, you can use Vuex persisted state to keep it in localStorage. This should be much faster to access than localStorage. In my experience, localStorage is not reliable and can cause problems. State is the way to go.

For example, modifying your current code to send it to Vuex:

    methods: {
    login () {
        axios.post('/api-token-auth/login/', {
            username: this.username,
            password: this.pwd1
        }).then(response => {
            that.$store.commit('LOGIN_SUCCESS', response)
        }).catch(error => {
            console.log("Error login")
            console.log(error)
        })
        this.dialog = false
    }
}

Then over in Vuex (like /store/modules/user.js if using modules):

Vue.use(Vuex)
const state = { token: null}
const mutations = {

LOGIN_SUCCESS(state, response) {
    state.token = response.token
}
export default {
    state,
    mutations
}

And call the token either by a Getter or directly:

this.$store.state.user.token

This assumes store is used by Vue. For example, in main.js you would have:

import store from './store/index.js'

new Vue({
  el: '#app',
  store
})
like image 86
For the Name Avatar answered Sep 28 '22 21:09

For the Name


I have a web app that store token/refresh token inside Vuex and load data from localStorage only when the store is init. It work well until our users report that they keep got 403 error. Found out they was using 2 (or more) browser tabs open. After the refresh token is fetch our new token is saved to state and local storage, but the other tab is not notice of data change, so they use the old token/refresh token to fetch, and fails :'(

It took me several hours of re-produce and debugging, now I will never put token inside Vuex again

like image 36
Nguyễn Hồng Phát Avatar answered Sep 28 '22 20:09

Nguyễn Hồng Phát