Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Save jwt to local storage

Tags:

authentication

node.js

frontend

jwt

pugjs

I'm currently developing a node express postgresql application, and I'm trying to implement Jsonwebtokens as authentication. I've seen multiple tutorials on how to implement it and I get how to do it on the backend part, but the frontend is usually skipped and apparently everyone just tests their code with Postman.

I have also read online that the recommended way to implement jwt authentication is to store the generated token in localstorage, and, when needed, to send it on the header. But I wasn't able to find how this is done...

Thus, my questions are:

  1. How do you store the token on the front-end once it's generated by the backend? (an example would help a lot, because I don't really get how am I supposed to get the token on a front-end javascript program)
  2. How do you send the token on the headers when making an http request that needs it once you have it stored?
like image 452
Juan Francisco Carías Álvarez Avatar asked May 25 '18 19:05

Juan Francisco Carías Álvarez

People also ask

Can I store JWT in session storage?

A JWT needs to be stored in a safe place inside the user's browser. Any way,you shouldn't store a JWT in local storage (or session storage). If you store it in a LocalStorage/SessionStorage then it can be easily grabbed by an XSS attack.

How do I store JWT tokens?

Use cookies to store JWT tokens – always secure, always httpOnly, and with the proper same site flag. This configuration will secure your client's data, it will prevent XSS and CSRF attack and also should simplify web application, because you do not have to care about using tokens manually on frontend code anymore.

Do we need to store JWT in database?

You could store the JWT in the db but you lose some of the benefits of a JWT. The JWT gives you the advantage of not needing to check the token in a db every time since you can just use cryptography to verify that the token is legitimate.

Should token be stored in local storage?

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs, however if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage.

1 Answers

On the server side, once you have created the token and logged the user in, you send the token via res.send(), example below, note that you may have different approach to functions findByCredentials ad genereateAuthToken, they are custom:

app.post("/users/login", async (req, res) => {
  try {
    const user = await User.findByCredentials(
      req.body.email,
      req.body.password
    );
    const token = await user.generateAuthToken();

    res.send({ token: user.tasks });
  } catch (e) {
    res.status(400).send();
  }
});

On the frontend you can use html5's fetch() to send the token in the header. For example, if you would like to access '/users/me' that needs authentication you follow the steps below (make sure you however you save the token to localstorage first so you can access that via getItem:

localStorage.setItem('userInfo', JSON.stringify(userInfo));

document.getElementById("my-profile").addEventListener("click", getMe);

then:

function getMe(e) {
    e.preventDefault();
    var token = JSON.parse(localStorage.getItem('token'));
    console.log(`Authorization=Bearer ${token}`)
    fetch('/users/me', {
        method: 'GET',
        headers: {
            'Authorization': 'Bearer ' + token
        }
    })
        .then(res => res.json())
        .then(data => {
            console.log(data)
            // window.location.href = 'http://localhost:3000/dashboard';
        })
        .catch(err => { console.log(err) })
}
like image 116
ttfreeman Avatar answered Sep 20 '22 16:09

ttfreeman
Sign in to Comment

Related questions

node.js stream pipe asynchronous or synchronous
VoIP Integration in App & Web
Using logstash and elasticseach
Dynamic dropping of handlers in restify
Parse SDK JavaScript with Node.js ENOTFOUND
Run async code before entire mocha test
Inform browser clients when Lambda function is done using Amazon SQS
using aws-sdk to upload images to s3 using nodejs
Why do arrays of numbers, more data sort faster than arrays of objects, fewer data in Javascript?
TypeScript: Can I mix using "import * from" and "require(*)"
Running a simple HTTPS Node JS Server on Amazon EC2
Generated definition file (.d.ts) by typescript not working with package.json typings
Can I develop a new Laravel project displaying a 'Missing npm modules' warning in Netbeans?
require() node module from Electron renderer process served over HTTP
Understanding Laravel Mix
Simulating going online/offline with JSDOM
Permissions to created directories using Yarn
How to debug "Missing Authentication Token" in AWS API Gateway?
NPM fails to install types
Nuxt.js refresh url get 404 not found

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!