[ENHANCEMENT] Use JSON Web Token (JWT) for verification #19

SethCram opened this issue Jan 29, 2023 · 3 comments
enhancement New feature or request

Comments

SethCram (Owner) commented Jan 29, 2023

Is your feature request related to a problem? Please describe.

  • Yes, user access should be more secure

Describe the solution you'd like

  • Use JSON Web Token (JWT) for verification instead of userid

Describe alternatives you've considered

  • Keeping the API as-is

Additional context

Development

  • watch and take notes on JWT

    • https://www.youtube.com/watch?v=Yh5Lil03tpI
      • need client side storage for Context API
      • can auth user connection to API via Session Cookie
        • session stored on server
          • problematic if several servers used for an app
      • can auth user performance of particular actions via JWT
        • JWT consists of headers, user payload info, and verification signature
      • JWT stored by user
      • JWT can be reused for diff servers
      • impl'd rest on my own personal project below
        • way he implemented token refresh didn't work for me
        • since every rerender triggered the addition of another request middleware method
  • impl JWT for deletion + updating

    • Currently, can change user username since stored on client side in local storage
      • would allow another user to delete anyone's post/comment since auth's thru username compare
    • Created new JWT every time user logs in and returns it to them
      • includes important user info in JWT like user id and whether they're the admin
    • JWT sent as an Authorization header
    • For some reason, included "Bearer " before jwt value
    • since access and refresh token not stored in db besides refreshtoken in user's arr
      • have to combine updated user ret'd from db with local user to keep local tokens
    • Attached "verify" middleware to post, comment, and vote updating and deletion
      • no vote deletion currently
      • comment deletion can't be reached from frontend yet
      • should verify these
    • added token refresh API method
      • send a refresh token and if it's verified as yours
      • it's removed from your db array and a new one's added
      • returns new refresh token and new access token
    • added username to jwt for easier auth w/ can't use just id
      • decreases # of db retrieval calls this way
    • was trying to use AXIOS middleware to add headers during applicable api calls
      • tried to refresh the access token w/ it'd expired too
      • but api call made to refresh token called axios middleware again + inf looped
      • so, stopped invoking headers on axios post calls
    • axios middleware kept being double invoked every API call
      • changed config auth header to only be set w/ access token updated but that didn't help
      • only thing that solved it was changing to no longer use StrictMode
      • but now also being double-invoked if page not refreshed after first submission attempt
    • user via context api isn't getting their accessToken properly updated
      • possibly bc of placement in root component?
    • scrapped axios middleware and just imported retrieval of axios headers everytime they're needed
      • only had to update local tokens w/ updating user
      • would retrieve a new refresh + access token if needed
  • fix wrong accessToken being sent as auth header occasionally

    • possibly bc of how auth header configed globally
    • page refresh usually solves problem
    • stopped using axios middleware which solved this
  • shorten token expire to 5-15s before push to prod

    • added an env var to indicate whether in DEV or PROD
      • in DEV, tokens take 15 mins to expire
      • in PROD, tokens take 5s to expire
    • verified dev issued jwt using https://jwt.io/
    • Will need to change ENV var
  • check users jwt to enable post, comment, and vote posting

    • didn't do so for category & badge posting bc models don't have any user data storage
      • they don't necessarily require auth
    • ensured new tokens were propagated to updated user
      • untested but similar to previous changes
@SethCram SethCram added the enhancement New feature or request label Jan 29, 2023
@SethCram SethCram self-assigned this Jan 29, 2023
SethCram (Owner, Author) commented:

Stopping usage of StrictMode was recommended as the answer but didn't work, so I told them of my solution: axios/axios#2825 (comment)

SethCram (Owner, Author) commented:

Same interceptor problem mentioned here, axios/axios#2315 (comment), but no good solutions
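The failure mode behind the two linked axios threads (the refresh request itself going through the same interceptor and looping), shown as an added example written for this page rather than the project's code. It uses a constructed synchronous mock server and made-up token strings and URLs; `makeClient`, `REFRESH_URL` and the `_retry` flag are assumptions. The same two guards apply to a real axios response interceptor: skip the refresh URL, and retry at most once.

```javascript
// Added example (not the project's code): an interceptor-style wrapper that
// refreshes an expired access token at most once per request and never
// intercepts the refresh call itself, so a failed refresh cannot loop forever.
const REFRESH_URL = '/api/auth/refresh';   // assumed route name
let refreshCalls = 0;

// Constructed mock server: only the access token "access-ok" is accepted; the
// refresh endpoint exchanges the refresh token "refresh-ok" for a new access token.
function mockServer(url, headers) {
  if (url === REFRESH_URL) {
    refreshCalls += 1;
    return headers['x-refresh'] === 'refresh-ok'
      ? { status: 200, data: { accessToken: 'access-ok' } }
      : { status: 401, data: {} };
  }
  return headers.Authorization === 'Bearer access-ok'
    ? { status: 200, data: { ok: true } }
    : { status: 401, data: {} };
}

function makeClient(tokens, send = mockServer) {
  // Request-interceptor equivalent: attach the current access token, except on
  // the refresh call, which carries the refresh token instead.
  function rawRequest(url, opts = {}) {
    const headers = { ...(opts.headers || {}) };
    if (url !== REFRESH_URL) headers.Authorization = `Bearer ${tokens.accessToken}`;
    return send(url, headers);
  }

  // Response-interceptor equivalent: on 401, refresh once (guarded by _retry)
  // and replay the original request with the new token. If the refresh itself
  // fails, surface the original 401 instead of trying again.
  function request(url, opts = {}) {
    const res = rawRequest(url, opts);
    if (res.status !== 401 || opts._retry || url === REFRESH_URL) return res;
    const r = rawRequest(REFRESH_URL, { headers: { 'x-refresh': tokens.refreshToken } });
    if (r.status !== 200) return res;
    tokens.accessToken = r.data.accessToken;   // keep the local token pair updated
    return request(url, { ...opts, _retry: true });
  }
  return { request };
}

function getRefreshCalls() { return refreshCalls; }
```

With a bad refresh token the client makes exactly one refresh attempt and returns the 401; without the `url === REFRESH_URL` guard the 401 from the refresh call would trigger another refresh, which is the infinite loop the notes describe.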

SethCram (Owner, Author) commented:

From now on, you're gonna have to log in as a user to get an access JWT if you want to update or delete a resource
