After further discussion with some other parties, the solution discussed above would only protect any data you are storing in the cookie itself (in this case the JWT). Malicious users with access to XSS are still able to execute as the valid user's browser, meaning the only real prevention is to not have an XSS vulnerability from the get-go.
Once I am done with a few things on my end in a month or two I will cycle back and help in any way I am able though.
Related to #550
JWT in local storage is not secure. I recommend updating the authentication page here: https://www.howtographql.com/graphql-python/4-authentication/. Discussed in more depth here: graphql-python/graphene-django#593 (comment)
The relevant points: adding the library https://github.com/flavors/django-graphql-jwt and the code:
```python
from graphql_jwt.decorators import jwt_cookie
```
This creates a JWT token in a cookie named "JWT" allowing the browser to act as a go-between for secure authentication between js client/backend.
django-graphql-jwt then has decorators to provide security:
https://django-graphql-jwt.domake.io/en/stable/decorators.html
In this way, a JavaScript front end can securely access backend data without exposure to XSS (CORS/CSRF settings required).
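To make the cookie approach concrete, here is an added, self-contained sketch of what the `jwt_cookie` pattern arranges: the token is issued only as an `HttpOnly` cookie and later requests are authenticated from that cookie. This is constructed example code, not django-graphql-jwt's implementation or the poster's; the HS256 helper, the secret, the cookie attributes and the `Origin` check standing in for Django's CSRF protection are all assumptions of the demo.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"     # constructed; a real deployment uses a managed secret
COOKIE_NAME = "JWT"                     # the cookie name the decorator uses
ALLOWED_ORIGIN = "https://app.example"  # assumed front-end origin for the CSRF-style check

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(username, ttl=300, now=None):
    """Build a compact HS256 JWT with an expiry claim."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"username": username, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def login_response(username):
    """Headers sent after a successful login: the token travels only in the cookie,
    so page scripts (including injected ones) cannot read it or copy it to localStorage."""
    cookie = f"{COOKIE_NAME}={issue_jwt(username)}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return {"Set-Cookie": cookie}

def authenticate(headers):
    """Resolve the user from the Cookie header. The browser attaches the cookie to cross-site
    requests too, so an Origin check (standing in for Django's CSRF protection) is required."""
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return None
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    if COOKIE_NAME not in jar:
        return None
    claims = verify_jwt(jar[COOKIE_NAME].value)
    return claims["username"] if claims else None
```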