Security considerations with JWT being passed to the client #33
Comments
|
Ok, I see the point now, some requests are proxied through sapper and some go straight to the API, (ie in the articles). I think either it should be one way or the other to be more clear? |
|
Closing as I decided as long as we are not storing the token in local storage then things should be ok. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Why do we pass the JWT token to the client given that it is saved in the express-session? Maybe we could pass the sessionid to the client instead, and then do a comparison on that, and if it matches then proceed to use the token thats stored in express?
Passing to the client: (user contains the token) https://github.com/sveltejs/realworld/blob/master/src/routes/auth/register.js#L8
When we actually consume the token from the /auth folder we retrieve it from the express session, not the client:
https://github.com/sveltejs/realworld/blob/master/src/routes/auth/save.js#L6
maybe I'm missing something
The text was updated successfully, but these errors were encountered: