
Basically I am building a serverless next.js app with mongodb.

Idea 1: React prevents most XSS already, so should I just store user login info in web storage? This way I do not need to worry about CSRF.

Idea 2: If I use httpOnly cookie-based auth, since httpOnly and sameorigin already prevent XSS (and some CSRF), can I proceed with my design without worries? Do you think it is enough for a beginner eCommerce site?

Idea 3: Add a CSRF token to the cookie-based auth

  1. The user logs in; in /api/login, I check the username/password, then generate a cookie with a CSRF token in it and also res.end(CSRF). After receiving this, we store the CSRF token in useContext to make it available to all components.
  2. So whenever I fetch with POST, I attach this global CSRF token to the req.body. Lastly, in /api/ we compare this CSRF token in the req.body with the CSRF token in the cookie.

Are there any better ideas for a serverless app? Or am I missing something? What do you recommend?

Idea 4: use a framework with built-in CSRF support, like express.js ....

UPDATED: next-auth is supported, but I want to learn about auth, so I really want to build it on my own.

sleeping ZZ
  • Hi there, happy to confirm issues with Serverless support in NextAuth.js v1 were resolved with the release of NextAuth.js v2 which was formally released (out of beta) this week. NextAuth.js is a good choice if all you need it for is authentication though. If you need it for other routes, the bad news is CSRF is awkward to implement. The Double Submit Cookie method works well for Serverless apps - when used with signed cookies and the right cookie policy and cookie prefixes for additional security. – Iain Collins Jun 27 '20 at 00:00
