I am making a social media project and I am using JWT tokens for authentication. I am worried that my JWT token can be stolen from my user's browser and used for malicious purposes.
- If you are using a JWT token, then you shouldn't worry. All you need to do is set a minimum TTL like 1/2 minutes, set a 1 week TTL for a refresh token, and make sure to protect private resources on the server with some permissions. If you want the standard way of doing authentication/authorization, then have a look at this: https://oauth.net/2/ – Lakshmaji Aug 13 '20 at 17:35
- Add an expiration time for the JWT. For perhaps better security, check out Cognito by AWS, OAuth2 (passport.js). – Ankush Verma Aug 13 '20 at 17:37
- @Lakshmaji If I keep a small TTL like 1/2 minute as you suggest, then wouldn't it end my logged-in user's session too quickly? – Nikhil Aug 13 '20 at 17:50
- Yes, the TTL should be small; if you look at the OAuth implementations of Google / Facebook, they do have a small TTL. The idea behind this minimum TTL is that anyone who acquires the key only has it for a minimum TTL. The refresh TTL will rescue you from this situation. The client that you implement should handle the access_token / refresh_token TTL. The client should fetch a new access_token with the existing refresh_token if the currently active access_token has expired. – Lakshmaji Aug 13 '20 at 17:58
- As everyone said, short-lived JWT, semi-long-lived refresh token. It's a lot of extra work though. Storing JWT tokens in localStorage is much less secure, but your phrasing makes it sound kind of like a hobbyist project. If this is the case, IMO, you probably have bigger fish to fry than implementing refresh tokens. – Andrew Aug 13 '20 at 19:35