I am currently using Nuxt Auth for my login and session management. Everything is going smoothly. However, I have a problem with the way my setup is handling cookies. I am not sure where I went wrong. Whenever I set the auth._token.local cookie in the Application tab of dev tools, it sets the logged-in status to true. Here are my configurations:

nuxt.config.js

export default {
  auth: {
    // cookie: false,
    watchLoggedIn: false,
    redirect: {
      callback: false,
      login: '/',
      logout: '/',
      home: '/home'
    },
    strategies: {
      local: {
        token: {
          property: 'token',
          type: 'Bearer ',
          maxAge: 7200        // seconds; client-side expiry only
        },
        user: {
          property: false
        },
        endpoints: {
          login: {
            url: '/api/authenticate',
            method: 'post',   // comma was missing here, which is a syntax error
            propertyName: 'data.token'
          },
          logout: false,
          user: false
        },
        autoLogout: true
      }
    }
  },
  router: {
    middleware: ['auth']      // every page goes through the auth middleware
  }
}

Setting the highlighted cookie to true will let the user browse the protected pages.



1 Answer

Having the front-end state at true may tell your Vue app that you have the rights to access the protected pages, but your user will actually need to have a valid Bearer token (to fetch the actual sensitive data).
You can't really fake this one because it needs to match the one on the backend.

TL;DR: you're safe because the only thing that matters is the backend validation when you ask for sensitive data. The frontend is just a fancy shell that can be "hacked" with no real implications.

Of course, if you hard-code sensitive data in your .vue files (no need to fetch them), yep, it's an issue. But I suppose you're not doing that.

  • It is weird though, since I am also using this implementation in another project, but when doing the scenario there, the cookies are set to whatever the vuex store values are. While it does protect other data in my project, it still is not a good behavior to have in a frontend app. I have been scouring online for anyone else who experienced this, but I have had no luck. – chemical_elii Apr 06 '22 at 09:20
  • It is the only way, actually. A front-end app will always be "public" because you cannot hide the code you're shipping to the client. Everything is pretty much visible/editable. You will not find anything else regarding an alternative because there is no such thing. Still, it's totally fine if this works that way. If you want something totally secure, don't use any JS framework on the client (like React, Vue) and use just plain old Node.js templates (or PHP, Python, whatever) with only server-side generated code. Still, there's no real issue here where you would be forced to do so @chemical_elii – kissu Apr 06 '22 at 09:33