2

I used Nodejs Express and ejs and passprot jwt.

I saved jwt token in the cookie by httpOnly the attribute.

And before the page is rendered,router.get('/',isauth.verifyToken(), adminController.checkUser); ,check if the token is valid.

If the token is not valid, redirect it to the login page.

exports.verifyToken = ()=>{
    return passport.authenticate('cookie', { session: false, failureRedirect: '/users/login' });   
}

Now, I want to use not only the access token but also the refresh token.

where should I save the refresh token?.

In my opinion, saving both access token and refresh token in cookies is not the answer.

Is it right to store refresh token in local storage?.

If local storage is correct, where should the logic of refreshing token?

rhrhgut
  • 57
  • 1
  • 7

1 Answers1

1

If you have one backend that authenticates, issues tokens, and then consumes them, then there's no need to issue a separate refresh token. You can just rely on the access token. In fact, in such a setup, you're using an HTTP session, so you don't even need a JWT. If you have a separate authorization service that issues tokens, then it's best to store refresh tokens in your backend - in the service that will eventually call the authorization service to get new tokens.

In any way, don't store refresh tokens in the local storage. It's not safe to keep tokens there as they are vulnerable to XSS attacks.

Michal Trojanowski
  • 10,641
  • 2
  • 22
  • 41