
Temporary tokens are missing #40

Open
atten opened this issue Aug 14, 2018 · 3 comments

Comments

@atten

atten commented Aug 14, 2018

It seems that tokens are persistent in the current implementation. That means there is no logout feature. Session invalidation after resetting the password is also missing. Do you plan to implement these features?

@nolandg

nolandg commented Sep 8, 2018

I have a fork going that uses secure httpOnly cookies to exchange the token. It solves security, SSR, and logout problems.

I think this is the best way to do it for SSR. Using localStorage to store the token and then send in headers can never be done on the first request so logged in users have the wrong page rendered on the server. Other than cookies, the only other way around this is using service workers.

Using cookies also helps mitigate XSS attacks since they are httpOnly. I implement CSRF protection by using the x-requested-with header and a proper CORS setup on the backend.

The logout problem is solved with the dual cookie method. One is secure and one is not, and each carries a unique token signed with a different key. The presence of both is required to authenticate. The browser can clear the insecure cookie, thus logging out without hitting the server and risking failure due to connection loss etc. An attacker cannot log in through XSS because they lack the 2nd signed token. Reloading the page on a public computer, for instance, will still have the secure cookie but will fail authentication because it lacks the insecure one.

@P4trik

P4trik commented Jan 24, 2019

@nolandg
Could you share these parts of the implementation with dual cookies?
I'm very interested in this technique.
I've seen some examples with http-only cookies and localStorage in combination.

@nolandg

nolandg commented Jan 25, 2019

I'm working on this project again this weekend, will try to post some stuff then.


3 participants