Vlad Suciu
May 17, 2017, 8:38:33 AM
I'm currently implementing auth using JWT and I'm having some concerns about security. The application is written in React + Golang (backend API).
Given the password grant flow, this is how the application works:
The user logs in with his credentials and is returned a short-lived JWT (without any sensitive information) and a refresh token (long-lived). The refresh token is saved in the DB (so that it can be revoked if necessary).
Given the fact that I store the tokens in local storage, the app is served via SSL, and the submitted form data on the client is sanitized on the backend for protection against XSS, are there any other major security risks?
Alternatively, I was also thinking of storing the access token in local storage and the refresh token in an HttpOnly cookie (protected against CSRF). That way, if an attacker manages to get his hands on the access token, he will have a short window to perform his actions.
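As an added example (not code from the original post or its author), here is how the backend side of the flow described in the post can look in Go: a short-lived HS256 access JWT carrying nothing sensitive, and a long-lived opaque refresh token whose SHA-256 is what the DB row holds, so the row can be revoked and a leaked table gives nothing usable. It goes one step beyond the post by rotating the refresh token on every redeem. The signing key, the in-memory map standing in for the DB, and the user id "vlad" are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

var key = []byte("constructed-demo-secret-not-for-production") // constructed; load from config in production
var b64 = base64.RawURLEncoding.EncodeToString

// IssueAccess mints the short-lived access JWT (HS256) with only a subject and expiry: no sensitive claims.
func IssueAccess(sub string, now time.Time, ttl time.Duration) string {
	claims, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": now.Add(ttl).Unix()})
	unsigned := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(claims)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(unsigned))
	return unsigned + "." + b64(mac.Sum(nil))
}

// refreshRow is one row of the refresh-token table; the token itself is never stored, only its hash.
type refreshRow struct{ sub string; exp time.Time }
// RefreshStore stands in for that table, keyed by SHA-256 of the token (demo map, not goroutine-safe).
type RefreshStore map[[32]byte]refreshRow

// Issue creates an opaque random long-lived refresh token and records only its SHA-256.
func (s RefreshStore) Issue(sub string, now time.Time, ttl time.Duration) string {
	raw := make([]byte, 32)
	rand.Read(raw)
	tok := b64(raw)
	s[sha256.Sum256([]byte(tok))] = refreshRow{sub, now.Add(ttl)}
	return tok
}

// Redeem validates a refresh token, revokes it and returns the subject plus a rotated replacement.
func (s RefreshStore) Redeem(tok string, now time.Time) (sub, next string, err error) {
	r, ok := s[sha256.Sum256([]byte(tok))]
	if !ok || !now.Before(r.exp) {
		return "", "", errors.New("refresh token unknown, revoked or expired")
	}
	s.Revoke(tok)
	return r.sub, s.Issue(r.sub, now, r.exp.Sub(now)), nil
}

// Revoke deletes the row (logout, suspected theft); the access JWT still runs out on its own.
func (s RefreshStore) Revoke(tok string) { delete(s, sha256.Sum256([]byte(tok))) }
```

Rotation means a refresh token presented twice is a signal worth alerting on: either the user or whoever copied the token is replaying it.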