I am currently working on a website using React where I want to be able to have user login. Right now my strategy is to send form data to the server (express) on submit, and if the info matches a user in my DB, the server sends back a signed JWT with no sensitive information (just the username).

Once the client receives the JWT, I am adding it to localStorage as well as adding the decoded data of it to my redux store. I plan to have my redux store holding the currently logged in user.

I believe there may be a security issue in my site because currently I have it so that when the user first arrives at the site, if there is a JWT, it is added to my axios headers and the decoded JWT is set to be the current user. The code looks like this:

import jwt from 'jsonwebtoken'                        // assumed: provides jwt.decode, which reads the payload without checking the signature
import store from './store'                           // assumed module paths for the redux store, the axios helper and the action creator
import setAuthorizationToken from './utils/setAuthorizationToken'
import { setCurrentUser } from './actions/authActions'

if (localStorage.jwtToken) {                          // If a token is present, most likely a user is signed in
  setAuthorizationToken(localStorage.jwtToken)        // Send that token in the Authorization header of all API calls
  store.dispatch(setCurrentUser(jwt.decode(localStorage.jwtToken))) // Set the (unverified) decoded payload as the user in the redux store
}

Currently I've found that if someone just goes into my localStorage, copies my JWT and adds it to their localStorage then bam, they are me. I'm unsure if this is really a security flaw because the only way I've recreated this myself is by physically copying the token from one browser to another. But in general this seems very unsafe that just taking my token steals my identity.

If anyone knows a way to make this more secure or if there is a better strategy, or at least tell me what I'm doing wrong that would be highly appreciated.

  • https://stackoverflow.com/questions/34259248/what-if-jwt-is-stolen the answer may shed some light. – Chaim Friedman Aug 09 '17 at 15:55
  • @promisified I actually did find that post earlier, but the way I'm reading it makes me think that there really isn't much I can do to stop someone from physically taking the key from my localStorage, I mean physically being on my machine, and my best defense is to have an expiring token. The SSL explanation was helpful though, thanks. – BrandonKarl Aug 09 '17 at 16:07
  • If you use https, the only way to get your token is having access to your computer, but if this happens I believe you would have more serious problems. As you said, you should expire your token and create a refresh-token to generate a new token – aquilesb Jan 09 '19 at 01:08

1 Answer

How can another person get your token? Give the token an expiry time. Maybe try a different way of securing the token, especially by adding more security on the API side. When logging in, store the login activity in the database and create a unique field to identify it, such as IP address or user-agent, or maybe detect whether that user has hit the login endpoint before or not.

Mudzia Hutama