
Our ReactJS application will be using JWT (JSON Web Token) for all the REST operations, but the login page is non-React based, so I am curious as to what an appropriate way is to make a JWT available to the application, one that takes into account security considerations?

The login page just has a form of type:

<form action="/auth/login" method="POST">
   User: <input type="text" name="username" />
   Password: <input type="password" name="password" />
   <input type="submit" name="submit" />
</form>

This page doesn't have any Javascript for sending the credentials.

On success the user is presented with the page containing the React based application. Some approaches that have been considered:

  • Use a short lived session and then provide a REST endpoint that returns the JWT during the life of that session.
  • Include a Javascript block in the returned HTML page, that specifies the token as a variable.
  • Put it in a cookie that can be read by the ReactJS application?
  • Something else?

Note, I did look at the question 'Do sessions really violate RESTfulness?', but that does not seem to cover the scenario where the token needs to be part of the header, such as in the 'Authorization' field. At the same time, maybe storing the token in an httpOnly cookie could be an approach, since the React application would not need to interact with it?

Edit: edited based on comments and to try avoiding 'opinion' based answers.

Andre M
  • You should probably avoid JS needing to access the cookie, indeed you should probably mark it httpOnly to mitigate XSS attacks. JS XHR requests will automatically inherit the relevant cookies. – Oliver Charlesworth Aug 13 '17 at 15:11
  • Reading this other question: https://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness suggests I could just store the JWT in a cookie and not have to deal with this issue at all. The only issue is if we must send this value as part of the 'Authorization' header? – Andre M Aug 13 '17 at 15:19
  • I suppose the question would then be why would you *need* to send it in the `Authorization` header? – Oliver Charlesworth Aug 13 '17 at 16:10
  • It had been the expectation of the REST service architect, so I am trying to see if there is a way to compromise? – Andre M Aug 13 '17 at 20:11
  • That's fine if you're making XHR requests from JS, as you can set the header. If you need to make authenticated requests from the browser itself, then it's impossible. – Oliver Charlesworth Aug 13 '17 at 20:13

0 Answers