Source code?

Hi @cosdensolutions Thanks for the detailed explanation. One edge case though, if the user refresh the react app, then the access token string should be null as it lives in-memory only, so how do you track which user sends the request as the token payload had the user information and it is null/undefined now? Thanks!

​@@jubairhossain6991 That is the case where Refresh Token comes in. The server will get Refresh Token from Cookie as it was set on http-only cookie, verify Refresh Token and we'll get User payload, use it to generate new Access Token and return it to Frontend.

@@jubairhossain6991 you will need to setup redux toolkit or zustand

I love that approach too. It makes it easier to play around with the code without fear or confusion.

Correct. That was confusing and then I read about http-only cookie.

Ya, he should have put it beside the client in the graph... not the server.. even though both know it.

yep, he should have mentioned that

Token generate server site jwt through and then send to the client

What about refresh tokens rotation?

@@matis9783 what is the question?

confused as well

Agreed, the refresh token gets sent to the client to be stored as a HTTP-only cookie by the browser and sent on each request (or at least on each request to the path specified by the cookie)

We're preventing XSS and CSRF. Attackers can easily access localStorage. Unlike http-cookie we prevent javascript to access refresh token

Exactly my question. If not storing something to identify the user by, how does the server know it's the same user to use the refresh token for?

Ah, http-only cookies are actually stored locally with a set Cookie. The only thing is that they are not accessible through scripts but on subsequent http requests

I handle it this way. You see, if you're using jwt, you encode user data (e.g: email, roles) to it by passing it as a jwt payload when generating a new token. Same thing with refresh token. The only thing is you store refresh token in database in your user entity before setting it in request cookies. Then when handling the refresh route, you extract refresh token from the cookies and first find a user in the database who has the same refresh token, then you decode it, which will allow you to extract encrypted data(as I said before: email, roles). If the user from the database (one you found via refresh token) shares the same email and roles then it is the same person sending a request for a new access token so you generate new one for him and send it, otherwise you throw an error with 403 status code

I think this is what’s missing in the video. I'm not a backend developer, and I noticed there was no code to save the HTTP-only cookie, so I was left wondering, "What magic is happening here?" I did some further research and I think I understand it now. However, a detailed backend explanation would be very useful so we know exactly what's going on. In the process described, two tokens are created: a refresh token and an access token. The refresh token is sent in an HTTP-only cookie as a header, while the access token is included in the response of the request. The browser automatically saves the cookie when the backend sends it as an HTTP-only cookie, provided that CORS (Cross-Origin Resource Sharing) is properly configured on both the frontend and backend (with credentials allowed). This ensures the cookie is saved and shared with every request. Therefore, if we don't have an access token when a refresh is needed, the refresh token, which exists as a cookie in the browser, will be sent to obtain a new access token. Maybe it was just me who didn’t fully grasp the concept initially and it was obvious from the start, but asking the question and getting answers helped point me in the right direction. Initially I though the HTTP-only cookie existed only in the server which lead me to misunderstandings.

@@HeinerAngarita Hi, if you need a detailed backend code for handling user authentication and authorization, I can provide you with a link to my github repo. I used express js with typescript, prisma, and postgres for the db. And, if you need one for non-relational db such as MongoDb, I have a second repo for that as well. They're nealy identical in terms of handling the business logic, only difference is the way I query the database

yes when user close window will need to login again

@@mohamedmaher2981 no, on every initial render we send a request to api/me, which checks the refresh token and sends an access token if there is a valid refresh token.

No, refresh token will renew access token so you dont need to relogin, just call renew somewhere in root like base layout

@@tuanvumaihuynh brother tuanvumaihuynh, damn your name is hard... anyhow, can you please elaborate more on how to do that? is there a name for such implementation?

​@@ysmr1843 interceptor

[11:12]

If you find it ,let me know

have you found it?

you should, cause all the logic main point is on the client side

I did that in my application

I handle it this way. You see, if you're using jwt, you encode user data (e.g: email, roles) to it by passing it as a jwt payload when generating a new token. Same thing with refresh token. The only thing is you store refresh token in database in your user entity before setting it in request cookies. Then when handling the refresh route, you extract refresh token from the cookies and first find a user in the database who has the same refresh token, then you decode it, which will allow you to extract encrypted data(as I said before: email, roles). If the user from the database (one you found via refresh token) shares the same email and roles then it is the same person sending a request for a new access token so you generate new one for him and send it, otherwise you throw an error with 403 status code

We don't create access token using refresh token, we generate new access token if refresh token is still not expired that's why refresh token is there.

agree

​@@owofrostyy8840then why shouldn't we just use single access token with longer duration? You can store it as safe as refresh token anyway

after your user is logged in, the user is given an access token. The token is either stored in a secure cookie or localstorage. each future request for more content would pass that access token back to backend. cookies are easy because they are automatically sent with the request, but if its in local storage the app would have to pass it in the requests manually

ok so i just saw this is not the pattern this video is using. Sorry about that. When validating the refresh token, the refresh token is binded to an access token in some way. Either the refresh token is saved alongside the access token onto the users table in DB, or I imagine the refresh token could possibly carry the user id in the JWT. Not sure if he specified that in this video.

user 1 and user 2 have different refreshtokens and this refreshtoken is stored in an http-only cookie, which is accessible to the backend via the request's cookies.

+

Yes in that example it’s redundant. I guess you would only need it when you pass any user information on the client in that token. For example current UserId

you need to know if the user is logged in without having to fetch it constantly. For like displaying a manage account button, sign out, etc. or even for sending it with the request on button click

@@cosdensolutions ok, this sounds valid, but still I need to fetch every 15 minutes to check token, it will equally work with refresh token

​@@PiotrMarkiewicz i believe this method is called an asynchronous token. the key point is to make accesstoken maxage as little as possible and refreshtoken maxage long enough for the user to login to our app. the only reason i guess is security purpose.

I have the same question! Everywhere I look I see the same explanation but not a direct answer! If it’s in memory it should mean that refreshing the page will lead to losing the access token lol how are we supposed to keep the user logged in??? 😢

@@MarlonEnglemam Honestly, I was noticing the same thing. Of course memory will be 'safer' but I don't believe he designed this video with user-experience in mind. From my experience, saving a token to an HTTP-only cookie is safe as well. If you are worried about a token being 'leaked' then I would consider using another method of authentication/authorization simply because in order to save the token to memory, the token would have to be readable and therefore sent from the server which makes it just as prone to being leaked as if you save it in an HTTP-only cookie.

why will we refresh the page ? simply when token is expired that will be notify to react app from server than instantly we hit refresh token api sending our expired token as payload , then in refresh token api : we will check that token received from payload is expired (firstly) than we will also check the data in it (email, id) in database or match with refresh token (it will be same ) if it matches then we will simply generate the new token for the user whom we got the payload (email, id etc..) and then send to react app , in react app it will again set state.

@@baasirashraf8291 When you even switch tabs away from a React app and then come back later, it will still refresh itself so the 'refreshes' will happen a lot more often than one would think. What you are explaining is the typical auth workflow where the token is stored in a persisted way (cookies, localstorage etc.). What the author is explaining is to store the token in memory (which is not persisted through any form of refresh whatsoever - think of useState and trying to toggle it to a different state and then refresh to see it go back to its default state). When a token is stored in memory, it is deleted as soon as the app refreshes and with the token being deleted you have no way of 'sending' any credentials whatsoever to even 'refresh' your session. Yes this is more secure as it is harder to locate the token but it is also a bad user experience. Its not a knock on the author but it really should be clarified that sessions in this design will not persist. Memory is very secure but there is a reason a LOT of apps opt for HTTP-only cookies over memory.

Hi, Im no expert but I think it depends. With this approach you are avoiding sending the refresh token in every request, and I think this is important because refresh token being intercepted would be VERY bad for the user. The drawback of this is that every time that you need to refresh the token (you can say around 10 min) the user has to sent 3 requests (1 for trying to do whatever he wants, 1 for refreshing the token when the first request fails and the last one for trying to do again the actual work , this time successfully). I think its a choice between security or reducing that 3 request). In my opinion, those request are not really going to fuck too much your performance and Ive seen that the usual thing to do is as in the video. Hope it helps!

I was about to comment the same concern. When user refreshes the Application, the token state becomes undefined. In that case how will the server know if its a valid user without the token or credentials ?

@@SaifullahZubair I found the answer. Refresh token should be stored as "http only". This is the common approach afaik and you can access the token on the server securely without losing it on refresh.

@@SaifullahZubair I found the solution. The refresh token should be stored as 'http only'. With this common way, the server can access the token securely.

when user logs in, server sets refresh token as http only cookie to response header. so browser stores it in cookies but any js code can not read it. refresh token will be included to every request by browser but you should provide access token by yourself. server checks access token first. if server can not verify access token, then checks refresh token in request’s cookies header. access token is needed for ui to identify the user is authenticated. because ui can not access refresh token. i think it is clear now.

@shubhamchandel-gs4so Same question

refresh token not only reside on the server but sent to the client. The refresh token always send along every request to the server.

You will get a new access token using the refresh endpoint. The refresh token is stored as a cookie (with expiration 30 days for example), and your backend can use it to generate a new access token, which will be returned. You can then use it for subsequent requests.

Exactly!

yes, google cross-site scripting

There are a few considerations here. If you only sent a really long lived access token: - You cannot put the token in the Auth header, because you are not able to access httpOnly cookies from the React app. - If someone stoles your token he is going to be able to access to your account for (whatever lifetime the token has). About the second point, you can think, well, but the refresh token could also be stolen. Thats right, but you are only sending the token in the cookies of /refreshToken request, so less chances. And you can keep a table of "active refresh tokens" for checking if the refresh token has already been used to avoid risks. At the end of the day, you can secure as much as you want the auth system, but I think for most applications this approach (accestoken /refreshToken/ active refreshTokens table) has a good security-performance ratio. At least is what I use in my apps

suppose you have 3 steps , in this case i will create a parent component that contains 3 childrens components (the 3 steps) i will declare each step's state in the parent component and pass the setter to the child and for rendering the steps just use conditional rendering (using a counter or something ) i hope this help you

any solution to this?

If you found an answer please let me know

hi did you find any thing yet ?

I was on project I had to handle authentication.. you can use the react way or just use the next middleware ..next have params functionality and use global state to pass the authentication details tell middleware what route you want to authenticate.. make functions with your logic what sorta role you want to authorise.. then it will be way simpler than react .

that's why you don't keep yourself logged in on public computers! Usually there's a checkbox that says "remember me" or "trust this computer" that enables the refresh token or not. If it's set to false, every 15min you need to re-type credentials

@@cosdensolutions of course, users always do this kind of things and its our fault haha, but yes, and we can make more layers of security if our app has some personal/wealth content. Thank you

No, and if you want to presist login even when dom tree wont exists (closing browser etc) you must use cookies or local storage. I suggest using cookies.

Why not local storage? - if someone can login to your local machine to extract the JWT then you have bigger problems. Because the JWT is encoded, if its manipulated then the server will reject it.

@@markbarton There's a security concern where, if you use any external scripts, someone could compromise one of those and load malicious code onto your website that first just sends all local storage to an external source before loading the actual script. I think this could also be done with something like a browser extension, but I'm not sure about that. Since I don't think JWTs can be revoked, that's a big problem.

@@ptolemyhenson6838 Ok thats good to know - not using external scripts is good practice anyway but its good to understand the attack vectors and would make sense why you would use http cookies - thanks

@@ptolemyhenson6838 the reason why refresh token is supposed to be stored in database is for revocation use. JWT token is supposed to be stateless, stateless means you don't have to store userinfo or something in the backend to verify it later with those stored infos. When you store jwt tokens in the backend it is not stateless anymore.

No, it is just gonna load and get the access token and start using it normally, user won't notice anything

@@hazemkhaled9416 As much its "secure" don't we have any other more convenient way?

@@hazemkhaled9416 what I thought.

Yes

@@Priva_C so it isn't feasible to store and retrieve token in memory as refreshing the page will reset the state/variable

that's what comes to my mind too, on page refresh the states or variable will be gone

Unless you keep sending refresh token request to backend before state is destroyed

@@deekandau4596 what dom EVENT to use to do that?

you need it in the frontend to know if the user is logged in or not! and it expiring every 15 mins is safe enough

redux is fine!

Because in the access token we will have user information like email, name, profile image, role, etc. So we will decode the access token in the client and use the user info.

when successfully log in you initially get access and refresh tokens,access is short lived and refresh one have longer expiration date, and then based on that refresh token new access token is issued after one you have is expired.

same question here

yes, i am confused as well

Just got some clarification after reading about http-only cookie and answer to my question - "An HTTP-only cookie is a type of cookie that is inaccessible to JavaScript running in the browser" so need to correct some part in the video I think. Refresh token also goes to client side. 🤔

Hey, for this case i think you would have to bypass the authorization for those particular API's , typically they will be get only api to give you the info to render it on the UI, and all other backend routes will be going through the authorization so they will be protected.

@@naveenjain417 thank you for the reply! we came to the same conclusion with my backend colleague!

Indeed, if user refreshes page they will be unauthorized

you need to know if the user is signed in or not in the UI. can't do that with the http-only cookie

+

You don't. The backend stores the refresh token in a http-only cookie for 30 days. That lives on the browser but is inaccessible by JS

Don't ask. He's trying to charge for that source code snippet now