This scares me

wtf, why would they do that. Must be one of the permissions that it asks for that I never look at.

there are counter measures for this though, stuff like JWE instead of regular JWS tokens. Paired with a double submit cookie pattern to prevent CRSF.

I didn’t build it!!! All the T3-OSS team

@@t3dotgg ahhh I might misunderstood it then, thanks for clarifying. Although I wouldn't have known it without you so cheers for you and the whole T3-OSS Team 😄

could you link the repo pls

Same, man.

This is a very good point. But if you store the token in memory, you won't be able to "remember the user" if they close and repoen the client?

You're not wrong about the vulnerability, and I almost gave you credit on this because it was something I hadn't put much thought into. But honestly this falls apart with just a little inspection. Consider: most sites want to 1. share a session between tabs, and 2. keep users logged in on return visits. The first one you might be able to work around with some hacky postMessage, but the second one requires that you persist from memory to a (non httpOnly) cookie or browser storage.

Cross site scripting is easy to mitigate. You can block request from a browser that doesn't come from your front end source. Plus there several other ways to mitigate XXS... like another is adding CSRF-tokens to forms that submit request. So without those new token when your form renders, your request would be rejected.

Yes I agree about the “remember the user” issue of storing tokens in memory. Mostly I think where you store your tokens depends on the trade offs you are willing to make vs the functionality required for your use case. Also, good point in the CSRF and XSS mitigation. CSRF doesn’t protect you if the stored XSS target is the page with the CSRF token. Encoding untrusted data will help here. On larger dev teams I’ve always run into places where a dev hasn’t done anything to protect themselves. So having fuzzing tests and auto pen-tests are helpful.

The video was videoing

ratio

Look into containers and kubernetes

going kubernetes is too much@@ManoToor

try using middleware in nextjs

Depends on where you're planning to work and what you're planning on working with. There are different fields even within frontend, just as there is with backend. Generally I'd recommend having a decent grasp on PHP and JavaScript when it comes to languages. Knowing the basics of SQL is also good, no need to dig too deep into that though. CSS is a given if you're working with design, and you'll need a really good understanding of that if it's the thing you want to work with. I'd also recommend learning some basic design patterns for OOP, as that is still very common. It's also just good knowledge to carry around when it comes to thinking about how to structure code. Even if you don't use the exact pattern, it'll often give you some ideas on how to do things. Learn the basics of MVC; you probably won't need to understand a lot about it, but it's an easy concept to comprehend. These are basically the things I'd recommend knowing, no need to be an expert though. Nothing too heavy, honestly. You should look at some job listings to see what they want you to know as well. Other than this, it's all just accumulating experience. Get used to writing code, try using loads of patterns. Even if you're using functional programming, there are patterns you can use there, even OOP patterns (which are often very simplified, or at least less code) which just makes you a bit more comfortable with different ways of writing code. Another recommendation is to just stay off KZbin and write code instead. While it's tempting to look at a tutorial and just follow along, think of something simple to do first, try to do it, then you can see if someone has a better solution. Because it's all problem solving at the end of the day, and that's a skill you need to train.

I think some front end validation is good so that you don’t send an obvious bad request to the server. The server should perform validation because the client can not be trusted and there may be clients in the future you have no control over.

@@andrewTaylorCodes I have no problem with front end validation, I have problem with only validating data on front-end. I totally agree with you.

I don't understand the question. create-t3-app only supports TS, in general coding in JS is asking for trouble. If you come from Kotlin, Typescript should be a piece of cake :)

Look at job listings for roles you want, list down their requirements. Do not spend time investing in bleeding edge unproven tech such as trpc. There’s an infinite amount to learn when it comes to new and shiny shit, but the basics are always the bed rock. Get good with html/css and js/react, learn how to interact with an api and fetch data etc. apply like shit for jobs and learn on the job, don’t wait until you’re “ready”.

Fully agree with Mike. Try to ignore my channel til you get that first job 🙏

@@t3dotgg Haha, cool. Thanks, yeah I don't know. A lot of it goes by me, as I'm not quite there yet, but just trying to get what I need to start getting hired somewhere. Thanks for the advice.

@@harvenius Sure, I just wasn't sure if it was still worth learning express / node and mongo if I would later be using Prisma or Firebase or whatever. And even still what the point of learning them is with wanting to focus on Front End, but I've had difficulty doing projects because I've found that stuff needs a backend and so it's caused some frustration with feeling I need to learn backend to make projects even when I only want to be a frontend dev. blargh

@@walkingin6375 For learning purposes you can easily use existing APIs. Having said that following a simple express tutorial will probably set you up with most of what you need backend wise for personal projects while still getting to practice TS.

We use it in production since middleware went stable. Since the middleware gets executed inside the reverse proxy at the Edge there is no way it isnt secure. But you must have validation of JWT etc. Never blindly check a cookie, always make sure its encrypted right

​@@philheathslegalteam Yeah since middleware is stable now I would love to use it for restricted paths :) I would generate a hash (server-side) after a successful user auth. A new session would be create in the database and only the hash would be stored in a cookie. When a user visits a restricted path, the middleware sends a request to the server and checks if the session hash is valid. Would it still be better to encrypt the cookie in this scenario?

@@lindor94 yep that is essentially session auth. Next Auth using cookies is great for this, same with any other cookie library. We use JWTs so this is our workflow. 1. Securely create jwt cookie. 2. Refresh token often in client 3. Middleware on restricted route uses JWT verify with our JWT secret. If it has expired we hit up our OAuth system (sup abase) and use the refresh token to get a new JWT. If that fails we block the request and redirect to / Also, middleware is not just limited to auth etc. We call several RPC Functions in our database from it on a different endpoint to make sure the user has access. Possibly the most useful technology Next.js has come out with for us. We can now SSG the restricted routes without worrying abt security. And won’t even have to manually do useEffect redirects anymore. Next is great

@@lindor94 I don’t see encrypting the cookie to be very meaningful. Encode it yes. But an attacker will have the means to attack either way. Only prevents leaking of personal info if the cookie is a JWT. I’m no security expert so I wouldn’t be able to tell you tbh. We just use standard base64 encoded JWTs in cookie

Both servers must respect the same secret. JWTs makes this super easy (hence why nearly all OAuth systems uses it)

It would look a lot like this example but with a hell of a time dealing w/ DNS

@@t3dotgg it's actually for my work, so they're using NextJs as a front-end and Express in the backend. I know that's not ideal, but they like to decouple front and backend. We started with trpc and it works like a charm, but the auth is still a manual mess (custom Google and Twitter logins) so I'm still hoping to convince them to use Next-auth. Or make an exception to call the Prisma DB in the front-end

You can use Next auth with a custom provider, on this provider you just implement the authorization method pointing to your express server route

@@eduardosotero Thanks for the tip!

Make your own ;)

i don't think that JWTs are insecure, is more that people abuse the format and fill it up with a lot of data that are not used for the particular request you're making (sometimes is metadata, nothing to do with authentication), so you end up having a heavy overhead in every request because of the token, RBAC can hel mitigate this, but yeah as someone working with auth0 jwts i can see how it can really quickly end up as a mess... another thing is that if you store some info on the token to save trips to databases or another BE request you still need to sync the info on the token with the source of data, so another worry to have, these are not easy/fun things to do so i think that's what he was talking about

I think it would be dependent on your rendering. Not 100% sure but hopefully someone else will chime in here as I am super curious about this as well.

Depends on how you split the code but essentially yes if you have a giant bundle it all goes along for the ride. The point is though that the backend should reject any requests to stuff you aren’t allowed to do, so it doesn’t really matter. Never trust the client. IMHO

@@jameshamilton2015 Brother of I have indigestion and the only thing I'm splitting is turds

Its still 100% safe to leave it that way if Your server stops the requests to any admin related endpoints. Frontend code id never secure.

you move the auth to middleware that executes before matching routes that you specify

Because your client can’t know. “Logged in” is a snapshot, not a status

​@@t3dotgg Right, it can't know. But it can assume, or make educated guesses. Handle cases based on those guesses, verify on the server, and handle accordingly.

This is incredibly important. Drop Credentials i favor of Magic email link if you wanna provide email login.

Thought the same thing the first time I saw him! xD

JWT is perfectly fine for using database less Authentication. Just store only user id or user name in them. Sign it with a secret on the server. Store the token in the cookie. Make it small. Literally just pass data, that you need on the *server* to be able to authtorize the user efectively (which might just be users id). The key is that you do not have to store sessions in the database this way. Also the "expires at" claim can be used for good FE experience when you can show a message to a user that his session is going to expire, so that he can renew it while it's valid, without login. Of course everything I wrote can be done without JWTs (rolling your own solution) but why not use the standard?...

Can you explain how it's lazy, less secure and annoying? My understanding aligns with Daniel's - the advantage of it is that you don't need to store a "session" in the database. I do think it's confusing because libs like NextAuth will talk about using both sessions and JWTs (i.e. sessions with "strategy: JWT" - what does that mean). And some sites talk about sessions being stored in cookies while JWTs are stored in local storage so it can be reused as a Authorization Bearer token when making requests as if that was the only possibility, but in reality, JWTs can also be stored in cookies too.

@@Nil-js4bf Yep, I'll clarify. If you only store userid and name in it and stick it in the cookies, that's perfectly fine. Lazy and less secure is when they want to store a lot of data in them. A larje JSON user object, their shopping cart (or any applicable app-specific info), their theme preferences, etc. Cookies have a small max size, and session storage doesn't persist between tabs, so then you stick it into local storage. Effectively it's out in the open. The signature is strong enough encryption that you cannot (apart from very specific use cases) tamper with the content, but any JS can read that data. Even worse, any other site can grab that token, send it back home, and with that token anyone else can pretend to be you, and the server would be non the wiser. This is clearly not good practice, but it is very quick to implement, so many 'we are paying for features' mindset orgs prefer it. And if you are already making the sensible choice not to use a bloated JWT, but only store user id in it, and put it in the cookies, at that point you might as well have a session DB and put the session id in the cookies, there is not much difference there (either is fine).

@@Szergej33 only chrome extensions can pull JWT, same with XSS attack. If Your app cannot mitigate XSS you have a much larger problem than localstorage. Chrome extensions can also read secure cookies.

lol

Embrace the honour system!