How do I store access and refresh tokens on a SPA without summoning Chutulu?
-
I have a REST API that uses access tokens for auth, no cookies whatsoever. To log in, the username and password are sent via POST, and the access token and refresh token are returned in the body. The access token is sent via Bearer auth in the following requests. The access token expires after 15 minutes; when that happens, the access token and the refresh token are sent via POST to get a new access token. The client app is a desktop WinForms app that stores both tokens in the Windows registry, encrypted with NPAPI.
Now I have to write a new web app that consumes the same API. However, it is recommended to store access tokens in cookies to prevent XSS attacks. Unfortunately, that would make it impossible for the SPA to refresh access tokens the same way the desktop app does. Also, if I add cookie auth I have to find a way for the desktop app to ignore cookies completely. What would be the least insecure way to store access tokens on a SPA?
-
According to this article, you should just use localStorage and protect against XSS attacks by other means.
-
@magnusmaster said in How do I store access and refresh tokens on a SPA without summoning Chutulu?:
Now I have to write a new web app that consumes the same API. However, it is recommended to store access tokens in cookies to prevent XSS attacks. Unfortunately, that would make it impossible for the SPA to refresh access tokens the same way the desktop app does.
Uhm, why? You just need to send the refresh request before expiration and you will receive a new cookie.
Assuming that the cookie is actually sent as part of HTTP Response. If you're talking about setting cookies from the JS, then yes - that should be avoided at all costs.
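The refresh-before-expiry flow described in the reply above, as an added example that is not code from the thread: the 15-minute access token is held only in memory (not localStorage), the refresh token is assumed to be an HttpOnly cookie the server set in its HTTP response, and the refresh endpoint path and JSON shape are assumptions.

```javascript
// Added example, not code from the thread: an in-memory token holder for the SPA.
// The access token lives only in this closure (never localStorage); the refresh token
// is assumed to be an HttpOnly cookie the server set in its response, so the refresh
// call just sends credentials and page script never touches the refresh token.
// Endpoint path and JSON shape ({ access_token, expires_in }) are assumptions.
const REFRESH_MARGIN_MS = 60 * 1000; // renew a minute before the 15-minute expiry

function createTokenStore({ fetchImpl = globalThis.fetch, refreshUrl = '/auth/refresh', now = Date.now } = {}) {
  let accessToken = null; // both of these exist only in memory
  let expiresAt = 0;      // epoch milliseconds
  let inflight = null;    // de-duplicates concurrent refresh calls

  function set(token, expiresInSeconds) {
    accessToken = token;
    expiresAt = now() + expiresInSeconds * 1000;
  }

  function needsRefresh() {
    return accessToken === null || now() >= expiresAt - REFRESH_MARGIN_MS;
  }

  async function refresh() {
    if (inflight) return inflight;
    inflight = (async () => {
      const res = await fetchImpl(refreshUrl, { method: 'POST', credentials: 'include' });
      if (!res.ok) {
        accessToken = null; expiresAt = 0; // drop the stale token; caller must log in again
        throw new Error(`refresh failed: HTTP ${res.status}`);
      }
      const body = await res.json();
      set(body.access_token, body.expires_in);
      return accessToken;
    })();
    try { return await inflight; } finally { inflight = null; }
  }

  // Resolves to a usable bearer token, refreshing first when the current one is near expiry.
  async function getAccessToken() {
    if (needsRefresh()) await refresh();
    return accessToken;
  }

  // Wraps fetch so every API call carries a current Authorization header.
  async function authFetch(url, init = {}) {
    const token = await getAccessToken();
    return fetchImpl(url, { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` } });
  }

  return { set, needsRefresh, refresh, getAccessToken, authFetch, expiresAt: () => expiresAt };
}
```

Because nothing long-lived is readable by script, an XSS payload can at most use the page's own session while it runs, rather than copying a refresh token for later.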
-
@Kamil-Podlesak Currently, the way the API works is that I ask for a new access token when the previous one expires. I figured that it was easier than setting a timer. Also, the API currently does not use cookies at all. For the time being I'll just store the tokens in localStorage and work out how to improve security later.
-
@magnusmaster said in How do I store access and refresh tokens on a SPA without summoning Chutulu?:
work out how to improve security later
Calling it now: no you won't
Filed Under: technical debt
-
@magnusmaster I hope those refresh tokens are protected by some other measures, because having an indefinite-lifetime refresh token that's sent to a client seems like a bit of a security hole otherwise. A user, or a malicious script, can save that token and use it to get a new session as that user without logging in again.
-
@bobjanova Refresh tokens generally have a fixed expiry time as well, longer than the access token but still finite.