Best practice for storing JWT token
Hi all!
Currently I'm developing an internal organization Nuxt 3 web app that is not exposed to the internet. I have a backend API implemented in Go and another mobile app that is exposed to the internet (i.e. 1 web app (private), 1 backend API (public), 1 mobile app (public)).
Originally, the backend API sent the JWT (access/refresh token) in the response body to the mobile app, but now that I'm adding the web app, I wasn't sure if I should use a session cookie to store the JWT instead of including the token in the response body.
How do you usually store tokens in the browser? Given that this is an internal organization web app, will it be alright to store the token in local/session storage? What kind of risks do I have from storing it in local/session storage for a private web app?
Also, I wasn't sure if I wanted to use other Nuxt 3 modules like sidebase auth. I took a look at an example from sidebase and it seemed like it was implementing the auth logic on the server side of the Nuxt app instead of using a custom backend API solution (like Go in my case). I mainly wanted to use an auth library because I wasn't sure if my own implementation would be secure enough.
So, tl;dr:
1. Is it secure to store the JWT in local/session storage (for a private app not exposed to the internet)?
2. Any recommendation for an auth library for a custom backend API?
3. Advice on best practices for authentication using JWT (not OAuth) for an SSR application?
5 Replies
Just as a side note, I mainly wanted to use local/session storage for storing the JWT because that way I can keep the same backend API logic that returns the token in the response body (instead of using a session cookie) for the mobile application.
I heard about an architecture called backend for frontend, so maybe I can make different APIs for different clients, but that seemed like more work and more maintenance overhead.
Have you considered Lucia? https://lucia-auth.com/
Lucia is an open source auth library that abstracts away the complexity of handling sessions.
I did see it recommended somewhere but haven't really looked into it yet.
Isn't it for server-side auth logic for TypeScript?
It's both. I guess you could try rolling your own and storing it using useCookie with secure enabled.
I see.. thanks for the recommendation haha
I'll take a look at it!
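One way to keep a single Go backend for both clients without a separate backend-for-frontend, as an added example that is not from this thread or from any library mentioned in it: the login handler returns the token in the JSON body for the mobile app (as the existing API does) and sets it as an HttpOnly, Secure, SameSite cookie for the browser app, so page scripts (and therefore any injected script) cannot read it the way they could read local storage; protected routes then accept either transport. The `X-Client: web` header is an assumed convention for telling the two clients apart.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Constructed example: one login handler serves both clients. The mobile app
// gets the token in the JSON body; the browser app gets it in an HttpOnly
// cookie. "X-Client: web" is an assumed header convention for telling them apart.

const accessCookieName = "access_token"

var errNoToken = errors.New("no access token in request")

// issueAccessToken delivers an already-minted token in the transport that
// suits the client (minting and signing the JWT is out of scope here).
func issueAccessToken(w http.ResponseWriter, r *http.Request, token string, ttl time.Duration) {
	if r.Header.Get("X-Client") == "web" {
		http.SetCookie(w, &http.Cookie{
			Name:     accessCookieName,
			Value:    token,
			Path:     "/",
			MaxAge:   int(ttl.Seconds()),
			HttpOnly: true,                    // hidden from document.cookie, so injected script cannot read it
			Secure:   true,                    // sent over TLS only
			SameSite: http.SameSiteStrictMode, // not attached to cross-site requests (CSRF)
		})
		w.WriteHeader(http.StatusNoContent)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"access_token": token})
}

// tokenFromRequest is what protected routes call: it accepts the Bearer
// header from the mobile app or the cookie from the browser app.
func tokenFromRequest(r *http.Request) (string, error) {
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		return strings.TrimPrefix(auth, "Bearer "), nil
	}
	if c, err := r.Cookie(accessCookieName); err == nil && c.Value != "" {
		return c.Value, nil
	}
	return "", errNoToken
}
```

The cookie still needs the usual CSRF thinking for state-changing requests (SameSite=Strict covers most of it for a same-origin SPA), and the Go handler itself must still validate the JWT signature and expiry after extracting it.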