Nasr galal
Localstorage + JWT
That's correct, on server, we can have a more granular control over the data. Since the browser is not the secure place to store the data in.
As per OWASP security standards, It is highly recommended not to store any confidential or privacy data as it is exposed to be breached.
https://owasp.org/www-project-mobile-top-10/2014-risks/m2-insecure-data-storage
Sometimes, one little code mistake in the client code could lead to data leakage somehow. That's why I do strongly agree with your thoughts around making it on server side.
However, some simple apps don't need server-side approach, that's why I am trying to be wise when choosing which matches which. As a world class level approach, for sure it should be a back-and-forth between client and server.
15 replies
Localstorage + JWT
hmm, yeah, I think you may choose the best fit depending on the highest priorities.
Both approaches have pros and cons. Sometimes it puts us on a trap trying to choose between both of them.
I would say if your app is a Data-Driven one, we may think of Server-sided way.
In the mean time, I came across Web Application Firewall (WAF) which sounds a nice addon for adding a protection layer.
may be something like this: https://github.com/timokoessler/easy-waf
and here is the thinking emojie of mine 🤔 😄
15 replies
Localstorage + JWT
hmm, using XSS attacks, yes, if an attacker tries to get it, he can go through.
Your approach has advantages though:
- Improved Security: Not storing access tokens or refresh tokens on the server reduces the attack surface and potential data breaches.
- Scalability: This approach can be more scalable as it doesn't require server-side storage for user tokens.
Talking about disadvantages:
- Security Concerns:
a. Cookie Theft: If an attacker steals the JWT cookie, they can potentially impersonate the user.
b. XSS Attacks: Cross-site scripting vulnerabilities could allow attackers to steal the JWT from the client-side.
c. Limited Functionality: Storing only the Discord ID in the database limits what information you can access about the user without making additional API calls to Discord.
d. Revocation Challenges: Revoking stolen JWTs can be more difficult as they are stored on the client-side.
---
For now, on the client-side, Here are some ways to mitigate the security risks:
---
1.
HttpOnly
Flag: Set the HttpOnly
flag on the cookie to prevent JavaScript from accessing it directly, reducing the risk of XSS attacks.
2. Secure Flag (HTTPS): Ensure your website uses HTTPS to encrypt communication between the browser and server, protecting the cookie during transmission.
3. Shorter Expiration: Set a shorter expiration time for the JWT to limit the potential damage if it's stolen.
4. Refresh Token Management: Implement a mechanism to refresh the access token before it expires using the refresh token obtained from Discord. Store the refresh token securely on the server (not in a cookie).
there are alternatives, but will need server side work though 🙂15 replies
nuxt-i18n dynamically load translations
If you need to have a JSON editor as a front-end solution, you may check these libraries:
--> JSONEditor (https://jsoneditoronline.org/)
--> Monaco Editor (https://microsoft.github.io/monaco-editor/) (more complex but offers advanced features)
-----
On the other hand 🙂
If your site is open-source, and you need a fancy solution, I highly recommend Crowdin
https://crowdin.com/
You can have one private project there. Vuetify team are using this platform to translate the documentation
hope this might help giving some keys to what you are looking for, please forgive If I misunderstood your question 🙂
23 replies
Localstorage + JWT
oh interesting!
so in Server side, we could use the
localStorage.setItem('set_name_token_here')
method, this should save the token in a key-pair value
and if you like to get the stored token, just use localStorage.getItem('the-name-we-specified-before')
----
If you care about security, here are few other alternative approaches you may look into:
1. Session Storage: provides temporary storage for data specific to a browser tab or window. Data is cleared when the user closes the tab or window.
Implementation:
2. Cookies: They are small pieces of data sent from the server to the user's browser and stored locally. They are often used for session management and can be configured with specific expiration times and security flags like HttpOnly.
Implementation (requires backend integration to set and retrieve cookies):
3. IndexedDB: It is a more robust client-side database that allows structured data storage with indexes for efficient retrieval. It's suitable for storing larger amounts of user data or complex objects.
Implementation(requires using a library like idb-keyval
for easier use):
15 replies
NuxtImg Image Shrinking
To make it simple:
- If you want to control how the image scales within a container while maintaining aspect ratio, use
fit
prop.
You can check here: https://image.nuxt.com/usage/nuxt-img#fit
- If you need responsive image sizing based on screen size, use sizes
prop.
You can check here: https://image.nuxt.com/usage/nuxt-img#sizes
- And finally, If you want to display the images at a specific static size (which I think you might not want), use width
and height
props.
Hope this helps 🙂5 replies
useNuxtApp inside pinia action
you can access
useNuxtApp()
in the following locations:
- Any Vue component/page
- Any Composable function
- Any Middleware function
so I guess, you may utilize that as it is not possible to use composables outside the specified locations3 replies
New at nuxt.. and frontend as a whole.
Here is the playgorund
local
example: https://github.com/sidebase/nuxt-auth/tree/main/playground-local
in the server endpoint of login, all you need to do is to get the token from your backend and return it.
usually the format look like this:
If you would like to check the authenticated status, you can use the status
composable for that:
once the token is returned in the proposed format, nuxt auth captures it and stores the session in a session
composable42 replies