🌐 AI搜索 & 代理 主页
Skip to content
/ Next-Auth-with-Express-backend Public

Improve the JWT auth security of an Express back-end, with server-side http-only cookies set in the Next API.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stefaleon/Next-Auth-with-Express-backend

BranchesTags

Repository files navigation

Auth with Next.js

A known problem with JWT authentication is that persisting to local storage introduces a security issue. An improvement is made by using HTTP-only cookies on the server side. The Next.js native API provides a means to easily implement this feature.

The topics below refer to the project commits with the same name

Register and login from the Next API

  • Use the Next back-end as an intermediary for the requests we make from the app, in order to have the same-origin policy applied and avoid CORS related issues.

Register to the Basic Express back-end from the Next API

body

{
  "name" : "test",
  "email": "test@test.com",
  "password": "111111"
}

Login to the Basic Express back-end from the Next API

body

{
  "email": "test@test.com",
  "password": "111111"
}

AuthContext

  • Wrap the app Component in _app.js with AuthProvider in order to have the auth state values available throughout the app

Display nav links conditionally, depending on context user

  • Hide the link to the protected page if "user" is not available in the auth state.
  • Display "Logout" instead of "Login" if "user" is available in the auth state.

Protect the route of the "protected" page

  • Even though the related link is hidden in the navbar, the protected page is currently accessible by entering the related url (http://localhost:3000/protected) manually in the browser's address bar.
  • To fix this, redirect to the login page if "user" is not available in the auth state.

Persist the authenticated user with a server side HTTP-only cookie

Set the JWT in a server side cookie

  • Set the cookie in the response headers as we login. It now becomes available in req.headers.cookie.
  • Confirm the availability for subsequent requests by use of the checkCookie Next API route.

Persist the user on page refresh

  • Check if "user" exists in state on each AuthProvider load. Do so by calling the /api/user route in the Next API, which in turn calls the api/users/me route in the external Express API.
  • The request to the external API contains the JWT in the headers, which is extracted by parsing the req.headers.cookie.
  • If the check fails, set "user" to null and, if we are in a protected route, redirect to login page.

Log out by setting a zero expiration cookie

  • Since the server side HTTP-only cookie persists, the log out functionality is broken. If we refresh, we still have the cookie in the browser storage.
  • In order to properly log out, we need to set antoher cookie with its expiration set to 0.

About

Improve the JWT auth security of an Express back-end, with server-side http-only cookies set in the Next API.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages