@psychicbologna
Created December 8, 2019 19:12
1) Should the client or the server take more security precautions?
The server should take more security precautions because it is the source of data. Although having frontend security measures is important, outgoing and incoming information can best be validated and checked on the server.
2) What's the difference between local storage and session storage?
Local storage is kept on the browser indefinitely, while session storage is dumped when the browser is closed.
3) What problem does a JWT expiry time solve?
Expiry solves the issue of malicious parties having access to your account if you leave a tab open on your machine. In addition, without changing the tokens, old JWTs could be used to access the account indefinitely.
4) Is a refresh endpoint protected or public?
A refresh endpoint is protected.
5) What would happen if a refreshed JWT was requested with a JWT that had already expired?
The refresh would not fire, the service would not pass through and the user would be logged out.
6) What does it mean to queue a callback?
To queue a callback means to line up a response for a requested service. In the case of security, it is the temporary access token that will allow the user to refresh the session.
7) What does the clearTimeout function do and what argument do you pass into it?
The clearTimeout function cancels an idle timeout when a user proves they aren't idle, by moving the mouse or otherwise taking action on the browser. The argument passed in is the new timeout.
8) For which of the following events should a refresh request be queued after?
- A successful user registration request
The user isn't necessarily logged in, so the refresh request isn't necessary
- A successful login request
Yes. This is when the refreshing begins!
- A page load
No. A page load doesn't necessarily indicate that a token has expired.
- A successful API request to a protected endpoint for posting a comment
No. Same as above.
- A successful refresh request
Yes, another token should be generated.
- A push state navigation event
No, doesn't necessarily indicate the use
- A user logs out
No, the session is over! No need for it anymore; continuing would pose a security risk.
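The following is an added example, not code from the gist or from the course it answers. It ties questions 3, 5, 7 and 8 together in a small client-side refresh scheduler: a successful login or refresh queues the next refresh callback with setTimeout, logout cancels that pending callback by passing the id setTimeout returned to clearTimeout, and a token whose `exp` claim is already in the past is never used to call the protected refresh endpoint (the session simply ends). The names `refreshFn`, `endSession`, `createRefreshScheduler` and `makeUnsignedToken` are assumptions made for this example; the token builder produces a constructed, unsigned token purely so the code runs offline.

```javascript
// Added example (hypothetical helpers, not the gist author's code).
// Assumptions: `refreshFn(token)` calls the protected refresh endpoint and
// resolves with a new JWT; `endSession()` clears client state and redirects.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)                                     // browser and Node 16+
    : Buffer.from(padded, 'base64').toString('utf8');   // older Node
}

function base64UrlEncode(s) {
  const b64 = typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reads the payload only, to learn WHEN the token expires. This is not a
// validity check: only the server's signature verification decides whether
// a token is accepted, so the client never trusts claims it decodes here.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed, unsigned demo token. A real token is signed by the server;
// the third segment here is only a placeholder so the format is right.
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.unsigned-placeholder`;
}

function createRefreshScheduler({
  refreshFn,
  endSession,
  now = () => Date.now(),       // injectable clock (tests pass a fixed one)
  setTimer = setTimeout,        // injectable timers (tests pass fakes)
  clearTimer = clearTimeout,
  leadMs = 5000,                // refresh this long before `exp`
}) {
  let timerId = null;           // id returned by setTimeout, or null if nothing queued
  const events = [];            // trace of scheduler decisions, for inspection

  function cancel() {
    if (timerId !== null) {
      clearTimer(timerId);      // clearTimeout's argument is the queued timer's id
      timerId = null;
    }
  }

  // Queue one refresh callback for `token`. Returns false if the token is
  // already expired (Q5: the refresh would not pass, so log out instead).
  function queue(token) {
    cancel();                   // never leave two refreshes pending
    const { exp } = decodeJwtPayload(token);
    if (typeof exp !== 'number') throw new Error('token has no exp claim');
    const msUntilExpiry = exp * 1000 - now();
    if (msUntilExpiry <= 0) {
      events.push('expired');
      endSession();
      return false;
    }
    const delay = Math.max(0, msUntilExpiry - leadMs);
    timerId = setTimer(() => {
      timerId = null;
      Promise.resolve(refreshFn(token)).then(
        (fresh) => { events.push('refreshed'); queue(fresh); }, // Q8: refresh queues the next one
        () => { events.push('refresh-failed'); endSession(); },  // server rejected it: session over
      );
    }, delay);
    events.push(`queued:${delay}`);
    return true;
  }

  return {
    onLogin: queue,                                                  // Q8: login starts the cycle
    onLogout() { cancel(); endSession(); events.push('logged-out'); }, // Q8: logout ends it
    events,
  };
}
```

Page loads, navigation events and ordinary API calls do not touch the scheduler at all, matching the answers above: the only things that queue a refresh are a successful login and a successful refresh, and the only things that clear one are logout or a token the server has already let expire.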
9) What is OIDC?
OIDC (OpenID Connect) is an identity layer that focuses on end-user verification. It allows an authorization server to verify a user's identity and provides a means for user information to be obtained in a RESTful manner.