Created October 22, 2020 14:04
Storing access token/refresh token

first, refresh tokens:
- localStorage is not safe (based on an explanation from hasura/graphql-engine#2205 (comment))
- localStorage is not safe either, and https://ionicframework.com/docs/native/secure-storage should be used (but you know that)

I would also tell that:
because, suppose our site was XSSed - a malicious user (MU) could find a way to sniff your token
Web vs mobile UX flows
on web we may want:
on mobile:
access token (AT) / refresh token (RT) - where did they come from?
The AT/RT approach came from OAuth.
An AT is a cached, short-lived (e.g. valid for 15 min) result of the expensive validation of an RT (long-lived, e.g. 7 d).
By this I mean: validating the RT checks whether the user_id in the RT is blacklisted/whitelisted.

JWT AT/RT vs JWT session-id-like approach
on web it's better to use: https://imgur.com/a/K78R1fj (found in this comment: hasura/graphql-engine#2205 (comment))
on Web, it's better to use session-id, unless:
what are other possible clients
bonus: on web - we want to log out
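An added example (not part of the gist) of the AT/RT split described above and of the web logout bonus, in Python: the refresh token is validated with signature, expiry and a user_id blacklist lookup (the expensive step), while the access token is checked only by signature and its 15-minute expiry. The hand-rolled HS256 JWT, the constructed key and the in-memory REVOKED_USER_IDS set are assumptions for illustration, not anything the gist or hasura prescribes.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real service loads this from a secret store.
SECRET = b"constructed-demo-hmac-key"
AT_TTL = 15 * 60           # access token lifetime: 15 minutes (the gist's figure)
RT_TTL = 7 * 24 * 60 * 60  # refresh token lifetime: 7 days (the gist's figure)
# Constructed server-side state: user ids whose refresh tokens were revoked (logout).
# Consulting it is the "expensive" step; only refresh-token validation pays for it.
REVOKED_USER_IDS = set()

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_jwt(token: str, now: float):
    """Stateless check (signature + expiry). Returns the claims dict or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return None if claims.get("exp", 0) <= now else claims

def issue_refresh_token(user_id: str, now: float) -> str:
    return _sign_jwt({"sub": user_id, "typ": "refresh", "exp": now + RT_TTL})

def refresh_access_token(refresh_token: str, now: float):
    """Expensive path: verify the RT, consult the blacklist, then mint a 15-minute AT."""
    claims = _verify_jwt(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh" or claims["sub"] in REVOKED_USER_IDS:
        return None
    return _sign_jwt({"sub": claims["sub"], "typ": "access", "exp": now + AT_TTL})

def check_access_token(access_token: str, now: float):
    """Cheap per-request path: no blacklist lookup; the short exp bounds the exposure."""
    claims = _verify_jwt(access_token, now)
    return None if claims is None or claims.get("typ") != "access" else claims["sub"]

def logout(user_id: str) -> None:
    """Web logout: blacklist the user so the RT can no longer be exchanged for a new AT."""
    REVOKED_USER_IDS.add(user_id)
```

Note that an AT already issued before logout stays valid until its exp, which is why the AT lifetime is kept short.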