I’m making an app in Node.js & Mongoose which needs to have some way of authentication. I first thought of a simple session but then came across JWTs. I read through many articles but I’m still unsure if I should use them. My questions are:
- Let’s say someone steals a short-lived access token that expires in 15 minutes; wouldn’t the refresh token be useless, as 15 minutes is a lot of time to do something?
- Where & how should I store refresh & access tokens? I guess access tokens in client-side memory and refresh tokens in the database? But what if an attacker hacked the database and got the refresh token? Does he have access then?
- Are there any other secure and good ways to authenticate with Node.js?
Thanks in advance!
> Solution:
- The access token is always valid until its expiry date (you cannot log out; you can only remove the token from the client side), which is a bit of a downside. But still, if someone gets your session cookie and you haven’t clicked log out, they can also access your account as long as the session cookie has not expired. If someone steals your token you have a problem no matter what you use; then you have to check the IP or something more than just a token.
- The backend should only know about the refresh token; it can verify the access token without any other information. The client side should store both the refresh and the access token. If someone gets access to your DB and steals the refresh token, then they can ask for a new access token with the refresh token.
- I would still recommend using JWT tokens, especially when you’re planning to start using multiple backend servers; it simplifies the token-storage problem a lot (the beginning of this post explains at greater length what problem JWT tokens try to solve and how JWT works: https://codingally.tech/spring-boot-jwt-authentication/)