I'm making a full stack web application. My frontend consists of angular-cli and my backend is built from node + express.

I managed to get authentication (read: register and login) working by using a JWT token. At this moment this token is stored in localStorage. This makes it possible that users can share their token, or the token can be stolen by malicious users.

I use the token to prevent/allow users to follow certain routes in my frontend and also to authorise certain api calls.

Is there a way this JWT token can be made more secure or should I follow a different route for authentication/authorisation?

Thanks in advance.

Giani Noyez
  • Storing the token in localStorage is the standard way. What you can do is refresh the token more often than you usually do, like refreshing it every hour or so. – amansoni211 Mar 19 '19 at 05:55
  • Possible duplicate of [What if JWT is stolen?](https://stackoverflow.com/questions/34259248/what-if-jwt-is-stolen) – Paul Kertscher Mar 19 '19 at 05:57

1 Answer

You can refresh the token after every minute. Or else you can get the identity of the user and store the token in the user info.

Link for more info: https://auth0.com/docs/connections/calling-an-external-idp-api

dur
shrikant joshi
  • But once the hacker is able to access the token, he will be able to access the refresh token as well, the same way he stole the original token in the first place. I am not sure how refreshing tokens every minute will help? – kittu Apr 05 '23 at 02:07