
I'm building a web application with a Vue.js frontend and a Node REST API using express. I'm trying to work out authentication, specifically trying to go stateless using JWTs. I have them completely separated on different domains, and am using self-signed SSL certificates on both to work with HTTPS in my local environment. I've been trying to implement the JWT auth strategy outlined here which suggests using quick-expiring JWTs for authorization while having the API also pass the client a "refresh token" via httponly cookie.

The problem, I've come to realize, is that on the client side I'm using axios for submitting requests and handling responses, and httpOnly cookies aren't readable by javascript libraries like axios.

Lengthy searching doesn't seem to have any good resolution for this; all JWT auth strategies seem to suggest using httpOnly cookies in some way or another to persist logins, and there seems to be no secure way to access httpOnly cookies from axios or other javascript REST libraries. Is there any solution here? Is my problem trying to put the frontend and API on two separate domains?

sitrick2

2 Answers


Yes. Cross-origin is seemingly going to be messy (as referenced here).

And yes, you can't access HttpOnly cookies from the javascript context (axios, etc).

When I do Auth w/ Vue, I run on Nuxt and just use their auth plugins. Here's that section of their documentation.

When using Nuxt, you could (depending on your opinions) even host your API as middleware on the same box as your Nuxt webapp.

Jess
    I figured as much. I'll come back to Nuxt if I have to, this is a personal project and I'm using it as a learning exercise as much as anything so I'd really prefer to do things from scratch if I can. Will try putting everything on one domain and see if I can't make things work from there. Thanks! – sitrick2 Nov 17 '19 at 06:33

Maybe you should try this solution: simple authentication with a store, an expressjs server and an httponly cookie: https://github.com/ja-klaudiusz/Nuxt.js-HttpOnly-cookie-auth

Klaudiusz