
Question - How can I access the logged-in user on the frontend in a way that does not delay the loading time of the application [in a secure way]?


Hi, I'm new to Go and I'm building an application with Go on the backend and a create-react-app app on the frontend. I'm not very experienced in authentication either. I'm using goth to implement Google authentication using OAuth 2.0. I'm using sessions - I heard they are more secure than JWT tokens.

There are a couple of ways I can think of, but none seem like efficient or secure solutions:

  1. Pass the userID and/or email in the URL when the callback redirects to the success page after login. Problem - this doesn't sound secure, since user information like the ID, etc. will be visible in the URL.

  2. Make a GET call to /api/me and request user information, then store it in the state on the frontend - but this delays the loading time of the application. User experience will be affected negatively. I've seen apps achieve almost no loading time when it comes to authentication. How do they do this securely?

  3. I could store user information in local storage or session storage - but again, I heard these are really bad choices for authentication.

If any of my above knowledge is wrong, please let me know that too. I'd love to learn.

jgrewal

1 Answer

It's always preferable to send crucial or credential information over HTTPS instead of HTTP. It will take away a lot of security-related headaches.

Do not send credentials as GET parameters; they might end up in server logs, which is not a good idea.

Authentication should always happen on the backend side, though you can do validation on both sides, and that is the recommended approach. Also make use of sessions on both sides.

Approach 1:

You can send the userId and email via the Authorization header.

For better understanding refer to this Wikipedia article: https://en.wikipedia.org/wiki/Basic_access_authentication and How to send password securely over HTTP?

Approach 2:

Encrypt the data using a standard encryption algorithm in the backend and send this payload data to the UI, and there you can decrypt it.

You can refer to encryption/decryption here: https://blog.logrocket.com/learn-golang-encryption-decryption/

Example:

// This is a sample example, not an exact one.
// Encrypt is assumed to be the helper from the linked article above.
const MySecret string = "abc&1*~#^2^#s0^=)^^7%b34"

payload := map[string]interface{}{
    "userId":  25,
    "emailId": "example.com",
}

encText, err := Encrypt(payload, MySecret)
if err != nil {
    fmt.Println("error encrypting your classified text: ", err)
}

Send this encrypted data as a response with a success message in your login API. Use the same algorithm in the UI for decryption as you use for encryption, and also remember the secret key.

Approach 3:

You can use a cookie with the secure and HTTPS flags. You can also set the expiry time of the cookie. It will improve the loading, and you do not have to store anything in session storage or local storage.

For better understanding refer to this: Setting cookies with net/http and https://go.dev/src/net/http/cookie.go

Ashutosh Singh

  • How are you going to decrypt it in the frontend? It would mean you have the decryption key in the frontend, so that anyone who can access the frontend, and therefore the source of the frontend, can obtain the key. – The Fool Dec 21 '21 at 12:52
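Added illustration of Approach 3 from the answer, written for this page and not taken from the answer, the question's project or goth: the browser holds only an opaque session ID in a Secure, HttpOnly cookie with an explicit expiry, and /api/me resolves that ID against a server-side store. Because the user data never leaves the server, there is no decryption key to ship to the frontend, which is the objection raised in the comment on Approach 2. The User type, the cookie name session_id, the in-memory SessionStore and the sample user are assumptions made for this example; a real app would fill the user in from goth's OAuth callback and use a persistent session store.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"sync"
	"time"
)

// User is what the frontend needs after login (constructed sample type).
type User struct {
	ID    int    `json:"userId"`
	Email string `json:"emailId"`
}

// SessionStore keeps session data on the server; only an opaque ID reaches the browser.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]User
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]User{}}
}

const sessionCookie = "session_id" // assumed cookie name

// newSessionID returns 32 random bytes as hex: an unguessable identifier, not user data.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// SetSessionCookie stores u server-side and sets the cookie with the flags the
// answer mentions (Secure, an explicit expiry) plus HttpOnly and SameSite.
func (s *SessionStore) SetSessionCookie(w http.ResponseWriter, u User, ttl time.Duration) error {
	id, err := newSessionID()
	if err != nil {
		return err
	}
	s.mu.Lock()
	s.sessions[id] = u
	s.mu.Unlock()
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookie,
		Value:    id,
		Path:     "/",
		Expires:  time.Now().Add(ttl),
		MaxAge:   int(ttl.Seconds()),
		Secure:   true,
		HttpOnly: true, // JavaScript cannot read it, so injected script cannot copy it
		SameSite: http.SameSiteLaxMode,
	})
	return nil
}

// UserFromRequest maps the cookie back to a user; ok is false for missing or unknown IDs.
func (s *SessionStore) UserFromRequest(r *http.Request) (User, bool) {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return User{}, false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.sessions[c.Value]
	return u, ok
}

// MeHandler serves /api/me from the server-side session; no key or secret ships to the browser.
func (s *SessionStore) MeHandler(w http.ResponseWriter, r *http.Request) {
	u, ok := s.UserFromRequest(r)
	if !ok {
		http.Error(w, `{"error":"not authenticated"}`, http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(u)
}

func main() {
	store := NewSessionStore()
	// In the real app the OAuth callback (goth) supplies the user; constructed sample user here.
	http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) {
		if err := store.SetSessionCookie(w, User{ID: 25, Email: "user@example.com"}, 24*time.Hour); err != nil {
			http.Error(w, "login failed", http.StatusInternalServerError)
			return
		}
		http.Redirect(w, r, "/", http.StatusSeeOther)
	})
	http.HandleFunc("/api/me", store.MeHandler)
	_ = http.ListenAndServe(":8080", nil)
}
```

The one round trip to /api/me on page load is the cost of this design; what it buys is that neither the user's identity nor any key is ever stored in the browser, and a forged or expired session ID simply yields a 401 because the server has no record of it.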