
Simply, I have a React app (I am new to this domain; as per my knowledge, all the requests sent from React apps are visible in the browser's network tab). There is no provision for a server-side request that can be hidden from the browser.

I have to implement an authentication mechanism for this application. But I have a few questions regarding the approach.

  1. As all the requests are visible, how will my generate-token request be secure? Anyone can inspect and get my token generation parameters.
  2. Once the token is generated, it is supposed to be used by subsequent requests. Then isn't it possible for anyone to get my token?

How to make it secure?

I think it's not possible to mask/hide any parameters or token. The only way to make it secure is this:

Authentication should be user-login based, clubbed with IP/User-Agent and a few more parameters. This way, when we identify that someone else who should not have the token is using the token, they should get an unauthorized response.


The Token

The token is stored in the browser's local storage, and it is safe for MOST use cases. You can read more about this in this StackOverflow post.

Summary of the post: local storage can be insecure if the site is vulnerable to Cross-Site Scripting (XSS) attacks, but there are ways to prevent XSS on your site.

An alternative to local storage would be to use server-side sessions or IndexedDB. But local storage is sufficient and secure enough for most cases.

The Request

Generally speaking, most requests in the real world use HTTPS. The S in HTTPS stands for "secure." HTTPS uses TLS (or SSL) to encrypt HTTP requests, and even if someone intercepts the request, it is encrypted and they would see a bunch of random letters.

Therefore your token is encrypted and no attacker can make use of it.

Learn more about HTTP vs HTTPS

Usually, localhost uses HTTP, so the requests are not encrypted, but in the real world you would use domains like https://customDomain.com/path-to-api-endpoint.

Note how this domain uses HTTPS so any request made to this domain would be encrypted.

axios.post('https://customDomain.com/path-to-api-endpoint', {})

The line above will make an API call using the HTTPS protocol.

Abdullah
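The answer's two points (the token rides in the request, and only HTTPS keeps it from being read in transit) as a small client-side helper. This is an added example, not code from the question or the answer: `customDomain.com`, the token value and the injected `fetchImpl` are placeholders constructed for it, and the localhost exception mirrors the answer's remark that local development usually runs over plain HTTP.

```javascript
// Added example (not from the original post). A fetch wrapper that attaches a
// bearer token and refuses to send it to any non-HTTPS origin other than localhost.

// Returns a parsed URL, or throws if sending a token to it would expose it in transit.
function assertHttpsUrl(url) {
  const parsed = new URL(url);
  const isLocalhost = parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1';
  if (parsed.protocol !== 'https:' && !isLocalhost) {
    // Over plain HTTP the Authorization header is readable by anyone on the path.
    throw new Error(`refusing to send a token over ${parsed.protocol} to ${parsed.hostname}`);
  }
  return parsed;
}

// Builds the headers for an authenticated JSON request; rejects an empty token
// so a missing login does not silently turn into an anonymous call.
function authHeaders(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('missing token: user is not logged in');
  }
  return { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
}

// fetchImpl is injected (defaults to the platform fetch) so the wrapper can be
// exercised offline; `body` is serialised as JSON like axios.post would do.
async function postWithToken(url, body, token, fetchImpl = globalThis.fetch) {
  const target = assertHttpsUrl(url);
  const response = await fetchImpl(target.toString(), {
    method: 'POST',
    headers: authHeaders(token),
    body: JSON.stringify(body),
  });
  if (response.status === 401) {
    // The server rejected the token (expired, revoked, or bound to another client);
    // surface it so the app can clear the stored token and re-authenticate.
    throw new Error('unauthorized: token rejected by server');
  }
  return response;
}
```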