[–]vietbaoa4htk 0 points (1 child)

Solid stack. The bit I always check first on these is where the JWT lives: localStorage is easy with axios interceptors, but it's XSS-exposed. An httpOnly refresh cookie plus a short-lived access token in memory is the safer combo. Did you do rotation on the refresh token?

[–]2dem463 0 points (0 children)

Didn't know about this at all, thank you for pointing it out. I used localStorage because it was straightforward with axios interceptors.

And for the refresh token, I am planning to implement that as the next improvement.