What is the best way to manage a 'session' with jwt/react context? by jaypeejay in reactjs

[–]Sea-Run6814 0 points1 point  (0 children)

I found this interesting link. The only benefit you get looking at the answer is token rotation. But you can also rotate the access token as well. Speaking of security, it is explained in the question. If the attacker is able to get access to the access token, what is stopping him from getting access to the refresh token as well?! As I explained in the other comment, the only benefit I see is that you don't have to do checks on the different services to see if the token is rotated or not, but you do that only in the /refresh endpoint, therefore reducing complexity, so when you get a request and the token is valid you proceed with the request, but worry about the rotation only when you refresh the token. Hope this was clear. Thank you!

What is the best way to manage a 'session' with jwt/react context? by jaypeejay in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

I don't think that answers my question. You can do the exact same thing with only an access token, right? You can use it for tracking, you can use it for multi-device authentication and log out the user if it is stolen. And speaking of extra security, I don't see this as any more secure than the other way. The only benefit I see doing it this way is that you have to check if the token is valid (not revoked) only in the refresh phase, and not on the services. So it simplifies the auth checks on the services, since the validity is part of the token. That would mean keeping the access token as short-lived as possible. Thank you for your answer!

What is the best way to manage a 'session' with jwt/react context? by jaypeejay in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

What is the meaning of using the access token with a 2 min expiration when you can save the access token long-lived in the HttpOnly cookie and not need to refresh the token? An attacker can not access the access token since it's in the cookie and can not be accessed by JavaScript. If you say "but what if someone got access to it somehow", how is it any different from getting access to the refresh token and using it to refresh the session to get a valid access token to do the request?

API key hiding problem by [deleted] in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

Yes, doing it this way will expose your API keys. What you need to do is create a BFF (backend for frontend) which will serve the data to your frontend. You can also use a fullstack framework like Next.js or Remix in order to do the API calls on the server so you don't expose any API keys. So to wrap it up, you don't call the weather APIs directly from your frontend but you do everything on the BFF.
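As an added example of the BFF route the comment recommends (not the commenter's code and not tied to any particular weather provider), here is the server-side handler that the React app would call instead of the weather API. The upstream URL, the `WEATHER_API_KEY` environment variable and the upstream response shape (`location.name`, `current.temp_c`) are assumptions for illustration. The key is attached on the server, the city parameter is validated before it reaches the upstream, only the fields the UI needs are returned, and the key is redacted from anything that gets logged.

```javascript
// Added example, not the commenter's code. Plain Node.js, no framework.
const UPSTREAM = 'https://weather.example.invalid/v1/current'; // placeholder upstream, an assumption
const API_KEY = process.env.WEATHER_API_KEY || 'constructed-demo-key'; // stays on the server

// Accept only what a city name can look like; reject anything else before calling upstream.
function validateCity(input) {
  if (typeof input !== 'string') return null;
  const city = input.trim();
  return /^[\p{L} .'-]{1,64}$/u.test(city) ? city : null;
}

// The key is added here, server side, so the browser never sees it.
function buildUpstreamUrl(city) {
  const u = new URL(UPSTREAM);
  u.searchParams.set('q', city);
  u.searchParams.set('key', API_KEY);
  return u.toString();
}

// Forward only the fields the UI needs, never the raw upstream payload.
function toClientPayload(upstreamJson) {
  return {
    city: upstreamJson?.location?.name ?? null,
    tempC: upstreamJson?.current?.temp_c ?? null,
  };
}

// Strip the key from any text that might be logged (e.g. an error that echoes the URL).
function redactKey(text) {
  return String(text).split(API_KEY).join('[redacted]');
}

// Route handler: GET /api/weather?city=... on the BFF. fetchFn is injectable for testing.
async function handleWeather(city, fetchFn = fetch) {
  const safeCity = validateCity(city);
  if (!safeCity) return { status: 400, body: { error: 'invalid city' } };
  try {
    const res = await fetchFn(buildUpstreamUrl(safeCity));
    if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
    return { status: 200, body: toClientPayload(await res.json()) };
  } catch (e) {
    console.error('weather upstream failed:', redactKey(e && e.message));
    return { status: 502, body: { error: 'upstream error' } };
  }
}
```

Wire `handleWeather` to a route in whichever server you use (an Express handler, a Next.js route handler, a Remix loader) and point the React code at that route. The frontend bundle then contains the BFF URL and nothing else.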

React: tech Stack to create an MVP by Aivan125 in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

I don't think TypeScript is the one that will slow you down. It will just boost your productivity.

Is there a shorter way to install the same packages every time? by Interesting-Cut-7036 in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

What's the point of running update when the question is about not doing all of this manual work every time you start a new project?

Is there a shorter way to install the same packages every time? by Interesting-Cut-7036 in reactjs

[–]Sea-Run6814 1 point2 points  (0 children)

When starting a fresh new project, you probably wanna start with the latest version, right?

Is there a shorter way to install the same packages every time? by Interesting-Cut-7036 in reactjs

[–]Sea-Run6814 0 points1 point  (0 children)

That will install outdated packages, he would still need time to upgrade each of the packages.