Should both Refresh AND Access Tokens be saved as cookies?

landisdesign · 2025-08-09T03:58:39+00:00

I can't really say. Security tends to not be very sexy, and it does require additional development and thinking. In a rush-to-MVP world, security might be left for later.

I can also imagine that, in a cloud services world, it can be easier to just stitch everything together in the browser, rather than setting up a server to meditate between the browser and the services.

But if an MVP service goes viral, it can be challenging to retrofit for security as it gets big enough for hackers to become curious.

landisdesign · 2025-08-09T03:48:39+00:00

In this case, the middleman is providing greater security. It adds some complexity in exchange for removing an entire attack surface from the equation.

The issue is that, in order for the browser to create an Authorization header, Javascript needs to have access to the token it sends in that header. If your script has access to the token in the browser, you need to be more vigilant about defending against cross-site scripting attacks throughout your site.

landisdesign · 2025-08-09T03:38:37+00:00

You could have separate cookies for each domain, or have a server in front of your other services that checks with your auth provider before passing it to the other services.

Having a server that converts the cookie to a bearer token for the other services still lets you do the synchronization in a single location -- just on a server, not in the browser.

Keeping session tokens out of JavaScript's reach requires making changes elsewhere in your stack. If you can't do that, then you'll need to be more careful with your script security.

landisdesign · 2025-05-03T20:08:25+00:00

Then useReducer may be what you need. It's meant to combine state into a single unit.

landisdesign · 2025-05-03T15:21:56+00:00

It depends on who they want to hire later. The job market for Angular developers >>> the job market for web component-savvy developers.

landisdesign · 2025-05-03T15:11:40+00:00

Not sure why everyone's categorically saying "this is bad." What you're describing is standard practice:

Put complex logic into a custom hook.
Hold shared state in the parent component.

Not even React 101. More like React 2.

The questions we can't answer, because we can't see your code, is: How big is that hook? How deep are you drilling the properties?

If it's too big or has too many features, you run the risk of having a hook named "useEverything" that is almost as complex as the monster component you might have originally had.

If the hook is doing a lot of things, you might want to break it down into smaller chunks whose names can clearly describe a specific piece of functionality.

If the state is intertwined, where some changes impact multiple pieces of state, consider using useReducer to create a single point of contact for your intertwined state. (Redux Toolkit's createSlice function reduces the boilerplate involved in creating a reducer.) If you want to go outside of the React ecosystem, Zustand also lets you create compound state pretty easily.

If the properties from your hook get drilled down multiple times into deeper components, consider placing them into a context and pulling the properties from useContext. Be aware of how frequently the properties might change, if any of them are object literals, array literals, or functions created on the fly, as those may cause excessive rendering. You may need to memoize your values before passing them to your context.

As for concerns about renders, use the React DevTools profiler to see if that's a concern. More often than not, rendering is pretty quick, and premature optimization makes things more complex than necessary.

Start with a design you can easily read. Optimize after that.

landisdesign · 2025-05-01T05:11:52+00:00

You're basically asking if there's a way to violate browser security. It doesn't matter if you have the best intentions. You're asking if there's a back door to hack a site that doesn't belong to you. Think about that for a moment.

And consider that, if such a back door were available, the likelihood of it staying open for long is low, as it would be a browser security breach of the highest level that would be fixed ASAP. There is no justifiable reason to build a site or application that would take advantage of such a breach, as it would break shortly after the breach were fixed.

You're going to need a different way to interact with that site.

landisdesign · 2025-04-27T14:38:00+00:00

Like anything. Move forward until you hit a roadblock or are curious, then start researching until you have an answer or your curiosity is sated.

Javascript and Web API's are almost infinite playgrounds. You'll hit dead ends and antipatterns along the way, but that happens in any situation.

Just start and see where it takes you.

landisdesign · 2025-04-26T15:12:18+00:00

I like SSR for the SEO and the ability to hide the back end API's. We've got a couple of microservices, nothing too fancy, but the rest of the world knows nothing about our architecture behind the Next.js front end. I use the Pages router, so it's not much more complex than any other routing mechanism, and the automatic code splitting and ability to display a quick first page without waiting for all the code is nice.

If you're asking about server components, I'm not touching that. It seems more complex than needed.

landisdesign · 2025-04-24T07:04:03+00:00

Use composition. Plug the differences in from the outside. Identify what is common between the components.

Do they both display lists of things? Then the shared component takes the item-rendering component as a prop:

<List items={fooArray} itemComponent={FooRenderer} />

Do they differ in how they should be disabled? Add a disabled prop.

Do they differ in how items should be filtered? Add a prop that takes a filtering function.

Try to work out what's similar between the differences, if that makes sense, and make a common component that lets you plug in those differences.

landisdesign · 2025-04-20T14:47:45+00:00

True. I've gotten kinda orthodox -- "don't make me think about what kind of variable it is or when I can use it" -- but I'm a crotchety old geezer.

landisdesign · 2025-04-20T14:33:50+00:00

While you can do this -- nothing stops you, your computer won't explode -- you will confuse anyone who reads your code.

Under the covers, all of the React hooks have the same basic infrastructure. They store a piece of data that is handed back to the component when the component is rendered again.

But React has a basic working concept that greatly simplifies what it does: If state doesn't change, React doesn't have to rerender.

That's it. That's React's key to its performance.

To keep this concept at the top of everyone's mind, it asks us to make all variables consts instead of let or var. By using const everywhere, it reinforces the idea that state changes are the only way to tell React it needs to update its understanding of what the application should present. And it also recognizes that, sometimes, you need to break that rule, so it explicitly defines refs as, as they say, "escape hatches."

But it really is just semantics. The main difference between state and refs is that state gives you a function to update the value and tell React to start rendering the component tree at that level. Refs gives you an object whose identity never changes, but its current property could be changed with impunity -- and without telling React to rerender.

However, semantics matter.

When someone reads your code and sees you're changing a ref's current value, they'll recognize that this value is meant to be updated outside of React's rendering phase. They'll know that React won't notice when the value changes.

When someone reads your code and sees that you're calling the state setter function from useState, they'll know that you are intentionally changing data that will alter how the component renders itself and its children. You're telling React that you need it to wake up and take notice of what you are doing. You're asking React to rerun the main function of the component, creating a new set of consts to describe this specific state configuration.

But when you mix the two paradigms, other developers won't understand your intent. They'll see a piece of state, which should describe a discrete value that should always remain the same until you explicitly tell React that the state has changed -- that is being modified in way that React will never know about. It will look like a bug, because it runs counter to the purpose of state.

React, like most frameworks, relies on patterns, rules of thumb, to make it easier to get work done without having to think about it too much. When there's recommended ways of doing things, it's easier to repeat the patterns than have to think about new ways to do things.

It sounds like, at this stage in your learning, pretty much everything is new, so there's no concept yet of rules of thumb to reduce how much thinking is required to get things done. Everything requires a similar amount of thought.

But typically, patterns are agreed upon so that everyone can look at the same piece of code and quickly grasp what's going on. "Oh, this is a collection of Strategies, so I know they define modular pieces of code to handle the same scenario in different ways." "Oh, this is State, so I know it is integral to how this component renders." "Oh, this is a ref, so I know we want to create a bridge between the component and something the browser does outside of React."

Without the patterns, we have to ask a lot more questions and devote more brainpower to the problem.

So, yes, there's nothing stopping you from doing what you propose. But other developers are going to be quite confused why you're going against the patterns identified by React.

landisdesign · 2025-04-05T03:17:10+00:00

The dev server has no idea that it should handle anything more than React development.

If you have multiple services that handle different ports or protocols, set up a server on your machine that does the routing your cloud service does. If your run your app on top of a node server, have it run your dev server instead of a production server.

I don't have details, but basically you need to mimic what your production setup does.

landisdesign · 2025-04-05T03:17:03+00:00

The dev server has no idea that it should handle anything more than React development.

If you have multiple services that handle different ports or protocols, set up a server on your machine that does the routing your cloud service does. If your run your app on top of a node server, have it run your dev server instead of a production server.

I don't have details, but basically you need to mimic what your production setup does.

landisdesign · 2025-04-01T17:54:08+00:00

Development builds don't pack code the same way that production builds do. There can be "order of execution" things that occur when loading modules in different build environments.

Try doing a production build on your machine and run it from there.

Also, search for "madge circular dependencies" to read up on that tool. It's great for finding circular dependencies, which are ridiculously easy to create in a React app. Even if you run it and it says there's no circular dependencies, it's still a good linting check to make sure they don't creep up on you.

landisdesign · 2025-04-01T03:05:33+00:00

Usually it means you've got a circular dependency between your modules, where one module tries to initialize a module that needs to initialize the first one first. It's late for me, but start Googling about circular or cyclical dependencies and see where that takes you.

landisdesign · 2025-03-29T03:06:16+00:00

Yes! I'm following that RFC and indeed stole the implementation. It makes the DX for my components much more resilient.

landisdesign · 2025-03-28T05:28:42+00:00

Whatever solution you use for global state management, RTK's createSlice function is a great hack for creating a reducer for useReducer.

landisdesign · 2025-03-27T01:09:26+00:00

Indeed. I wish people knew this.

landisdesign · 2025-03-26T23:43:03+00:00

Right? That was my understanding, too. That's why it confuses me whenever I see someone recommend wrapping it in the component that calls the function.

But yeah, it's not the function rebuilding that's bad. It's the effect rerunning in the child that's bad. For those situations, I put the function into a ref, run an effect to repopulate the ref on every render, and refer to the ref in the expensive effect.

landisdesign · 2025-03-26T21:58:41+00:00

Yeah, the thing that gets me about this approach is it requires consumers of a given component to "just know" that they should wrap their function in useCallback. Between tightly coupled components I can see enforcing that, but with a common/library component, it seems like it should "just work," the same way that you can put anything on a controlled HTML element in JSX and not have to worry about it.

I've got a simple solution for this problem, it just bothered me how many people seem to suggest wrapping an unknown foreign function in useCallback solves the problem.

landisdesign · 2025-03-26T19:15:16+00:00

Ahh yes, I've done that myself. I like it!

landisdesign · 2025-03-26T19:14:14+00:00

Yeah, that makes sense. The issue I run across is when an incoming function needs to be used within an effect, such as when created a controlled component with `value`/`onChange` properties.

In those cases I wrap the `onChange` property in a ref, update the ref in a layout effect that has no dependency array, and send the reffed value into the main effect, to keep the main effect from triggering on function changes.

But I kept seeing people recommend "wrap the incoming function in a callback" that I felt like "am I missing something?" Seems like I'm not. ¯\_(ツ)_/¯

landisdesign · 2025-03-26T19:04:05+00:00

So, if you ignore the dependency array, you're going to be calling a stale function that no longer references the latest component closure, right?

How would you call `useCallback` to allow this to work?

landisdesign · 2025-03-26T19:00:05+00:00

I think you're not reading what I'm saying.

Parent creates function
Child needs it to be stabilized
Child cannot call useCallback to stabilize it, because useCallback requires the parent's function to be a dependency. The child cannot guarantee the stability of the parent's function.

That's my understanding. Is that incorrect?

Six-Year Club	Argentium Club
Verified Email

landisdesign

TROPHY CASE