I have a Node Express REST API where I can make a GET request to a user controller, /users/:id, where :id is the user ID number stored in the database. I also have a React-Redux client application that makes API calls. To make a request, the client application needs access to the user ID, but I am currently not sure of the best way to store the user ID on the client side.
For added context, my API sends a JWT token to the client when it logs in, which contains the user ID; the client application stores the token in localStorage. When a client makes a request, the API verifies that the user ID in the decoded token matches the identifier contained in the URL before sending a response to the client.
I see two possible solutions:
- Decode the JWT token on the client and use the user ID stored in the token to invoke the API call. I think this is a potential security risk, because I believe that I will need to keep a secret in the client application. In addition, anyone with a token can access user information.
- The API sends the user ID during authentication, and the client stores it in localStorage. (I don't think that storing it in the Redux store will work, since the user can update or clear the state of the user ID.) I believe that this is not the best practice, since I do not see many other client applications taking this approach.
Which of the two is the best solution, or is there another approach that I am not considering?