I am currently working on a site using React where I want to be able to log in. My strategy is to send the form data to the server (express) on submit, and if the information matches the user in my database, the server sends back a signed JWT without any sensitive information (just the username).
As soon as the client receives the JWT, I add it to localStorage and also add the decoded data to my redux store. I plan to have a redux store in which the currently logged-in user is kept.
I believe there may be a security issue on my site because of what I currently do when a user first visits the site: if there is a JWT in localStorage, it is added to my axios headers, and the decoded JWT is set as the current user. The code is as follows:
    // Imports assumed for this snippet (paths are hypothetical, not from the original post)
    import jwt from 'jsonwebtoken';
    import store from './store';
    import { setAuthorizationToken } from './utils/setAuthorizationToken';
    import { setCurrentUser } from './actions/authActions';

    // On first load: if a token is present, attach it to every axios request
    // and populate the redux store with the decoded (unverified) payload.
    if (localStorage.jwtToken) {
      setAuthorizationToken(localStorage.jwtToken);
      store.dispatch(setCurrentUser(jwt.decode(localStorage.jwtToken)));
    }
Currently, I have found that if someone just goes into my localStorage, copies my JWT and adds it to their own localStorage, then bam, they are me. I'm not sure if this is really a security flaw, because the only way I could reproduce it myself was to physically copy the token from one browser to another. But overall, it seems very unsafe that my token alone is enough to steal my identity.