[ENHANCEMENT] Use Jason Web Token (JWT) for verification

[SethCram]

Is your feature request related to a problem? Please describe.

• Yes, user access should be more secure

Describe the solution you'd like

• Use Jason Web Token (JWT) for verification instead of userid

Describe alternatives you've considered

• Keeping the api as-is

Additional context

• useful tutorial: https://www.youtube.com/watch?v=Yh5Lil03tpI

Development

• [x] watch and take notes JWT

  • https://www.youtube.com/watch?v=Yh5Lil03tpI
  • need client side storage for Context API
  • can auth user connection to API via Session Cookie
    • session stored on server
    • problematic if several servers used for an app
  • can auth user performance of particular actions via JWT
    • JWT consists of headers, user payload info, and verification signature
  • JWT stored by user
  • JWT can be reused for diff servers
  • impl'd rest on my own personal project below
    • way he implemented token refresh didn't work for me
    • since every rerender triggered the addition of another request middleware method

• [x] impl JWT for deletion + updating

  • Currently, can change user username since stored on client side in local storage
  • would allow another user to delete anyone's post/comment since auth's thru username compare
  • Created new JWT everytime user logs in and rets it to them
  • includes important user info in JWT like user id and whether they're the admin
  • JWT sent as an Authorization header
  • For some reason, included "Bearer " before jwt value
  • since access and refresh token not stored in db besides refreshtoken in user's arr
  • have to combine updated user ret'd from db with local user to keep local tokens
  • Attached "verify" middleware to post, comment, and vote updating and deletion
  • no vote deletion currently
  • comment deletion can't be reached from frontend yet
  • should verify these
  • added token fresh API method
  • send a refresh token and if it's verified as urs
  • it's rm'd from ur db arr and a new one's added
  • rets new response token and new access token
  • added username to jwt for easier auth w/ can't use just id
  • decreases # of db retrieval calls this way
  • was trying to use AXIOS middleware to add headers during applicable api calls
  • tried to refresh the access token w/ it'd expired too
  • but api call made to refresh token called axios middleware again + inf looped
  • so, stopped invoking headers on axios post calls
  • axios middleware kept being double invoked every API call
  • changed config auth header to only be set w/ access token updated but that didn't help
  • only thing that solved it was changing to no longer use StrictMode
  • but now also being double-invoked if page not refreshed after first submission attempt
  • user via context api isn't getting their accessToken properly updated
  • possibly bc of placement in root component?
  • scrapped axios middleware and just imported retrieval of axios headers everytime they're needed
  • only had to update local tokens w/ updating user
  • would retrieve a new refresh + access token if needed

• [x] fix wrong accessToken being sent as auth header occasionally

  • possibly bc of how auth header configed globally
  • page refresh usually solves problem
  • stopped using axios middleware which solved this

• [x] shorten token expire to 5-15s before push to prod

  • added an env var to indicate whether in DEV or PROD
  • in DEV, tokens take 15 mins to expire
  • in PROD, tokens take 5s to expire
  • verified dev issued jwt using https://jwt.io/
  • Will need to change ENV var

• [x] check users jwt to enable post, comment, and vote posting

  • didn't do so for category & badge posting bc models don't have any user data storage
  • they don't necessarily require auth
  • ensured new tokens were propogated to updated user
  • untested but similar to previous changes

[SethCram]

Stopping usage of Strictmode recommended as answer but didn't work so told of my solution https://github.com/axios/axios/issues/2825#issuecomment-1502642144

[SethCram]

Same interceptor problem mentioned here https://github.com/axios/axios/issues/2315#issue-473688185 but no good solutions

[SethCram]

From now on, gonna have to login as user to get access JWT if want to update or delete a resource