magiclabs / magic-js

Magic browser/React Native JavaScript SDK is your entry-point to integrating passwordless authentication inside your application.
https://magic.link/docs/api-reference/client-side-sdks/web
Apache License 2.0

What is the recommended way to handle sessions for web3 apps in the browser? #227

Closed ianpatton closed 2 years ago

ianpatton commented 2 years ago

❓ Question

What is the recommended way to handle sessions for web3 apps in the browser?

Most of the recommendations and example apps I have seen pass the DID token to the backend API and create sessions with the server via cookie or JWT. However, when doing that, I lose the authenticated session in Magic on subsequent page views (user.isLoggedIn is false) or after refresh in the client (react/next.js) app.

I still see magic data in IndexedDB. Why is user.isLoggedIn() false?

🌎 Environment

| Software | Version(s) |
|---|---|
| magic-sdk | |
| Browser | |
| yarn | |
| Operating System | |

smithki commented 2 years ago

For a web-based use-case, you can take a look at our session management options in Magic Dashboard. However, for a web3 use-case, there are additional security risks with this approach. You'll be responsible for auditing your own application's XSS risk. While our session management approach is better at reducing the surface area of XSS compared to refresh token rotation, it's still a feasible attack vector if you're not careful! For this reason, we usually recommend against using this feature for web3.