Closed kylebaskin closed 2 years ago
Hey @kylebaskin
Keep in mind I'm not an expert either.
My understanding is that this approach is fine because XSS needs an actual vulnerability and CSRF protection doesn't apply to APIs (see e.g. https://stackoverflow.com/questions/10741339/do-csrf-attacks-apply-to-apis). Edit: would need to set SameSite to protect against CSRF.
That said, it seems good practice to set HttpOnly and SameSite on the cookie. I'd be happy to take a PR if you manage to try this approach. However, I don't think HttpOnly would work out of the box because I do read the cookie to pass it to the GQL request as a header (the GQL endpoint would need to rely on cookies as well): https://github.com/thisismydesign/nestjs-starter/blob/2f92842c8d3eb1e230fae1041ef95b499493151a/src/client/app/apollo-client.ts#L12-L18
The best way would be to provide the JWT to the client and let the client handle it however it wants. The challenge here is to handle the redirect from the OAuth provider. This will hit the Nest server and we need a way to provide the JWT to Next. Cookies seemed like a straightforward approach here, but perhaps it's possible to have the OAuth redirect directly to a Next page, or pass the token in our own redirect. With a local strategy though you can definitely handle this all on the client side.
Similar thread on the medium post: https://florian-martens.medium.com/thanks-for-the-write-up-e97d65a65ad1
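An added example (not code from the nestjs-starter repo) of the cookie attributes discussed above: it serializes a Set-Cookie header with HttpOnly, Secure and SameSite, and audits a captured header such as the one Express emits for a bare `res.cookie('jwt', accessToken)` call. The function and option names are assumptions, and no Express dependency is used so it runs stand-alone.

```typescript
// Added example, not part of the nestjs-starter project. Names are hypothetical.
type SameSite = "Strict" | "Lax" | "None";

interface JwtCookieOptions {
  httpOnly: boolean;      // keep the token out of document.cookie (XSS exfiltration)
  secure: boolean;        // only send over HTTPS
  sameSite: SameSite;     // do not attach to cross-site requests (CSRF)
  maxAgeSeconds?: number;
  path?: string;
}

// Hardened defaults for a session-bearing JWT cookie.
const HARDENED_JWT_COOKIE: JwtCookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "Lax",
  path: "/",
};

// Build a Set-Cookie header value. A JWT is base64url segments joined by '.',
// so it contains no ';' or whitespace and needs no extra encoding.
function buildJwtCookie(name: string, jwt: string, opts: JwtCookieOptions): string {
  if (opts.sameSite === "None" && !opts.secure) {
    throw new Error("SameSite=None requires Secure; browsers reject it otherwise");
  }
  const parts = [name + "=" + jwt, "Path=" + (opts.path !== undefined ? opts.path : "/")];
  if (opts.maxAgeSeconds !== undefined) parts.push("Max-Age=" + opts.maxAgeSeconds);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  parts.push("SameSite=" + opts.sameSite);
  return parts.join("; ");
}

// Audit a Set-Cookie header (e.g. captured from the /redirect response) and
// list the protections it lacks. Attribute names are matched case-insensitively.
function auditJwtCookie(setCookie: string): string[] {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const has = (name: string) => attrs.indexOf(name) !== -1;
  const sameSite = attrs.filter((a) => /^samesite=/.test(a))[0];
  const findings: string[] = [];
  if (!has("httponly")) findings.push("missing HttpOnly: token readable by any script on the page");
  if (!has("secure")) findings.push("missing Secure: token may be sent over plain HTTP");
  if (!sameSite) findings.push("missing SameSite: cookie attached to cross-site requests");
  else if (sameSite === "samesite=none") findings.push("SameSite=None: needs a separate CSRF defence");
  return findings;
}
```

Express's default for `res.cookie('jwt', accessToken)` is `jwt=<token>; Path=/`, which the audit flags on all three counts.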
@thisismydesign That makes sense. I'm going to leave it where it's at as I'm still in development and I'll be auditing the security down the line. I'll come back here a little while later after playing around with the cookies/auth flow.
Thanks!
@kylebaskin Thanks again for reporting this. Resolved in https://github.com/thisismydesign/nestjs-starter/pull/29
Bit of a noob here, but isn't storing your jwt in client side cookies insecure?
```ts
@Get('redirect')
@UseGuards(GoogleOauthGuard)
async googleAuthRedirect(@Req() req: Request, @Res() res: Response) {
  const { accessToken } = this.jwtAuthService.login(req.user);
  res.cookie('jwt', accessToken);
  return res.redirect('/profile');
}
```
Isn't this line `res.cookie('jwt', accessToken);` something we want to avoid? In this article, storing your jwt in a token leaves you vulnerable to XSS attacks and even CSRF attacks (even if the cookie is httponly, which also seems to be common practice). The same article linked to above recommends storing in memory. I'll be trying this over the next few days, but I may be misguided - perhaps because googleOauth isn't susceptible to these attacks? Currently developing a local strategy off of this repo.