L
L
lexstile2021-12-18 23:02:14
JSON Web Token
lexstile, 2021-12-18 23:02:14

How to properly organize the authorization/authentication architecture?

access token - localStorage refresh token
- cookie (httpOnly, Secure) I drew the following scheme for myself
for private routes (requests): the scheme indicates that in this case there is a redirect to the login (login) page, but the user can clear localStorage forcibly, but we cannot check from the front if the refresh token exists at the moment). 2. The second point, is it necessary to check the access token before requesting a delay? (That is, we start making a request, the token is expired - we learn about this not by 401 errors from the back, but by decoding and viewing the exp parameter - then we get a new one and continue to do the previous operation)
61be3b6786726848449220.png

What is the best thing to do in these situations?

Answer the question

In order to leave comments, you need to log in

1 answer(s)
I
Ivan Shumov, 2021-12-19
@lexstile

1. Yes, and do not care. They didn’t send a token (for any reason) - we don’t know you, go get a coupon address here
2. If we are talking about the front, then it’s good, but in practice it doesn’t play a role because the behavior of 401 unauthorized is still implemented (token can just withdraw)

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question