<a target="_blank" rel="noopener noreferrer" href="https://github.com/deniapps/nextfeathers">NextFeathers</a> uses JSON web token (JWT) for authentication when calling the Restful API implemented by FeathersJS. &nbsp; The JWT token was simply saved in the browser's localStorage and removed when the user is logged out. Many people said this is very bad because the hacker could run Javascript via what so-called XSS on your website, and read the data from localStorage. Personally, I kinda against this because it's unlikely happened, and as I know that is how <a target="_blank" rel="noopener noreferrer" href="https://github.com/aws-amplify/amplify-js/issues/3224">AWS-amplify </a>works by default. But there is indeed a risk, so I would like to fix it.<figure class="image"><img src="https://images.unsplash.com/photo-1562663626-db7642010d11?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=1080&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjE1NDAxMH0"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@dfartek?utm_source=DNX&amp;utm_medium=referral">David Fartek</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure>Saving JWT to HttpOnly Cookie sounds like a solution, but there is an issue that I have &nbsp;“Next' and ”Feathers" on different domains (i.e. different ports,) and the cookie can only be sent with requests made to the same domain inside a <code>Cookie</code> HTTP header. That means, we set the httpOnly cookie on deniapps.com, which cannot be sent to api.deniapps.com, so we are not able to pass the JWT token for authentication. To fix this, we have to use a middleware called Proxy. So the API request will be sent to the same domain, for example, https://deniapps.com/api/proxy/post, and then the Proxy will pass the request to the real API at https://api.deniapps.com/post.&nbsp;The overall workflow is like below:<ol><li>User logs in at https://deniapps.com/api/proxy/authentication.</li><li>The proxy transfers the request URL to the real API endpoint, for example, http://localhost:3030/authentication&nbsp;</li><li>Before the proxy sends the response back to the client, it saves the accessToken to the httpOnly cookie and sends only the user's info (like username, email, etc.) back to the client.</li><li>The client saves the user's info into the user context used by other page components.</li><li>When the client makes any private API call, it calls the proxy endpoint, like https://deniapps.com/api/proxy/posts.</li><li>The proxy reads the cookie for JWT, which is set to the “Authorization” header before calling the real URL endpoint.</li><li>When the client receives the response passed by the proxy, it checks the HTTP status. If it's 401, then log out the user, otherwise, use response data to render the page.</li></ol>The main part is pages/proxy/[…path].js, which I modified from the one in <a target="_blank" rel="noopener noreferrer" href="https://maxschmitt.me/posts/next-js-http-only-cookie-auth-tokens/">Max's post</a>. (Thank you! Max)<pre><code class="language-javascript" id="j1zy23qDh">import httpProxy from "http-proxy";
import Cookies from "cookies";
import url from "url";

const API_URL = process.env.API_HOST;

const proxy = httpProxy.createProxyServer();

export const config = {
 api: {
 bodyParser: false,
 },
};

export default (req, res) =&gt; {
 return new Promise((resolve, reject) =&gt; {
 const pathname = url.parse(req.url).pathname;
 const isLogin = pathname === "/api/proxy/authentication";

 const cookies = new Cookies(req, res);
 const authToken = cookies.get("auth-token");

 // Rewrite URL, strip out leading '/api'
 // '/api/proxy/*' becomes '${API_URL}/*'
 req.url = req.url.replace(/^\/api\/proxy/, "");

 // Don't forward cookies to API
 req.headers.cookie = "";

 // Set auth-token header from cookie
 if (authToken) {
 req.headers["Authorization"] = authToken;
 }

 proxy
 .once("proxyRes", (proxyRes, req, res) =&gt; {
 if (isLogin) {
 let responseBody = "";
 proxyRes.on("data", (chunk) =&gt; {
 responseBody += chunk;
 });

 proxyRes.on("end", () =&gt; {
 try {
 const { accessToken, user } = JSON.parse(responseBody);
 const cookies = new Cookies(req, res);
 cookies.set("auth-token", accessToken, {
 httpOnly: true,
 sameSite: "lax", // CSRF protection
 });

 res.status(200).json({ user });
 resolve();
 } catch (err) {
 reject(err);
 }
 });
 } else {
 resolve();
 }
 })
 .once("error", reject)
 .web(req, res, {
 target: API_URL,
 autoRewrite: false,
 selfHandleResponse: isLogin,
 });
 });
};
</code></pre>I also created a local API to check if the user is logged in named “check-login.js” as below:<pre><code class="language-javascript" id="O5OpdguAb">/**
 * pages/api/check-login.js
 *
 * A API endpoint for checking if the user is logged in.
 */
import { isExpired } from "helpers/common";

export default (req, res) =&gt; {
 const Cookies = require("cookies");
 const cookies = new Cookies(req, res);
 const authToken = cookies.get("auth-token") || "";

 const loggedIn = !isExpired(authToken);

 res.status(200).json({
 loggedIn,
 });
};</code></pre>I checked user is logged in in the _app.js when the componentDidMount, so basically every time a page is hard loaded, it will check if the user is logged in, if so, user info is shown on the header, otherwise, the “Login” button is shown instead.<pre><code class="language-plaintext" id="DcTiwQgBJ">/**
 * pages/_app.js
 */ 
 componentDidMount = async () =&gt; {
 const deniUser = localStorage.getItem(NEXT_PUBLIC_USER_LC_KEY);

 if (deniUser) {
 const userStatus = await axios
 .get("/api/check-login")
 .then((response) =&gt; response.data);
 if (userStatus.loggedIn) {
 const deniUserObj = JSON.parse(deniUser);
 this.setState({
 user: deniUserObj.firstName,
 });
 }
 }
 this.setState({
 isReady: true,
 });

 };</code></pre><h3>Note</h3>Initially, I used https://api.deniapps.com in the production, but go the following error:<pre><code class="language-plaintext" id="kEVvo-6By">SyntaxError: Unexpected token in JSON at position 0</code></pre>I think it's related to HTTP. To use HTTPS as a proxy target, we need to use “SSL” options with key/cert defined. But since, I have an API server running on the same server with a different port, so I could just change it to http://localhost:5050.&nbsp;Also, here I don't set cookie expiration, so it expires at the end of the session (the could mean a different thing for different browsers.)&nbsp;The last thing, you may take a look at how I implement the log out at &nbsp;<a target="_blank" rel="noopener noreferrer" href="https://github.com/deniapps/nextfeathers">NextFeathers</a>. And check out how to <a target="_blank" rel="noopener noreferrer" href="https://deniapps.com/blog/jwt-token-auto-renew-auto-logout">renew the access token</a> if needed.

NextFeathers uses JSON web token (JWT) for authentication when calling the Restful API implemented by FeathersJS.   The JWT token was simply saved in the browser's localStorage and removed when the user is logged out. Many people said this is very bad because the hacker could run Javascript via what so-called XSS on your website, and read the data from localStorage. Personally, I kinda against this because it's unlikely happened, and as I know that is how AWS-amplify works by default. But there is indeed a risk, so I would like to fix it.

All Posts In Jw