
How Do You Handle Authentication In Your Projects? What's The Industry Standard? - Programming - Nairaland


How Do You Handle Authentication In Your Projects? What's The Industry Standard? by Devdevdev(f): 1:25pm On Sep 30, 2023
Hi guys. I am really interested in getting your opinions on this issue.

For user authentication I usually send a jwt token stored in a http-only cookie to my frontend. I handle authorization by verifying the token on every request to a protected api endpoint.

How efficient and secure is this?

What is the industry, real-world standard and how do you handle yours?

What would you recommend?
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by BlackhatMentor: 9:26pm On Sep 30, 2023
You'll only try to look down on those who reply.

3 Likes

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by Devdevdev(f): 10:54pm On Sep 30, 2023
BlackhatMentor:
You'll only try to look down on those who reply.

Why would I look down on people trying to assist me?

I am really curious to know. I have done some research and the overwhelming advice is to never build your own auth from scratch but rather to use already tested and secure services like keycloak or at the barest minimum something like passportjs with Oauth.

I want to know how backend engineers on Nairaland handle their auth.
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by BlackhatMentor: 11:01pm On Sep 30, 2023
Devdevdev:


Why would I look down on people trying to assist me?

I am really curious to know. I have done some research and the overwhelming advice is to never build your own auth from scratch but rather to use already tested and secure services like firebase, clerk or keycloak, or at the barest minimum something like passportjs with Oauth.

I want to know how backend engineers on Nairaland handle their auth.


You'll look down on them because before you ask these questions you must have done some research and arrived at a verdict you believe and feel is the way it's done and thus the only way.


Once someone suggests something contrary you'd start replying with your usual derisive comments, remarks and troll-like jabs.

It's evident in all your threads here.

I personally believe you're a gigantic TROLL.

You love being a troll and you love the feeling you get when you feel you're superior over others because of what you think you've learnt.

7 Likes 1 Share

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by YoungCabal: 5:59am On Oct 01, 2023
Devdevdev:
Hi guys. I am really interested in getting your opinions on this issue.

For user authentication I usually send a jwt token stored in a http-only cookie to my frontend. I handle authorization by verifying the token on every request to a protected api endpoint.

How efficient and secure is this?

What is the industry, real-world standard and how do you handle yours?

What would you recommend?

User visits /login, on the backend, you authenticate using bcrypt or whatever algorithm and generate a token which you must send back as response.

On the frontend, you read the response and store the token in httpOnly cookie named XSRF-TOKEN, axios and some other http libraries will automatically pass it for you on each request.

Why store it in httpOnly cookie and not web storage ? Because if you store it in web storage, anyone can read it, using httpOnly cookie makes it impossible for anyone else to read the token except you, the server who sets it.

1 Like

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by tollyboy5(m): 8:38am On Oct 01, 2023
Devdevdev:
Hi guys. I am really interested in getting your opinions on this issue.

For user authentication I usually send a jwt token stored in a http-only cookie to my frontend. I handle authorization by verifying the token on every request to a protected api endpoint.

How efficient and secure is this?

What is the industry, real-world standard and how do you handle yours?

What would you recommend?
JWT is good for most usage when working with APIs. You can use OAuth2 if you want to log in using a third-party app.

https://frontegg.com/blog/oauth-vs-jwt
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by Deicide: 10:24pm On Oct 02, 2023
An HTTP-only cookie only makes sense if the front end and backend are integrated together.

1 Like

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by rockfortdigital: 11:42pm On Oct 02, 2023
I feel you should use the industry standard for the stack you’re building with.

I work with Next.js 13.4 and I use the NextAuth library.

It generates the token upon login and sends it to the session.

From the session, I can authenticate users.
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by DyingFetus: 10:04am On Oct 03, 2023
I create my own API with PHP
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by qtguru(m): 10:29am On Oct 03, 2023
I just use Spring boot security and call it a day. Man no get time.

1 Like

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by Alphabyte2: 4:29pm On Oct 04, 2023
Devdevdev:
Hi guys. I am really interested in getting your opinions on this issue.

For user authentication I usually send a jwt token stored in a http-only cookie to my frontend. I handle authorization by verifying the token on every request to a protected api endpoint.

How efficient and secure is this?

What is the industry, real-world standard and how do you handle yours?

What would you recommend?
Use Auth0 or Firebase Authentication. It offers a range of features such as single sign-on, multi-factor authentication and user management. It also supports various development frameworks and protocols, making it compatible with different types of applications.
Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by airsaylongcome: 9:19pm On Oct 04, 2023
Expecting op to come swinging calling all of you that replied 1d1075 and how supremely elegant their preferred solution is

1 Like

Re: How Do You Handle Authentication In Your Projects? What's The Industry Standard? by BlackhatMentor: 11:28pm On Oct 04, 2023
Devdevdev:
Please if you are a nodejs developer, I want to know what is the industry standard for handling user authentication and authorization.

I have a project and I want to make sure it is as secure as possible. Usually I use jwt tokens stored in a http only cookie that is verified on requests to protected api endpoints, but I read that this method is still vulnerable to attacks.

Most Youtube videos and articles on this subject are just pure trash made by a bunch of idiots and frauds. Me that hasn't even been coding for a year already knows better than most of them.


Please if you have worked professionally with node and express, how did you handle your authentication?

By the way, RIP to the dead.

And the self-acclaimed princess of code never disappoints.


I pity your future employer.

You're sure to make life a living hell for other employees, thereby creating a less conducive atmosphere in your workplace.

1 Like
