DEV Community

Discussion on: Should save access token in local storage?

Eduardo Rabelo • Edited

I recommend this article as a read:

Please Stop Using Local Storage
rdegges.com/2018/please-stop-using...

Its author is a bit rough, but the section "Sensitive Data" describes one secure way to store/use client-side tokens in an SPA.

tl;dr: create a cryptographically signed session identifier cookie on the server, set the httpOnly flag to prevent the browser from reading any cookie data, use the SameSite=strict; secure=true cookie flags; for every subsequent client-side request you need to send the fetch credentials to the server; on the server you extract/decode the cookie and retrieve any sensitive information.

Eduardo Rabelo • Edited

another good one is:

Using Rails Session Cookies for API Authentication
pragmaticstudio.com/tutorials/rail...

Tools/stack aside, it's a well-written article about API access tokens/client-side apps (coincidentally it's in Vue too): first he stores it in localStorage, explains the drawbacks, and changes it to use the signed session/HTTP-only cookie (same solution as the article above).

Ronald

Thank you! Both posts were excellent!