
Discussion on: Authentication for a Gatsby React GraphQL App

Ryan Bethel Author

Thank you for your feedback. I appreciate you taking the time to read it and give helpful feedback. I take it as a slight compliment that you said I "managed to create a secure-as sessions system" 😃. I suppose I could have done much worse. I agree that the end result doesn't have much advantage over cookie-based sessions and is arguably more complicated. This is the first authentication system I have ever built from scratch. I did it with the purpose of learning authentication a bit better. It started out with the goal of being stateless, as I was originally only going to use the split-cookie approach. As I realized the need for some additional features (CSRF protection, expiring tokens if permissions changed, etc.), it changed incrementally to what is shown in the post. At that point it would probably have been a better idea to switch over to a session-based system.

When I first tweeted a link to this post, I was mainly trying to make the point that if you are talking about using a JWT and storing the token in local storage, it would be better and more secure to use a split token with the signature in an httpOnly cookie, so that the whole token could not be accessed by JavaScript in the client.

Again, thank you for your feedback.