DEV Community

Discussion on: Ruby vs Elixir

wolfiton • Edited

Hi @haricsecic

JWT is old from a security point of view because it doesn't respect the latest specs and can be easily hijacked.

Randall Degges has a great talk on this here youtube.com/watch?v=Ai7PVLl4Wng

HS

Thanks, I'll check it out. I'm aware of some issues, but I'm asking about alternatives and what would be as easy to use in an API-to-API scenario, not browser-to-API.

wolfiton

I don't use APIs, I use GraphQL because it creates a real user experience with great feedback.

Laravel is great once you understand what you can do with it.

HS

GraphQL is an API. Backend services have no user experience when communicating with each other, as the gateway or whatever is the one exposed to the frontend. I think you lack some knowledge in this field to understand the question and why JWT is not so bad as one might think.

wolfiton • Edited

First of all, GraphQL creates a great API that, combined with an SSR framework on the frontend, creates a great user experience and can serve many clients, from mobile to OS, if you know what stacks to use.

JWT has big security problems; I would use an HTTP cookie any day over JWT.

I already assumed that you know that GraphQL will be used with a frontend, and I don't have to mention that.

HS • Edited

As said, you lack some knowledge here. Cookies can also be hijacked. HTTP cookies contain the JWT itself sometimes. The thing you want to complain about is local storage, which was proven to have quite the same security as cookies since there are other ways to exploit them.

Why are you saying "you don't use API but GraphQL" and, once I pointed out "that GraphQL is in fact an API", you go explaining it like I'm saying something bad about it? I'm pointing out that I have background services communicating with each other without any user doing anything. You'll need to work with a much more complex system to understand my point. You can have GraphQL calling other services, including other GraphQL or other types of API, where you're sending a JWT between them and the user has no direct communication with these ones. The point is that GraphQL has nothing to do with the things I'm talking about.