Am I safe with my authentication in React or not?

alt1 · June 13, 2020, 12:04am

My code - // Appclass App extends Component { render() { //... - Pastebin.com
I check token on each component (page) render from for set of protected pages. On each request to backend I send auth parameters:

axios({        
    url: crmApiURL + url,
    params: {
        ...extraParams,
        ...authData
    }
//...
var authData = {
        action,
        user_access_token: accessToken,
        timestamp: currenttime,
        hash: _signData(action, currenttime, crmApiSecret)
    };

At backend for group of protected routes I have middleware which checks: my selfmade hash, lifetime of request (I’ve set some real empirical value for my conditions, something about 5 sec), validity of JWT (request to Auth0) again and then check user’s permissions for access to requested route (based on payload inside JWT). What can you (or anyone else) say about security, can we say that my communication of React and backend is secure? And I am using SSL for CRM.

P.S. As you see in my code, I store JWT in React Redux store.

thameera · June 15, 2020, 2:56am

Hi @alt1, this code will send these values as query parameters. This is not recommended due to reasons like the request URL being accessible in browser history and most servers/load balancers logging the full URL thus leaking the tokens. Please consider using a header or a POST body instead.

Auth0’s recommendation is to pass the access token in the Authorization header as a bearer token. Have you checked out this document? Auth0 React SDK Quickstarts: Call an API