Authentication flow. Let’s say I don’t need access_token to make queries to some API.
1. I am using React. I press login button, I being redirected to Auth0 server to enter email and password, I type them in, I am being redirected back to callback url in my app. As extra param I get access token. It is indicator that I was authorized. Now I can see protected pages in my app. What exactly should I do on callback page with access_token?
a) I see that it exists, I save flag ‘isLoggedIn’ to store? Then on each protected page I check it before render? But this is just data in redux store, I guess it is possible to easily hack it and change flag, am I right?
b) I save access_token to… somewhere? Where? In one tutorial you say it is unsafe, don’t do it, in another you suggest to save access_token in local storage. What to do? Can you give direct and ready to use answer, please? And what should I do with that token after I save it.
c) Or maby I don’t need to save token at all. Should I use some method to check token validity (aka checkSessionOnAuth0Side() ) in root component each time some rerender happens?
2. And the second part of question reffered to API.
This is how I did authentication and authorisation (but looks that something is broken now, I get errors). My apologise for dirty code. It is not working as an application (you may close browser immediately), it is just code, the most important part for you could understand conception.
Is it correct, am I do it a right way, can I use it? Look at the code, please.