I have a regular web app, with a browser client and a database that lives on the server, with the backend written in Go. The database can save access tokens.
I have tried to implement Authorization Code Flow (https://auth0.com/docs/flows/authorization-code-flow). I’m confused about whether or not I should be using the access token and exposing it in the browser React code. I have seen recommendations from Auth0 that the access token should be stored on the server if possible (for example, see here: "Which is the best way to store the auth0 token for a web app"); but does this mean that I may allow the client React code to use the access token?
In order to avoid exposing the access token to the browser and React client code at all, I have implemented a cookie-based authentication mechanism. Upon logging in, a cookie is stored in the browser, and then this cookie (sent via HTTP request) is used in the backend to retrieve an access token from my server-side database. This access token is then validated and used upon every API request to my server.
Is this implementation reasonable?
Let me know which implementation is preferred.
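The cookie-to-token lookup described in the question, as an added Go example that is not the poster's code or Auth0's SDK; the in-memory map stands in for the server-side database, and the names StartSession and TokenFromRequest are assumptions:

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
	"time"
)

// session is a hypothetical in-memory stand-in for the server-side database.
type session struct {
	accessToken string
	expiresAt   time.Time
}
var mu sync.Mutex
var sessions = map[string]session{}

// StartSession mints a random, unguessable ID, stores the access token behind
// it and hands the browser only the ID, HttpOnly so React code cannot read it.
func StartSession(w http.ResponseWriter, accessToken string, ttl time.Duration) error {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	id := base64.RawURLEncoding.EncodeToString(b)
	mu.Lock()
	sessions[id] = session{accessToken, time.Now().Add(ttl)}
	mu.Unlock()
	http.SetCookie(w, &http.Cookie{Name: "session", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return nil
}

// TokenFromRequest resolves the cookie to a still-valid access token for the
// API handler to use server-side; missing or expired sessions are rejected.
func TokenFromRequest(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	mu.Lock()
	defer mu.Unlock()
	sess, ok := sessions[c.Value]
	if !ok || time.Now().After(sess.expiresAt) {
		delete(sessions, c.Value)
		return "", false
	}
	return sess.accessToken, true
}
```

The API handler calls TokenFromRequest and then validates and uses the returned token itself, so the token never appears in a response to the browser.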