Regular web app plus protected API

I have implemented one site using Auth0 and a SPA… in this case I implemented REST endpoints and accessed them from Angular using an access_token stored in local storage.
(REST endpoints protected using jwt and jwtAuthz)

I am now creating a second site but this time a Regular Web Application using pug templates rendered on the back end.
90% of the site is created this way but I also need to include a couple of REST endpoints for certain actions from some buttons.
I would like to protect these endpoints so that only the signed in user can access them… same as in the SPA above.
My understanding is that the access_token is now in the cookie? Is this correct?
How can I use it when doing for example a jQuery call to the REST endpoint?

Many thanks

Hi @jamesrdelaney,

Welcome to the Auth0 Community Forum!

You should not be storing the token in localStorage; it is vulnerable to XSS attacks.

If you are using a normal web app setup then the token is requested and stored on the backend.

I will have to research this more, but I would suspect that you will want to register your client side app like a SPA and request an access token, because you are making ajax requests like a SPA.

Does that make sense?
