Looking at auth0-spa-js, but could potentially use server-side or anything else.
I have an SPA, connecting to a custom backend.
I’d like to persist the access token between requests, but don’t necessarily need access to it from javascript. In fact I’d prefer JS doesn’t have acesss to it.
Looking at the security aspects of localstorage, and my rough idea is to do something like the following.
- Set up CSP to prevent any js not from my domain
- Add a cache provider (custom
cache
option in auth0-js-spa) that makes a call to the API with one part of the token. The server sets a http-only cookie with that part of the token. The other part of the token is stored in localstorage. Theget
part would only be able to retrieve part of the token. - When accessing the backend, the client sends the localstorage part of the token in a header, and the http-only cookie part via cookie (of course).
- The server joins the two parts of the token.
My thinking is:
If only part of the token is in localstorage, it mitigates the risk of anyone retrieving the token via XSS.
If only part of the token is in cookie, it partially mitigates the risk of CSRF session hijacking, and mitigates the risk of retrieving the token via HTTP TRACE.
My questions are:
- Does this seem like a good idea?
- Does this sound like it could be done with auth0-spa-js? Would it prevent token refresh?
- Would I be better doing some server-side integration with auth0?