Thanks Anuj for your insights.

Hi Isuru,

It might help to draw up an architecture of front-end UI components to backend security gateway to brainstorm this and arrive at a consensus on handling API security for UIs.

Suresh

> On Jul 7, 2020, at 7:52 PM, anuj bhandar <[email protected]> wrote:
>
> I agree with your research, Options [1] & [2] are not recommended.
>
> We use AWS Amplify (https://aws.amazon.com/amplify/) to handle that scenario; our tech stack comprises a React front-end, AWS Amplify integrated with our company's SSO provider, and a Rails API backend.
>
> Using a third party like AWS Amplify will not handle all the security concerns; you will have to pay special attention to token validity. JWT claims offer a good amount of control if set up properly (https://tools.ietf.org/html/rfc7519).
>
> I am not sure if this was helpful. Happy to help wherever I can.
>
> Thanks,
> Anuj Bhandar
> Intuit Inc.
>
> On Tue, Jul 7, 2020 at 3:52 PM Rastogi, Shivam <[email protected]> wrote:
>> Hi Everyone,
>>
>> Just wanted to check if anyone has any experience in securing Single Page Webapps using JWT tokens.
>>
>> Challenge
>>
>> The challenge we are facing is how to store the JWT token at the client side in the browser, which will be used to securely call the back-end APIs.
>>
>> Background
>>
>> We are working on the Custos UI portal and one of the design options that we are considering is to directly call the Custos backend APIs from client-side JavaScript. The basic flow would look like:
>>
>> 1. User logs in using username and password from the login screen using the login API.
>> 2. JWT token and basic user information are returned to the client in the response.
>> 3. In subsequent API requests, the user will send this authentication token. But how to store this token at the client side?
>>
>> Options
>>
>> - Store it in localStorage - This is not considered to be secure as localStorage is vulnerable to XSS attacks - https://dev.to/rdegges/please-stop-using-local-storage-1i04
>> - Store the JWT token in an httpOnly cookie - The browser adds the cookie to all the API calls - vulnerable to CSRF attacks and needs to be protected using a CSRF token or in some other manner. Do you have any experience implementing these securely?
>> - Have an authentication middleware (API gateway) - All user requests are routed to the API gateway, which authenticates the users using a sessionId and then re-routes the requests to the API by including the user's JWT token or session information. More of a traditional way of doing things, but some big companies use this approach, like Airbnb as per this article - https://medium.com/airbnb-engineering/building-services-at-airbnb-part-2-142be1c5d506
>>
>> It would be really helpful if you can provide any inputs or share your experience with SPAs.
>>
>> Thanks and regards,
>> Shivam Rastogi
