VueJS / Vuex App - Validate JWT Token USED for Authentication










2















I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
 sendCredentials: function() 
 const email, password = this
 this.$store.dispatch(AUTH_REQUEST, email, password)
 .then(() => 
 this.$router.push('/')
 )
 .catch((err) => console.log(err.response));


Here is the related action:



actions: {
 [AUTH_REQUEST]: ( commit, dispatch , user) => 
 return new Promise((resolve, reject) => 
 commit(AUTH_REQUEST);
 axios.post('http://localhost:3000/api/login', user)
 .then((resp) => 
 const token = resp.data.token;
 localStorage.setItem('userToken', token);
 commit(AUTH_LOGIN, token);
 resolve(resp);
 )
 .catch(err => 
 commit(AUTH_ERROR, err);
 localStorage.removeItem('userToken');
 reject(err);
 )

 );


I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?






authentication vue.js jwt vuex vue-router







share|improve this question






















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39















2















I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
 sendCredentials: function() 
 const email, password = this
 this.$store.dispatch(AUTH_REQUEST, email, password)
 .then(() => 
 this.$router.push('/')
 )
 .catch((err) => console.log(err.response));


Here is the related action:



actions: {
 [AUTH_REQUEST]: ( commit, dispatch , user) => 
 return new Promise((resolve, reject) => 
 commit(AUTH_REQUEST);
 axios.post('http://localhost:3000/api/login', user)
 .then((resp) => 
 const token = resp.data.token;
 localStorage.setItem('userToken', token);
 commit(AUTH_LOGIN, token);
 resolve(resp);
 )
 .catch(err => 
 commit(AUTH_ERROR, err);
 localStorage.removeItem('userToken');
 reject(err);
 )

 );


I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?






authentication vue.js jwt vuex vue-router







share|improve this question






















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39













2












2








2


0






I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
 sendCredentials: function() 
 const email, password = this
 this.$store.dispatch(AUTH_REQUEST, email, password)
 .then(() => 
 this.$router.push('/')
 )
 .catch((err) => console.log(err.response));


Here is the related action:



actions: {
 [AUTH_REQUEST]: ( commit, dispatch , user) => 
 return new Promise((resolve, reject) => 
 commit(AUTH_REQUEST);
 axios.post('http://localhost:3000/api/login', user)
 .then((resp) => 
 const token = resp.data.token;
 localStorage.setItem('userToken', token);
 commit(AUTH_LOGIN, token);
 resolve(resp);
 )
 .catch(err => 
 commit(AUTH_ERROR, err);
 localStorage.removeItem('userToken');
 reject(err);
 )

 );


I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?






authentication vue.js jwt vuex vue-router







share|improve this question














I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
 sendCredentials: function() 
 const email, password = this
 this.$store.dispatch(AUTH_REQUEST, email, password)
 .then(() => 
 this.$router.push('/')
 )
 .catch((err) => console.log(err.response));


Here is the related action:



actions: {
 [AUTH_REQUEST]: ( commit, dispatch , user) => 
 return new Promise((resolve, reject) => 
 commit(AUTH_REQUEST);
 axios.post('http://localhost:3000/api/login', user)
 .then((resp) => 
 const token = resp.data.token;
 localStorage.setItem('userToken', token);
 commit(AUTH_LOGIN, token);
 resolve(resp);
 )
 .catch(err => 
 commit(AUTH_ERROR, err);
 localStorage.removeItem('userToken');
 reject(err);
 )

 );


I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?






authentication vue.js jwt vuex vue-router




authentication vue.js jwt vuex vue-router






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 14 '18 at 19:13









Vidushan ChooriyakumaranVidushan Chooriyakumaran

229




229












  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39

















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39
















Could you use cookies to store your token instead of local storage?

– Andrew1325
Nov 14 '18 at 21:32





Could you use cookies to store your token instead of local storage?

– Andrew1325
Nov 14 '18 at 21:32













@Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

– Vidushan Chooriyakumaran
Nov 14 '18 at 21:41





@Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

– Vidushan Chooriyakumaran
Nov 14 '18 at 21:41













You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

– Andrew1325
Nov 14 '18 at 22:06





You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

– Andrew1325
Nov 14 '18 at 22:06













I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

– Vidushan Chooriyakumaran
Nov 14 '18 at 22:15





I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

– Vidushan Chooriyakumaran
Nov 14 '18 at 22:15













I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

– Andrew1325
Nov 14 '18 at 22:39





I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

– Andrew1325
Nov 14 '18 at 22:39












1 Answer
1






active

oldest

votes


















1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15










Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53307261%2fvuejs-vuex-app-validate-jwt-token-used-for-authentication%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15















1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15













1












1








1







I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer













I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 15 '18 at 8:13









Imre_GImre_G

972721




972721












  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15

















  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15
















I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

– Vidushan Chooriyakumaran
Nov 15 '18 at 11:15





I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

– Vidushan Chooriyakumaran
Nov 15 '18 at 11:15



















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53307261%2fvuejs-vuex-app-validate-jwt-token-used-for-authentication%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Darth Vader #20

Image
Wiki Characters Creators Teams Volumes Issues Publishers Locations Concepts Things Story Arcs Movies Series Episodes New Comics Forums Gen. Discussion Bug Reporting Delete/Combine Pages Artist Show-Off Off-Topic Contests Battles Fan-Fic RPG Comic Book Preview API Developers Editing & Tools Podcast Quests Community Top Users Activity Feed User Lists Community Promos Archives News Reviews Videos Podcasts Previews Login / Sign Up All Wiki     Arcs     Characters     Companies     Concepts     Issues     Locations     Movies     People     Teams     Things     Volumes     Series     Episodes Editorial     Videos     Articles     Reviews     Features Community     Users Wiki Characters Creators Teams Volumes Issues Publishers Locations Concepts Things Story Arcs Movies Series Episodes New Comics Forums Gen. Discussion Bug Reporting Delete/Combine Pages Artist Show-Off Off-Topic Contests Battles Fan-Fic RPG Comic Book Preview API Developers Editing & Tools Podcast Quests Com
Read more

How to how show current date and time by default on contact form 7 in WordPress without taking input from user in datetimepicker

Image
0 I have a "Ask for demo" form which has two options, 1. Contact me now and 2. Schedule a demo. If user selects option 1 then current date and time should by displayed on form and if he selects option 2 then A calendar is shown for taking user input. My problem is getting current date and time by default on form. Please help. TIA contact-form-7 share | improve this question asked Nov 12 '18 at 9:01 abhi25 abhi25 14 5 add a comment  |  0 I have a "Ask for demo" form which has two options, 1. Contact me now and 2. Schedule a demo. If user selects option 1 then current date and time should by displayed on form and if he selects option 2 then A calendar is shown for taking user input. My problem is getting current date and time by default on form. Please help. TIA contact-form-7 share | improve this question asked Nov 12 '18 at 9:01 abhi25 abhi25 14 5 add a commen
Read more

Ondo

Image
Der Titel dieses Artikels ist mehrdeutig. Zu weiteren Bedeutungen siehe Ondo (Begriffsklärung). Ondo Basisdaten Hauptstadt: Akure gegründet: 3. Februar 1976 Gouverneur: Rotimi Akeredolu ISO 3166-2: NG-ON Fläche Fläche: 15.500 km² Rang in Nigeria: 25 Bevölkerung Einwohner: 4.671.700 (2016) Bevölkerungsdichte: 320 Einw./km² (2016) Rang in Nigeria: 18 Lage von Ondo in Nigeria Ondo ist ein Bundesstaat des westafrikanischen Landes Nigeria mit der Hauptstadt Akure, die mit 420.623 Einwohnern (2005) auch die größte Stadt des Bundesstaates ist. Inhaltsverzeichnis 1 Geografie 2 Geschichte 2.1 Liste der Gouverneure und Administratoren 3 Verwaltung 4 Wirtschaft Geografie | Der Bundesstaat liegt im Südwesten des Landes und grenzt im Norden an den Bundesstaat Ekiti, im Nordwesten an den Bundesstaat Osun, im Nordosten an den Bundesstaat Kogi, im Süden an den Atlantik, im Südosten an den Bundesstaat Delta, im Westen an den Bundesstaat Ogun und im Osten an den Bundesstaat Edo. Geschichte | Der
Read more