VueJS / Vuex App - Validate JWT Token USED for Authentication










2















I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
sendCredentials: function()
const email, password = this
this.$store.dispatch(AUTH_REQUEST, email, password)
.then(() =>
this.$router.push('/')
)
.catch((err) => console.log(err.response));




Here is the related action:



actions: {
[AUTH_REQUEST]: ( commit, dispatch , user) =>
return new Promise((resolve, reject) =>
commit(AUTH_REQUEST);
axios.post('http://localhost:3000/api/login', user)
.then((resp) =>
const token = resp.data.token;
localStorage.setItem('userToken', token);
commit(AUTH_LOGIN, token);
resolve(resp);
)
.catch(err =>
commit(AUTH_ERROR, err);
localStorage.removeItem('userToken');
reject(err);
)

);



I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?










share|improve this question






















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39















2















I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
sendCredentials: function()
const email, password = this
this.$store.dispatch(AUTH_REQUEST, email, password)
.then(() =>
this.$router.push('/')
)
.catch((err) => console.log(err.response));




Here is the related action:



actions: {
[AUTH_REQUEST]: ( commit, dispatch , user) =>
return new Promise((resolve, reject) =>
commit(AUTH_REQUEST);
axios.post('http://localhost:3000/api/login', user)
.then((resp) =>
const token = resp.data.token;
localStorage.setItem('userToken', token);
commit(AUTH_LOGIN, token);
resolve(resp);
)
.catch(err =>
commit(AUTH_ERROR, err);
localStorage.removeItem('userToken');
reject(err);
)

);



I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?










share|improve this question






















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39













2












2








2


0






I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
sendCredentials: function()
const email, password = this
this.$store.dispatch(AUTH_REQUEST, email, password)
.then(() =>
this.$router.push('/')
)
.catch((err) => console.log(err.response));




Here is the related action:



actions: {
[AUTH_REQUEST]: ( commit, dispatch , user) =>
return new Promise((resolve, reject) =>
commit(AUTH_REQUEST);
axios.post('http://localhost:3000/api/login', user)
.then((resp) =>
const token = resp.data.token;
localStorage.setItem('userToken', token);
commit(AUTH_LOGIN, token);
resolve(resp);
)
.catch(err =>
commit(AUTH_ERROR, err);
localStorage.removeItem('userToken');
reject(err);
)

);



I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?










share|improve this question














I have a VueJS App, using Vuex & Vue Router.
I have 3 components (which are also pages): Home, Login and a Protected Page which requires one to be authenticated.



The login page make a POST call to the backend API which returns a token if the credentials are valid.



 methods: 
sendCredentials: function()
const email, password = this
this.$store.dispatch(AUTH_REQUEST, email, password)
.then(() =>
this.$router.push('/')
)
.catch((err) => console.log(err.response));




Here is the related action:



actions: {
[AUTH_REQUEST]: ( commit, dispatch , user) =>
return new Promise((resolve, reject) =>
commit(AUTH_REQUEST);
axios.post('http://localhost:3000/api/login', user)
.then((resp) =>
const token = resp.data.token;
localStorage.setItem('userToken', token);
commit(AUTH_LOGIN, token);
resolve(resp);
)
.catch(err =>
commit(AUTH_ERROR, err);
localStorage.removeItem('userToken');
reject(err);
)

);



I have used navigation guard to block access to the protected page if the user is not logged in.



This is actually working: When I go the protected page, I'm asked to log in. When I use the rights credentials, I'm able to access the protected page.



I have yet a huge bug: When I put any random string on the localStorage as the userToken, I can access the protected page...



How to prevent that ?



The initial state is defined as below:



state: ,


Is there a way to validate the userToken which I get through the localStorage when I set up the initial state of token ?







authentication vue.js jwt vuex vue-router






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 14 '18 at 19:13









Vidushan ChooriyakumaranVidushan Chooriyakumaran

229




229












  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39

















  • Could you use cookies to store your token instead of local storage?

    – Andrew1325
    Nov 14 '18 at 21:32











  • @Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 21:41











  • You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

    – Andrew1325
    Nov 14 '18 at 22:06











  • I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

    – Vidushan Chooriyakumaran
    Nov 14 '18 at 22:15











  • I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

    – Andrew1325
    Nov 14 '18 at 22:39
















Could you use cookies to store your token instead of local storage?

– Andrew1325
Nov 14 '18 at 21:32





Could you use cookies to store your token instead of local storage?

– Andrew1325
Nov 14 '18 at 21:32













@Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

– Vidushan Chooriyakumaran
Nov 14 '18 at 21:41





@Andrew1325 I can use cookie but don't we have the same issue ? I can create the cookie with document.cookie="userToken=1234".

– Vidushan Chooriyakumaran
Nov 14 '18 at 21:41













You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

– Andrew1325
Nov 14 '18 at 22:06





You need to store the token in your api also and validate it. If anything is client side only it is always vulnerable. Cookies allow you to pass header information to the server which local storage doesn't.

– Andrew1325
Nov 14 '18 at 22:06













I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

– Vidushan Chooriyakumaran
Nov 14 '18 at 22:15





I'm using express-jwt to validate the cookie on the back-end. I have some endpoints that can be reached only if the token is valid. For the restricted routes in the client app, I don't understand how to proceed as what I'm checking is only if I have a token. How can I validate the token through the API when I initiate my state then ?

– Vidushan Chooriyakumaran
Nov 14 '18 at 22:15













I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

– Andrew1325
Nov 14 '18 at 22:39





I use nuxt and call the verification through nuxtServerInit but in vue you should still be able to call a validation method with beforeMount. Although this isn't called during SSR so if your doing that you'd need something else.

– Andrew1325
Nov 14 '18 at 22:39












1 Answer
1






active

oldest

votes


















1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15










Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53307261%2fvuejs-vuex-app-validate-jwt-token-used-for-authentication%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15















1














I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer























  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15













1












1








1







I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.






share|improve this answer













I have been wondering the same thing a while ago. What I ended up with is to check the token against your backend on initial loading of your page. If the token is valid you commit it to Vuex, if the token is invalid, you delete everyting from localStorage.



This leads to the outcome where someone hypothetically could replace the token after initial load with their own invalid token, but if the clientside token is already validated, what would be the point? If you want to secure against this scenario as well you could apply the same logic in your navigation guard. So not just check for a token, but validate the token against your backend on each route change and clear localStorage if invalid. I think this will come at a performance disadvantage though due to the extra API call.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 15 '18 at 8:13









Imre_GImre_G

972721




972721












  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15

















  • I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

    – Vidushan Chooriyakumaran
    Nov 15 '18 at 11:15
















I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

– Vidushan Chooriyakumaran
Nov 15 '18 at 11:15





I finally ended by doing that verification call on my main.js It's perfectly working now, thanks!

– Vidushan Chooriyakumaran
Nov 15 '18 at 11:15



















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53307261%2fvuejs-vuex-app-validate-jwt-token-used-for-authentication%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Use pre created SQLite database for Android project in kotlin

Darth Vader #20

Ondo