Sending the refresh token with each API call is completely at odds with the aim of the access/refresh token paradigm where the short lived access token goes out with API requests, and the refresh token is only used to request new access tokens. The fix is simple; scope the cookie to only the path for requesting a new access token. This keeps all the benefits described of access token in memory, refresh token in cookie, and avoids having the refresh token "hanging around" where it shouldn't be (e.g. API requests that may dump the request to logs, leaking the long lived refresh tokens)
how would this be implemented in a GraphQL server? All requests would have the same 'scope' and since the cookie is not accessible via JS we cannot selectively add/remove it from requests.
Storing in memory would still be vulnerable to XSS, however, an attacker would have to reverse engineer your application to find where you store it in memory.
I think there might be an exploit without doing any re. Just use a proxy to check the requests that get made, to see how the refresh token is used. Then in the payload do a fetch and get an access token.
@@Yutaro-Yoshii you misunderstood what Julien wrote. You can see what PATH has been called to get the access token, so you "attacker" can call it as well and get the access token.
@@zerefdev Path is also TLS encrypted in https. Though there are some ways to get around this using man in the middle tool like mitmproxy so that might be what he meant. But to get this to work you'd need root write access to trusted CA list on the client so it's not a free pass.
If the attacker see your network activity, he'll know the "refresh" strategy and will be able to do an attack that first, go to refresh and get a new token, and then use this token to do malicious activity..
Access to cookies from JavaScript can be blocked easily so actualy XSS is not an issue. If you blocked, browsers will manage cookies in request and responses. Atacker may can stole cookies in file system using a malware anyway but i think it is not a big case. You don't need to store token in memory, this is just increase the complexibility.
there is no difference keeping it in memory or localstorage , they are both vulnerable to xss. and the access token scenario is the same as server side sessions with the difference of sending the request every 15 minute instead of every request and has problem with microservice architecture you mentioned. but I agree this is a good approach that the refresh token service can has a black list (not bad idea)
@@bawad 1- if the token is attached in URL param => simply override the XMLHttpRequest to tamper the details, works on all browsers 2- create a new request to the /refresh_token url and get new valid token, works on all browsers 3- if the variable is global (easily accessible!) 4- angular scopes are easily accessible ... I didn't tried react component variable scopes before
@@bawad of course not (xss is unwanted js, there no escape of possible harms), preventing the xss is vital, approaches like keeping the tokens in localstorage/indexeddb/memory are just about making it harder not preventing it! so why do we make it harder to develop in comparison keeping it in localstorage? preventing xss in not the answer making xss harder is not enough reason to me with vulnerability to xss keeping the token in cookie isn't important too, the attacker can request any endpoint he wants while the user is online (just preventing later usage of tokens)
I read the article but I don't understand how memory storage is any better than local storage. Both are immune to CSRF, but both are very easily accessible from JS, so why bother?
I also found this article interesting. Another thing that this kind of approach only authenticates client side. I show a few websites which generally keep access token in cookies and use a csrf token and that's why if we open 'view source', it also gives you authenticated user details whereas in this article's case, it gets user details client side and looks more secure.
The main reason token is over cookie is to decouple the app from the auth server. If it is not a concern, go with cookie. Your way the cookie is the session on the server like the traditional way only access token is renewable to keep user always logged in and cookie can replace refresh token . Server just need to renew the session keep cookie alive in order to keep getting new access token when it expired . Only drawback is that it is not scalable as good as token
Unless I'm mistaken, this is vulnerable by XSS combined with CSRF. Code is injected that calls the refresh token endpoint as well as using the returned access token to make a second request. Please correct me if I am wrong.
i think you're right @patricknazar, i'm still confusing how to store the token in a public client and protect them from xss and xsrf attacks. do you have any suggestions ?
If the refresh token is sent in an HttpOnly cookie, does that mean the client and server have to be on the same domain? If so, this pattern can't be applied when a SPA is on a different domain than the API.
I dont think httponly means same domain. It means javascript cant access it. But javascript can still make a request somewhere and it will automatically be sent with the request. Not sure if im 100% right tho
Enjoyed your video. Some thoughts I am thinking... How is storing the JWT in memory (JS variable) not vulnerable to XSS just like local or session storage? Why not stick with storing the JWT in a cookie with HTTP only? CSRF is much easier to mitigate by using a CSRF token over XSS.
I think it's because with XSS you can't read JS variables (or maybe you don't know which one is the token), but if you put it in localStorage an xss can read from that I think that's a valid way to do it if you want to protect against csrf with a token
This is what I was thinking, even if the name of the variable in memory isn't known to the 'malicious script' it wouldn't be too difficult for it to iterate through the variables looking for an object that even vaguely resembles that of a JWT or the like.. I'm still thinking http only cookie is the way to go for that belt and braces security feel..?
@@bawad No I'm not 100% either to be honest, I'll have a look into that for sure. It does feel like something that might be possible even if it were a convoluted way, hackers will go to great lengths to steal sh#t :(
Than you for the voideo. One thing that is not clear for me: why malicious user get nothing from a refresh request when he's got a valid refresh token?
While it does help with CSRF, I don't see how it helps with XSS. If you have an XSS then you just make your payload do a fetch() request with credentials to obtain an access token. As you said, in the case of a CSRF, the SOP will prevent you from reading the access token. But this is not the case with an XSS, where the request will be same-origin.
Many thanks for your informative and humorous videos, Ben, but what exactly is the difference to session cookies with a csrf token? The refresh token reminds me of the session id cookie and the JWT would be the csrf token.
If the refresh token is stored in an httpOnly cookie it would make this strategy unviable for setups where the client and the backend are on different domains and even ports, no? Since cookies are domain specific. Unless I'm missing something.
You can generate httpOnly cookies which also work on different subdomains. I wouldn't put the backend and frontend on entirely different domains unless you're running serverless, but that introduces other differences as well.
I have a question regarding the refresh token, as you mentioned when the attacker got the refresh token in the cookie, the attacker can't get access token then the malicious attack won't happen. But when an authenticated user refreshed the page, the access token is gone as well, right? how can this authenticated user get the access token after refreshing the page? (I believe the user needs to login again after refresh the page?)
@@mtosity the hacker cannot make the request, he only can "make" you make unintended requests, in your case, suppose that the hacker can capture the response of the generate_access_token route in the XSS script and send from victim's PC to him, it's still very hard to exploit it because the access token life cycle is often very short
I explained this in a comment awhile ago. You send your access token (not both) for every request. If the access token expires an error is send back to the client and now the client sends the refresh token and gets a new access token (or fails and goes to login). You need to catch the failed request (expired access) send the refresh token and then try the request again with the new access token. If done right it's invisible to the end user. Setting this up with Apollo was tricky but i got it working. Most simple apps (startups) just use a long lived access token cause it's simple.
I wanted this, but wasn't sure how since we are storing the refresh token in a cookie. One of the comments recommended "scope the cookie to only the path for requesting a new access token" that should give the desired effect, I'm going to give it a try
Not gonna help. If you have an XSS vulnerability, the attacker will still be able to make requests from your domain. Storing an access token in httpOnly cookie is a way to go.
i'm little bit confused in CSRF case 1 - attacker can send a request which gonna have 'refresh token' inside and get the access token in response and then send that malicious request with the received access token in header 2 - also attacker gonna have the acess token . which isn't the case in set http-only coockie
In my code, I store the refresh token inside an HttpOnly cookie. Every time a user wants to open the website, it checks if the refresh token cookie is expired. If it is expired, the user is logged out and asked to log in again. If it is not expired, a new access token is created and the user is taken to the homepage without being asked to log in. The access token expires after 15 minutes, and at that point, the refresh token inside the cookie is checked again. If the refresh token is still valid, a new access token is created automatically, and the API request is made. Is there a problem with this approach?
Ben, if the refreshToken endpoint doesn’t return anything and then suddenly our JWT is no longer expired, doesn’t that mean the server must have to keep some state about which JWTs are still valid? I thought the main nicety about JWTs was that you didn’t have to store a list of valid sessions on the server (in something like redis and/or a db).
The refreshToken endpoint returns a new JWT accessToken, just not as a cookie. The JWT that expires is the one being held in a variable, so the server never has to store a state, it just needs to check that the accessToken has not expired.
Oxcorp I’m still not completely getting this. If the refreshToken endpoint returns a new accessToken, why can’t a malicious script/request call the refreshToken endpoint to get a new accessToken and then go to town?
@@benjidaniel5595 There's not really an approach you can take to defend against a full on XSS attack like that which I know of, but a CSRF attack can't perform tasks like this.
My wep-page crashes when the jwt token expires and I have to manually delete my expired token from the localStorage for the page to work again, why is that happening and how i can solve it ? Note: I’m not using a refresh token .
Ok, so storing the token in (scoped) memory will prevent an attacker from stealing the token using XSS/CSS, because it is not accessable. But if an attacker is able to do a XSS/CSS, what will prevent him from requesting a new token from the auth server? Couldn't he just make a request to the auth server through the user's browser? In that case, the browser will add the HttpOnly session cookie to the request and the auth server will issue a new valid token that the attacker can use for future requests...
If the attacker is able to make a request on the users behalf AND read the response, I don't think it matters where you store the access token your in trouble
@@bawad Good point! I'm not sure if I am deep enough in JS, but as far as I know, for XSS it doesn't make a difference whether you make an AJAX request or read a value from local storage, because anyway you just need to execute code in users's browser. So I think the idea with storing the token in memory makes it more complicated to the attacker (and also for the developers), but in case of a successfull XSS it would not improve the security. Or is there something I didn't see?
Didn't understand how will it help to resist csrf attacks? malicious website just will need to get access token using refresh token that still being stored in localstorage/cookies. isn't it?
if you put the refresh token in a http only cookie, the idea is the malicious site can't access it they can make you do a request, but they can't read the response to get the access token
@@bawad But why? If an attacker manages to inject JS code into my app, why cant they do a fetch to the /refresh-token endpoint and read the body of the response? What is preventing them? It will look like a same site request like any request you do. Or what am I missing?
Localstorage is subjected to XSS. So if you can prevent XSS in the first place, then you're ok. If your site is subjected to XSS, then it's somewhat game over i think.
This whole authentication authorization stuff gives me a headache. I’m not experienced enough to even know which person I should be listening to. There is one camp saying stay clear from JWT and use sessions instead and another saying JWT are okay to use so long as this and this is also done.
It really just depends on what sort of security your website/app needs. If you want to be able to blacklist refreshTokens then you need some sort of session storage; you can implement JWT with sessions, it just seems counter-intuitive. For general use, JWTs save a lot of performance and reduce a point of failure (session storage state/database)
@@Oxcorp Storing sessions in a Redis cache is crazy fast and it doesn't come with a lot of the negatives attached to JWTs (like invalidating tokens in case of theft. Good luck finding that out by the way.)
@@Oxcorp If you have a black list, you're still doing a database lookup though. Sure with the access token you get a small window where you don't need to but still. Also shouldn't there be a security standard for all websites regardless of how small or big the site is? I just want users to login safely and not have their sessions highjacked.
@@adamtak3128 You have to do a database lookup when generating accessTokens anyways. Also, all of these concerns about XSS/CSRF still apply to session tokens, the difference is that if a JWT is stolen it will also contain the payload which is easily read. The reason there is not a security standard for all websites is because authentication is not handled the same for all websites, it would also be a bit reckless to have all sites use the same methods because it would put them all at risk at the same time whenever a new exploit was discovered.
hey, thanks for the content. I am curious about what you meant by the attacker can not read what is in the response from the refresh token call. Also, if the httpOnly is safe, why dont we store the access_token as a cookie as well? I guess my concern is the attacker making a call to the refresh endpoint first and then the malicious call right after.
Yeah I agree with you; The fact is with only the refresh token you can get a new access token. I think the in memory saving part is completely redundant, saving both access and refresh tokens in http only cookie makes more sense specially because we can do another check while validating refresh token. Before validating refresh token we should check if the access token is valid and only expired then we proceed to check the refresh token.
So this would be the case if you were storing the refreshToken in localStorage. The risk to storing the JWT in a cookie is not that it will get stolen, but that a CSRF attack would cause the user to perform an unwanted action with the authentication in their cookie. By using the method he describes in the video it prevents CSRF attacks from executing authorized attacks since those endpoints would not accept any cookies as an accessToken. There would still be an endpoint for generating accessTokens which would accept the refreshToken cookie for authorization, but CSRF attacks would not be able to make multi-step requests like that to generate an accessToken for their own use.
@@Oxcorp so the CSRF is the clue. that makes sense. tx for pointing me out! however, it's possible to use CSRF to get accessToken, isn't it? you merely have to figure out the refresh endpoint.
Hey, I'm having trouble understanding how this prtects against XSS. I get why it protects against CSRF. But isn't the access token, althought short lived, still expoable to XSS?
Hi, I am programming a web app. Two websites but security is still matter to me. I am using Apollo, Graphql and express an I deploy them to AWS. One is ok to close session every 24 hours or even 12 hours but the client I want to this be permanent login like Amazon or Facebook. How I can commit this difficult task to be extremely secure? Your will be vary valuable for me. Thank you very much!
Why backend doesn't refresh an access token automatically if the user is valid and has a valid refresh token in headers? (which can be done e.g. via middleware)
I'm afraid you are not correct. Everything that is located in the client code can be accessed by cross site scripting. This means that storing an access token in a variable is similar to storing it in local storage. Both methods are prone to XSS attacks as opposed to storing JWT in a cookie, which is prone to CSRF attacks.
I’m a novice in development, but what protects me from hackers that before sending my access token to them via XSS just refresh it via request to my server?
This whole set up doesnt really nake any sense to me. If as a user, you decide to refresh your page and loose your access token, you can still make a request with the refresh token and get an access token. Can't a hacker get your access token and mimic that request with your refresh token and make a request to get an access token? Thereby impersonating the client? What's now the point if you can get an access token by mimicking the refresh token request to get access token. Thanks.
I am a noob so I do not really know much about this kinda stuff, but I am very curious how do we know when to send the access token back? You said that the refresh token absolutely does nothing. However, when the user refreshes the page, then the user will send us the refresh token to get the access token? So, both cases, we receive just the refresh token and how do we know when to send the access token back?
We need on very requests get a new access token using the refresh token stored in the cookie but I think these may be a bad thing for the user experience of the app. Thanks
Waiting for js implementation!) Btw, for me it's still a problem with actual user's data, displayed, for example at header. We're now making a site with gatsby, so it is improtant for us to have it blazing fast, and page loaders / placeholder blocks looks not so great at all. But with persisting user data we have issues with security and data actualisation, heh
@@bawad all the problem is in ux. At first we need to validate user token or refresh it, then we need to actualise user data, that's two asynchronous tasks (yeah, i know that they may be pretty fast). But our designs mostly not ready for this cases. Our company before mostly making apps with rails only, without client side apps. Previously we used page loader until all needed data would be loaded, but I still looking for more elegant solution.
I think most tokens are stolen at the point of the request... So someone hacks you modem gets your request steal the token and use it. Things are so secure these days that's the only possible way to get in. I guess what am saying is we cannot prevent everything
This is the most popular attack method called "Man in the middle". That's why we need an SSL certificate to encrypt the data package to secure the content of the request body.
I still don't understand how the refresh is going to work in your case as access token is lost on refresh of web page. At least how I implemented backend is with two things: 1. verify the signature of existing (possibly expired) access token, 2. does refresh token matches the one stored on the server, ... and only then re-issued a new access token. Not sure if anything is gained with this new approach, as I understand you will return new access token only by matching with refresh token ... and refresh token is stored in cookie which is prone to hacking. I don't really see how this improves security. Or am I missing something?
> I still don't understand how the refresh is going to work in your case as access token is lost on refresh of web page. we persist the refresh token in a cookie, so when the user refreshes we can use the refresh token to get an access token > and refresh token is stored in cookie which is prone to hacking. if you use an httponly cookie, the cookie can't be accessed by javascript.
I gave interview today for React.. Thinking that interviewer would ask me about JavaScript, React... Guess what he drilled me asking about security.. Questions, how to secure website from Cross Site Forgery, vulnerabilities etc...I never implemented any of these... Since i am not from banking domain....... I am really keen..to get a good grasp on all these..Thanks Ben looking forward more vidoes if possible on this topic,not much help online regarding this... So i expect help from you and you always do :)
It's always nice to have a bit of background on common website security techniques. I would recommend you look into XSS protection techniques and specifics such as CSRF tokens which help stop CSRF attacks by using a hidden form value.
Hi Ben, If your site is vulnerable to XSS then an attacker can still easily get your access token from global memory. So is this the right method. I am still confused. More over if you are storing refresh token in http only cookie without a csrf token, you are still vulnerable to csrf attacks as csrf attacks works with http only cookie. Eg session cookies.
Even you store access token in memory it is still visible on the browser inspect element network. You can still see the actual token on Request Header: Authorization Bearer. Is there a way to hide it or what are other options?
Well if an XSS attack is successful, its all over already. Attacker can intercept all requests/responses in JS by webRequest API and steal the access token.
@@paritoshbatish9984 Yeah. I thought he would talk about pairing httpOnly cookie with CSRF token. But no. What he presented doesn't make sense and is still prone to XSS.
@@AhtshamShabir According to my current understanding (I am quite new to this), 1. httpOnly cookie cannot be accessed via javascript 2. httpOnly cookie is sent with every request to the server So for an XSS attack, they basically have to do a post request like a form submission where only the refresh token is sent which won't do anything as the access token is to be sent for any request from the server. And there will be only one endpoint like "/refresh" where the server accepts the refresh token and returns a new access token. In conclusion, 1. Upon login refresh token is sent which is stored in httpOnly cookie which cannot be accessed by javascript and is always sent with every request. 2. Upon login access token is also sent by the server, which we store in memory. 3. In the access token we store information like expiry date, etc (I still have to see the video on full implementation) which helps us validate the access token. (the access token is not stored in any DB, it evaluated solely based on the info stored on it. See the blog by hasura for detail) 4. For API's, only access token is required. 5. To get new access token there will be only 1 endpoint to do so which validates the refresh token and sends a new access token. Since access token will be short lived for like 2 mins, an attacker only has 2 mins with that token. See the hasura blog for detail: hasura.io/blog/best-practices-of-using-jwt-with-graphql/
@@hiradr3857 No, because the access tokens are valid as long as their lifetime, they cannot be revoked, because this requires a centralized token provider and then you can also use normal sessions
the problem that I am facing with the httpOnly cookie is that the browser doesnt attach it unless the request is being made to an endpoint that is on the same domain as the client is. Which makes it pretty useless as one cannot test the application during the development given that backend and frontend are being run on different ports of localhost
You can use proxy for that, and later on production/qa/dev servers you definitely would benefit from an API Gateway! Samesite strict for the HTTP only cookie is vital and important.
Just revoke that token by storing it in a store for the length of the expiry in a database. So whenever you receive a refresh request to get a new access token, check your store of revoked tokens, and if the refresh token is there just send a 401 response back.
making another request each time the user refreshes the page seems overkill, initial content will be delayed a lot, I prefer to take my chances with localstorage and a better user experience
I believe it is still safer to store it in a cookie compared to localStorage as it mitigates the risk to the user performing unwanted actions (as opposed to their JWT getting outright stolen). However the approach he's talking about is best for stuff like SPAs where the user will generally not manually refresh the page very often. In regards to initial content delay, the recommended accessToken expiration is something like 5 minutes, so if your user is only manually refreshing the page every few minutes then the impact will remain the same.
No not localstorage. just use cookie httponly and dont change the database by default get or post requests and use cors js for only requests from your website and you are good to go. hard to attack with httponly cookie if your server side is well coded
Let’s say your user download a 3:58 recipe 😜 this guy is harvesting autumn Crocus 🌸 I think 🤔 For myself was implementing something on NodeJS and needed to find out how to make it compatible for the browser !!! Regarding authentication Tanks great video
Basically, he is trying to implement the Authorization Code Grant of OAuth 2.0 protocol. Anyway, at last, he is going to store the refresh-token in the cookie by enabling HttpOnly.
can we keep it in session storage because our application supports only single tab and the react already protects us from xss attack . we don't directly inject HTML in our react code
I imagine it would work well for mobile apps, but there are probably safer platform-specific storage methods which are safe from general attacks. Native mobile apps aren't really open to most XSS/CSRF attacks.
But essentially if a baddy knows your refresh-token-URL and you're storing your refresh token in a cookie, and the baddy can get you to click on a link, then they could do a CSRF to your refresh-token-url which would pass your cookie (with refresh-token) and return an access-token to the baddy's site (is this correct? I'm asking 'cause I'm not sure).... Update: I've seen your comment below: "they can make you do a request, but they can't read the response to get the access token" ... what is it that prevents the baddy from reading the response? Update, found this: "In fact, due to same origin policy, the attacker can’t even read the response that contains the token."
@@michaelblom_78 I am still confused. If I manage as an attacker to get JavaScript code running on the site, the request to /refresh-token would be from the same origin? And then I could just read the body to obtain the access token or am I missing something?
Seeing that you know about this, I have a small question. Copying and pasting the token in another browser (incognito mode, for example), allows me to access the app, so, doesn't that mean that a hacker could access your local storage and take the token in order to gain access? How is not unsafe (not rhetorical)?
As a side note, the amount of jokes you make on your channel, really ruined your credibility for me, because I REALLY don't know if you're being serious or if you're joking.
implementation: ua-cam.com/video/25GS0MLT8JU/v-deo.html
Sending the refresh token with each API call is completely at odds with the aim of the access/refresh token paradigm where the short lived access token goes out with API requests, and the refresh token is only used to request new access tokens.
The fix is simple; scope the cookie to only the path for requesting a new access token. This keeps all the benefits described of access token in memory, refresh token in cookie, and avoids having the refresh token "hanging around" where it shouldn't be (e.g. API requests that may dump the request to logs, leaking the long lived refresh tokens)
I was wondering about that, nice fix!
how would this be implemented in a GraphQL server? All requests would have the same 'scope' and since the cookie is not accessible via JS we cannot selectively add/remove it from requests.
That makes sense. Without this detail CSRF is still possible because an attacker could just hijack and use the refresh token.
I wonder what the benefits would be of this approach versus storing the JWT in a cookie and turning SameSite to Strict mode
@@alexleung842 I don't think an attacker can capture a cookie with a CSRF attack. They can only make the user make unintended requests.
Storing in memory would still be vulnerable to XSS, however, an attacker would have to reverse engineer your application to find where you store it in memory.
I think there might be an exploit without doing any re. Just use a proxy to check the requests that get made, to see how the refresh token is used. Then in the payload do a fetch and get an access token.
@@juliengrijalva8606 I don't think you can just sniff out refresh token from a proxy since HTTPS is encrypted.
@@Yutaro-Yoshii you misunderstood what Julien wrote. You can see what PATH has been called to get the access token, so you "attacker" can call it as well and get the access token.
@@zerefdev Path is also TLS encrypted in https. Though there are some ways to get around this using man in the middle tool like mitmproxy so that might be what he meant. But to get this to work you'd need root write access to trusted CA list on the client so it's not a free pass.
@@Yutaro-Yoshii OP is talking about XSS (why would you need a mitm proxy/tools if you can inject your own js code)
If the attacker see your network activity, he'll know the "refresh" strategy and will be able to do an attack that first, go to refresh and get a new token, and then use this token to do malicious activity..
yeah I've come to the conclusion that if your vulnerable to xss, it doesn't matter what you do ua-cam.com/video/M6N7gEZ-IUQ/v-deo.html
That's what I was wondering as well. Props to the channel owner for making and update addressing this flaw.
@@bawad if the attacker knows how this variable is called, they can simply inject js to steal it
Access to cookies from JavaScript can be blocked easily so actualy XSS is not an issue. If you blocked, browsers will manage cookies in request and responses. Atacker may can stole cookies in file system using a malware anyway but i think it is not a big case. You don't need to store token in memory, this is just increase the complexibility.
there is no difference keeping it in memory or localstorage , they are both vulnerable to xss.
and the access token scenario is the same as server side sessions with the difference of sending the request every 15 minute instead of every request and has problem with microservice architecture you mentioned. but I agree this is a good approach that the refresh token service can has a black list (not bad idea)
How is storing the token in memory vulnerable to xss?
@@bawad
1- if the token is attached in URL param =>
simply override the XMLHttpRequest to tamper the details, works on all browsers
2- create a new request to the /refresh_token url and get new valid token, works on all browsers
3- if the variable is global (easily accessible!)
4- angular scopes are easily accessible ...
I didn't tried react component variable scopes before
If a hacker can do 1 or 2, does it matter where you store the token?
@@bawad of course not (xss is unwanted js, there no escape of possible harms), preventing the xss is vital, approaches like keeping the tokens in localstorage/indexeddb/memory are just about making it harder not preventing it!
so why do we make it harder to develop in comparison keeping it in localstorage? preventing xss in not the answer
making xss harder is not enough reason to me
with vulnerability to xss keeping the token in cookie isn't important too, the attacker can request any endpoint he wants while the user is online (just preventing later usage of tokens)
@@bawad with attack number 1 the attacker cannot access the headers even if they are set by javascript
Thank you for introducing another usuful concept for authentication. I'll look forward to your actual implementation.
I read the article but I don't understand how memory storage is any better than local storage.
Both are immune to CSRF, but both are very easily accessible from JS, so why bother?
storing info in js doest protect it from XSS or even CTFS. you need policies like SameSite Cookie Attribute.
I also found this article interesting. Another thing that this kind of approach only authenticates client side. I show a few websites which generally keep access token in cookies and use a csrf token and that's why if we open 'view source', it also gives you authenticated user details whereas in this article's case, it gets user details client side and looks more secure.
The main reason token is over cookie is to decouple the app from the auth server. If it is not a concern, go with cookie. Your way the cookie is the session on the server like the traditional way only access token is renewable to keep user always logged in and cookie can replace refresh token . Server just need to renew the session keep cookie alive in order to keep getting new access token when it expired . Only drawback is that it is not scalable as good as token
Unless I'm mistaken, this is vulnerable by XSS combined with CSRF. Code is injected that calls the refresh token endpoint as well as using the returned access token to make a second request. Please correct me if I am wrong.
any updates on your thoughts about your comment? wondering if u had enough time to look into that deeper
i think you're right @patricknazar, i'm still confusing how to store the token in a public client and protect them from xss and xsrf attacks. do you have any suggestions ?
If the refresh token is sent in an HttpOnly cookie, does that mean the client and server have to be on the same domain? If so, this pattern can't be applied when a SPA is on a different domain than the API.
I dont think httponly means same domain. It means javascript cant access it. But javascript can still make a request somewhere and it will automatically be sent with the request. Not sure if im 100% right tho
@@k3vinshum u r correct
Enjoyed your video. Some thoughts I am thinking... How is storing the JWT in memory (JS variable) not vulnerable to XSS just like local or session storage? Why not stick with storing the JWT in a cookie with HTTP only? CSRF is much easier to mitigate by using a CSRF token over XSS.
I think it's because with XSS you can't read JS variables (or maybe you don't know which one is the token), but if you put it in localStorage an xss can read from that
I think that's a valid way to do it if you want to protect against csrf with a token
This is what I was thinking, even if the name of the variable in memory isn't known to the 'malicious script' it wouldn't be too difficult for it to iterate through the variables looking for an object that even vaguely resembles that of a JWT or the like..
I'm still thinking http only cookie is the way to go for that belt and braces security feel..?
I'm not 100% sure, but I don't think you can just iterate through js variables
@@bawad No I'm not 100% either to be honest, I'll have a look into that for sure. It does feel like something that might be possible even if it were a convoluted way, hackers will go to great lengths to steal sh#t :(
If you can read data using javascript, why wouldn’t that be true with xss
Than you for the voideo. One thing that is not clear for me: why malicious user get nothing from a refresh request when he's got a valid refresh token?
It's been a while since you posted the implementation. Has anything changed or storing the jwt in memory is still good. Thanks.
@Matthew Caseresthat way, you still have to save the cookie in browser. Saving in memory is more feasible.
Well done Ben looking forward for video on this concept..
how can you store the cookie as an http only in case your frontend and backend are server from different domains ?
While it does help with CSRF, I don't see how it helps with XSS. If you have an XSS then you just make your payload do a fetch() request with credentials to obtain an access token. As you said, in the case of a CSRF, the SOP will prevent you from reading the access token. But this is not the case with an XSS, where the request will be same-origin.
yeah I came to the same conclusion
Many thanks for your informative and humorous videos, Ben, but what exactly is the difference to session cookies with a csrf token? The refresh token reminds me of the session id cookie and the JWT would be the csrf token.
If the refresh token is stored in an httpOnly cookie it would make this strategy unviable for setups where the client and the backend are on different domains and even ports, no? Since cookies are domain specific. Unless I'm missing something.
You can generate httpOnly cookies which also work on different subdomains. I wouldn't put the backend and frontend on entirely different domains unless you're running serverless, but that introduces other differences as well.
ua-cam.com/video/GdJ0wFi1Jyo/v-deo.html
@@bawad This does not give the answer to cross domain i.e. client hosted on one domain and back-end on another domain
What do you recommend in that scenario?
@@bawad I am still looking for a solution to that problem. Do let me know what you think will work! Nice video btw
I have a question regarding the refresh token, as you mentioned when the attacker got the refresh token in the cookie, the attacker can't get access token then the malicious attack won't happen. But when an authenticated user refreshed the page, the access token is gone as well, right? how can this authenticated user get the access token after refreshing the page? (I believe the user needs to login again after refresh the page?)
Great stuff! Looking forward to the implementation video.
5:22 Can they maliciously request an access token at this point?
The hacker can only make you make unintended requests, they can not capture your cookie and then get the access token
@@mtosity the hacker cannot make the request, he only can "make" you make unintended requests, in your case, suppose that the hacker can capture the response of the generate_access_token route in the XSS script and send from victim's PC to him, it's still very hard to exploit it because the access token life cycle is often very short
I explained this in a comment awhile ago. You send your access token (not both) for every request. If the access token expires an error is send back to the client and now the client sends the refresh token and gets a new access token (or fails and goes to login). You need to catch the failed request (expired access) send the refresh token and then try the request again with the new access token. If done right it's invisible to the end user. Setting this up with Apollo was tricky but i got it working. Most simple apps (startups) just use a long lived access token cause it's simple.
I wanted this, but wasn't sure how since we are storing the refresh token in a cookie.
One of the comments recommended "scope the cookie to only the path for requesting a new access token"
that should give the desired effect, I'm going to give it a try
what about storing the JWT in localstorage and setting CORS in the backend to only allow requests from a specific domain?
Not gonna help. If you have an XSS vulnerability, the attacker will still be able to make requests from your domain. Storing an access token in httpOnly cookie is a way to go.
i'm little bit confused in CSRF case
1 - attacker can send a request which gonna have 'refresh token' inside and get the access token in response and then send that malicious request with the received access token in header
2 - also attacker gonna have the acess token . which isn't the case in set http-only coockie
1. for CSRF the attacker can't read the response of the request and can't get the access token
2. ua-cam.com/video/M6N7gEZ-IUQ/v-deo.html
Thank you TikTok guy, this really helped me a lot!
In my code, I store the refresh token inside an HttpOnly cookie. Every time a user wants to open the website, it checks if the refresh token cookie is expired. If it is expired, the user is logged out and asked to log in again. If it is not expired, a new access token is created and the user is taken to the homepage without being asked to log in. The access token expires after 15 minutes, and at that point, the refresh token inside the cookie is checked again. If the refresh token is still valid, a new access token is created automatically, and the API request is made. Is there a problem with this approach?
Ben, if the refreshToken endpoint doesn’t return anything and then suddenly our JWT is no longer expired, doesn’t that mean the server must have to keep some state about which JWTs are still valid?
I thought the main nicety about JWTs was that you didn’t have to store a list of valid sessions on the server (in something like redis and/or a db).
The refreshToken endpoint returns a new JWT accessToken, just not as a cookie. The JWT that expires is the one being held in a variable, so the server never has to store a state, it just needs to check that the accessToken has not expired.
Oxcorp I’m still not completely getting this. If the refreshToken endpoint returns a new accessToken, why can’t a malicious script/request call the refreshToken endpoint to get a new accessToken and then go to town?
@@benjidaniel5595 There's not really an approach you can take to defend against a full on XSS attack like that which I know of, but a CSRF attack can't perform tasks like this.
My wep-page crashes when the jwt token expires and I have to manually delete my expired token from the localStorage for the page to work again, why is that happening and how i can solve it ? Note: I’m not using a refresh token .
couldn the attaker use the refresh token to get an access token to himself?
Ok, so storing the token in (scoped) memory will prevent an attacker from stealing the token using XSS/CSS, because it is not accessable.
But if an attacker is able to do a XSS/CSS, what will prevent him from requesting a new token from the auth server?
Couldn't he just make a request to the auth server through the user's browser? In that case, the browser will add the HttpOnly session cookie to the request and the auth server will issue a new valid token that the attacker can use for future requests...
If the attacker is able to make a request on the users behalf AND read the response, I don't think it matters where you store the access token your in trouble
@@bawad Good point!
I'm not sure if I am deep enough in JS, but as far as I know, for XSS it doesn't make a difference whether you make an AJAX request or read a value from local storage, because anyway you just need to execute code in users's browser.
So I think the idea with storing the token in memory makes it more complicated to the attacker (and also for the developers), but in case of a successfull XSS it would not improve the security.
Or is there something I didn't see?
yeah I'm starting to think if someone successfully executes XSS it doesn't matter what you do
Didn't understand how will it help to resist csrf attacks? malicious website just will need to get access token using refresh token that still being stored in localstorage/cookies.
isn't it?
if you put the refresh token in a http only cookie, the idea is the malicious site can't access it
they can make you do a request, but they can't read the response to get the access token
@@bawad But why? If an attacker manages to inject JS code into my app, why cant they do a fetch to the /refresh-token endpoint and read the body of the response? What is preventing them? It will look like a same site request like any request you do. Or what am I missing?
Great video thanks. Quick question with your solution… would it not be the same storing the refresh token in web storage?
your recipe app is frikin good ben. how long did it take you to make? do you have a lot of traction on it?
i wanna know how instagram and facebook (because they are using reactjs on the frontend) store and secure users tokens ??
Localstorage is subjected to XSS. So if you can prevent XSS in the first place, then you're ok. If your site is subjected to XSS, then it's somewhat game over i think.
this is just extremely convoluted and does not change the attack surface for xss at all, just store the access token in local storage.
Can the malicious user not also send the refresh token to the refresh endpoint and get a new access token?
how can someone record video like this? I mean how you recorded both the screen and yourself at the same time and then overlapped it with the video
This whole authentication authorization stuff gives me a headache. I’m not experienced enough to even know which person I should be listening to. There is one camp saying stay clear from JWT and use sessions instead and another saying JWT are okay to use so long as this and this is also done.
It really just depends on what sort of security your website/app needs. If you want to be able to blacklist refreshTokens then you need some sort of session storage; you can implement JWT with sessions, it just seems counter-intuitive. For general use, JWTs save a lot of performance and reduce a point of failure (session storage state/database)
@@Oxcorp Storing sessions in a Redis cache is crazy fast and it doesn't come with a lot of the negatives attached to JWTs (like invalidating tokens in case of theft. Good luck finding that out by the way.)
@@Oxcorp If you have a black list, you're still doing a database lookup though. Sure with the access token you get a small window where you don't need to but still. Also shouldn't there be a security standard for all websites regardless of how small or big the site is? I just want users to login safely and not have their sessions highjacked.
@@hdauven8434 You invalidate JWT tokens by blacklisting the refreshTokens like I mentioned.
@@adamtak3128 You have to do a database lookup when generating accessTokens anyways. Also, all of these concerns about XSS/CSRF still apply to session tokens, the difference is that if a JWT is stolen it will also contain the payload which is easily read.
The reason there is not a security standard for all websites is because authentication is not handled the same for all websites, it would also be a bit reckless to have all sites use the same methods because it would put them all at risk at the same time whenever a new exploit was discovered.
hey, thanks for the content. I am curious about what you meant by the attacker can not read what is in the response from the refresh token call. Also, if the httpOnly is safe, why dont we store the access_token as a cookie as well? I guess my concern is the attacker making a call to the refresh endpoint first and then the malicious call right after.
Yeah I agree with you; The fact is with only the refresh token you can get a new access token. I think the in memory saving part is completely redundant, saving both access and refresh tokens in http only cookie makes more sense specially because we can do another check while validating refresh token. Before validating refresh token we should check if the access token is valid and only expired then we proceed to check the refresh token.
Have you gotten an answer for this question?
still someone could steal the refreshToken and get the actuall JWT. doesn't seem helping too much. am I missing something?
Andrew Tatomyr my exact thought 🤔
Asking my self the same thing, i believe you should save the refresh token only in a trusted client.
So this would be the case if you were storing the refreshToken in localStorage. The risk to storing the JWT in a cookie is not that it will get stolen, but that a CSRF attack would cause the user to perform an unwanted action with the authentication in their cookie. By using the method he describes in the video it prevents CSRF attacks from executing authorized attacks since those endpoints would not accept any cookies as an accessToken.
There would still be an endpoint for generating accessTokens which would accept the refreshToken cookie for authorization, but CSRF attacks would not be able to make multi-step requests like that to generate an accessToken for their own use.
yep if someone gets your refreshToken or accessToken you're screwed
@@Oxcorp so the CSRF is the clue. that makes sense. tx for pointing me out!
however, it's possible to use CSRF to get accessToken, isn't it? you merely have to figure out the refresh endpoint.
Great video but sending a refresh token and making a Database call defeats the purpose of a JWT token
many enterprise projects use keycloak, okta... kind of tools to manage this.
It'll be cool to see you handling keycloak
yeah I want to give okta a try
Hey, I'm having trouble understanding how this prtects against XSS. I get why it protects against CSRF. But isn't the access token, althought short lived, still expoable to XSS?
Hi, I am programming a web app. Two websites but security is still matter to me. I am using Apollo, Graphql and express an I deploy them to AWS. One is ok to close session every 24 hours or even 12 hours but the client I want to this be permanent login like Amazon or Facebook. How I can commit this difficult task to be extremely secure? Your will be vary valuable for me.
Thank you very much!
ua-cam.com/video/25GS0MLT8JU/v-deo.html
Why backend doesn't refresh an access token automatically if the user is valid and has a valid refresh token in headers? (which can be done e.g. via middleware)
I'm afraid you are not correct.
Everything that is located in the client code can be accessed by cross site scripting.
This means that storing an access token in a variable is similar to storing it in local storage.
Both methods are prone to XSS attacks as opposed to storing JWT in a cookie, which is prone to CSRF attacks.
I’m a novice in development, but what protects me from hackers that before sending my access token to them via XSS just refresh it via request to my server?
This whole set up doesnt really nake any sense to me. If as a user, you decide to refresh your page and loose your access token, you can still make a request with the refresh token and get an access token. Can't a hacker get your access token and mimic that request with your refresh token and make a request to get an access token? Thereby impersonating the client? What's now the point if you can get an access token by mimicking the refresh token request to get access token. Thanks.
Why cant a malicious request read the response?
I am a noob so I do not really know much about this kinda stuff, but I am very curious how do we know when to send the access token back? You said that the refresh token absolutely does nothing. However, when the user refreshes the page, then the user will send us the refresh token to get the access token? So, both cases, we receive just the refresh token and how do we know when to send the access token back?
We need on very requests get a new access token using the refresh token stored in the cookie but I think these may be a bad thing for the user experience of the app. Thanks
not on every request just when the access token expires, so could be every 15 minutes
looking forward for the implementation video
I have a quetion, doesn't preflight requests set by the browsers protect us against csrf attacks?
Waiting for js implementation!)
Btw, for me it's still a problem with actual user's data, displayed, for example at header. We're now making a site with gatsby, so it is improtant for us to have it blazing fast, and page loaders / placeholder blocks looks not so great at all. But with persisting user data we have issues with security and data actualisation, heh
What problem are you having with displaying the user's data in the header?
@@bawad all the problem is in ux. At first we need to validate user token or refresh it, then we need to actualise user data, that's two asynchronous tasks (yeah, i know that they may be pretty fast). But our designs mostly not ready for this cases. Our company before mostly making apps with rails only, without client side apps. Previously we used page loader until all needed data would be loaded, but I still looking for more elegant solution.
gotcha, I'll be covering how to fetch that user data soon :)
You have a dangling closing paranthesis in line 1.
but can a hacker access the access token through refresh token
adding it to cookie wouldn't that expose the jwt for a csrf 🤷🏼♂️ ..... I personally have used session storage ... 👀
Session and local storage can lead to xss attack.
I think most tokens are stolen at the point of the request...
So someone hacks you modem gets your request steal the token and use it. Things are so secure these days that's the only possible way to get in.
I guess what am saying is we cannot prevent everything
This is the most popular attack method called "Man in the middle". That's why we need an SSL certificate to encrypt the data package to secure the content of the request body.
Well an attacker can actually access the cookie to get the refresh token and then go ahead with the attacks
missed the httpOnly part, my bad.
I still don't understand how the refresh is going to work in your case as access token is lost on refresh of web page. At least how I implemented backend is with two things: 1. verify the signature of existing (possibly expired) access token, 2. does refresh token matches the one stored on the server, ... and only then re-issued a new access token. Not sure if anything is gained with this new approach, as I understand you will return new access token only by matching with refresh token ... and refresh token is stored in cookie which is prone to hacking. I don't really see how this improves security. Or am I missing something?
> I still don't understand how the refresh is going to work in your case as access token is lost on refresh of web page.
we persist the refresh token in a cookie, so when the user refreshes we can use the refresh token to get an access token
> and refresh token is stored in cookie which is prone to hacking.
if you use an httponly cookie, the cookie can't be accessed by javascript.
the question is how to receive the two tokens from local storage and cookie at the same time with one http request?
The cookie is sent automatically by design since it is a httpOnly cookie. So you only need to worry about the access token
I gave interview today for React.. Thinking that interviewer would ask me about JavaScript, React... Guess what he drilled me asking about security.. Questions, how to secure website from Cross Site Forgery, vulnerabilities etc...I never implemented any of these... Since i am not from banking domain....... I am really keen..to get a good grasp on all these..Thanks Ben looking forward more vidoes if possible on this topic,not much help online regarding this...
So i expect help from you and you always do :)
It's always nice to have a bit of background on common website security techniques. I would recommend you look into XSS protection techniques and specifics such as CSRF tokens which help stop CSRF attacks by using a hidden form value.
Hi Ben, If your site is vulnerable to XSS then an attacker can still easily get your access token from global memory. So is this the right method. I am still confused. More over if you are storing refresh token in http only cookie without a csrf token, you are still vulnerable to csrf attacks as csrf attacks works with http only cookie. Eg session cookies.
Even you store access token in memory it is still visible on the browser inspect element network. You can still see the actual token on Request Header: Authorization Bearer. Is there a way to hide it or what are other options?
if an attacker can have access to the physical device, there is very little you can do to protect it.
Hi ! is there an implementation video?
ua-cam.com/video/25GS0MLT8JU/v-deo.html
Can we store tokens on a indexed DB?
you gotta store it in a carrier pigeon
But we can protect against xss and csrf, right?
Should I use different keys for signing the refresh_token compared to the access_token??
Well if an XSS attack is successful, its all over already. Attacker can intercept all requests/responses in JS by webRequest API and steal the access token.
yeah, he can get as many access token as he likes, I didn't get the concept of this implementation
@@paritoshbatish9984 Yeah. I thought he would talk about pairing httpOnly cookie with CSRF token. But no. What he presented doesn't make sense and is still prone to XSS.
@@AhtshamShabir According to my current understanding (I am quite new to this),
1. httpOnly cookie cannot be accessed via javascript
2. httpOnly cookie is sent with every request to the server
So for an XSS attack, they basically have to do a post request like a form submission where only the refresh token is sent which won't do anything as the access token is to be sent for any request from the server.
And there will be only one endpoint like "/refresh" where the server accepts the refresh token and returns a new access token.
In conclusion,
1. Upon login refresh token is sent which is stored in httpOnly cookie which cannot be accessed by javascript and is always sent with every request.
2. Upon login access token is also sent by the server, which we store in memory.
3. In the access token we store information like expiry date, etc (I still have to see the video on full implementation) which helps us validate the access token. (the access token is not stored in any DB, it evaluated solely based on the info stored on it. See the blog by hasura for detail)
4. For API's, only access token is required.
5. To get new access token there will be only 1 endpoint to do so which validates the refresh token and sends a new access token. Since access token will be short lived for like 2 mins, an attacker only has 2 mins with that token.
See the hasura blog for detail: hasura.io/blog/best-practices-of-using-jwt-with-graphql/
what happens if the user opens 2 tabs? Doesn't the first tabs token become invalid?
Why?
@@bawad The first tab requests a token, then the second tab requests a new token, invalidating the token in the first tab no?
@@hiradr3857 No, because the access tokens are valid as long as their lifetime, they cannot be revoked, because this requires a centralized token provider and then you can also use normal sessions
@@JonasPrimbs got it. So each tab has it's own token.
the problem that I am facing with the httpOnly cookie is that the browser doesnt attach it unless the request is being made to an endpoint that is on the same domain as the client is. Which makes it pretty useless as one cannot test the application during the development given that backend and frontend are being run on different ports of localhost
You can use proxy for that, and later on production/qa/dev servers you definitely would benefit from an API Gateway! Samesite strict for the HTTP only cookie is vital and important.
What about CORS?
npm i --save cors
What if the refresh token leaks?
Just revoke that token by storing it in a store for the length of the expiry in a database. So whenever you receive a refresh request to get a new access token, check your store of revoked tokens, and if the refresh token is there just send a 401 response back.
Sweet cant wait for the tutorial
ours videos are very great. Congratulations!
making another request each time the user refreshes the page seems overkill, initial content will be delayed a lot, I prefer to take my chances with localstorage and a better user experience
I believe it is still safer to store it in a cookie compared to localStorage as it mitigates the risk to the user performing unwanted actions (as opposed to their JWT getting outright stolen). However the approach he's talking about is best for stuff like SPAs where the user will generally not manually refresh the page very often.
In regards to initial content delay, the recommended accessToken expiration is something like 5 minutes, so if your user is only manually refreshing the page every few minutes then the impact will remain the same.
tbh I kind of agree with this to some extent
also if your vulnerable to xss that's a big problem no matter where you store the token
No not localstorage. just use cookie httponly and dont change the database by default get or post requests and use cors js for only requests from your website and you are good to go. hard to attack with httponly cookie if your server side is well coded
Came here for memes, got educated instead
what does that Bearer mean?
Let’s say your user download a 3:58 recipe 😜 this guy is harvesting autumn Crocus 🌸 I think 🤔 For myself was implementing something on NodeJS and needed to find out how to make it compatible for the browser !!! Regarding authentication Tanks great video
Basically, he is trying to implement the Authorization Code Grant of OAuth 2.0 protocol. Anyway, at last, he is going to store the refresh-token in the cookie by enabling HttpOnly.
is the refresh_token safe if its HttpOnly enabled? How is that happening
can we keep it in session storage because our application supports only single tab and the react already protects us from xss attack . we don't directly inject HTML in our react code
is this also the preferred way for mobile apps?
I imagine it would work well for mobile apps, but there are probably safer platform-specific storage methods which are safe from general attacks. Native mobile apps aren't really open to most XSS/CSRF attacks.
I'm not 100% sure. I've been using a cookie fine in react native, but it may be better to use secure storage
is it valid for SPA's???
?is the implementation video out yet ?
ua-cam.com/video/25GS0MLT8JU/v-deo.html
Didn't understand anything, just some graphs with arrows
Hi Ben, there is still something I did n t get what happened if a hacker took the refresh token with the "csrf" and use it for asking the access token
If a hacker ever gets an access token then your in trouble
But essentially if a baddy knows your refresh-token-URL and you're storing your refresh token in a cookie, and the baddy can get you to click on a link, then they could do a CSRF to your refresh-token-url which would pass your cookie (with refresh-token) and return an access-token to the baddy's site (is this correct? I'm asking 'cause I'm not sure).... Update: I've seen your comment below: "they can make you do a request, but they can't read the response to get the access token" ... what is it that prevents the baddy from reading the response? Update, found this: "In fact, due to same origin policy, the attacker can’t even read the response that contains the token."
@@michaelblom_78 I am still confused. If I manage as an attacker to get JavaScript code running on the site, the request to /refresh-token would be from the same origin? And then I could just read the body to obtain the access token or am I missing something?
I first click like then i watch the video😁
you must lock a the camera
what's a JWT?
Json web token
@@sivananthdiwakar8591 ah hmmmm
Nice approach! 😀
Thank you
... or you can just encrypt your tokens using salt (4 digits pin) and store it into localStorage or IndexedDB.
Seeing that you know about this, I have a small question. Copying and pasting the token in another browser (incognito mode, for example), allows me to access the app, so, doesn't that mean that a hacker could access your local storage and take the token in order to gain access? How is not unsafe (not rhetorical)?
“Jay Double-U Tees […] and I read through this article” Obvious lie. The pronunciation is mentioned in the very first sentence.
Could have cut this vid time in 1/2.
YASSS GET SECUREEEE
As a side note, the amount of jokes you make on your channel, really ruined your credibility for me, because I REALLY don't know if you're being serious or if you're joking.
You are so wrong..