Jwt storage

Eicrud's client offers multiple ways to store the JWT token used for authentication.

Browser environment

By default, JWTs are stored in your browser's localStorage (or sessionStorage when no expiresInSec option is provided).

For additional security, you can store your JWT in a secure httpOnly cookie. To do so, specify the useSecureCookie option when setting up your client.

const { CrudClient, ClientConfig } = require('@eicrud/client')

const config: ClientConfig = {
  // ...
  useSecureCookie: true,
}
const profileClient = new CrudClient(config)

Note

You might need to update your CORS configuration if your client is served on a different domain than your Eicrud application. For example, if your Eicrud application is listening on http://localhost:3000 and your client is served on http://localhost:5173:

./src/main.ts

// ...
app.enableCors({
  origin: 'http://localhost:5173',
  credentials: true,
});
await app.listen(3000);

Info

When using this cookie storage method, the JWT token is not accessible via javascript and therefore cannot be stolen in case of a Cross-site scripting (XSS) attack. Note that putting credentials in cookies opens the way for Cross-site request forgery (CSRF) attacks. Eicrud attempts to block these attacks using the Double-submit Cookie Pattern.

Server environment

When no document object is found, the client uses RAM to store your JWT token. You can provide your own storage to make the JWT persist on server shutdown (or to share it between clients).

export interface ClientStorage {
  get(name: string): string;
  set(name: string, value: string, durationSeconds: number, secure: boolean): void;
  del(name: string): void;
}

const { CrudClient, ClientConfig } = require('@eicrud/client')

const sharedStorage = new MyStorageClass();

const config: ClientConfig = {
  // ...
  storage: sharedStorage,
}
const profileClient = new CrudClient(config)

Jwt storage

Browser environment

Cookie storage

Server environment