Client - Jwt storage
Eicrud's client offers multiple ways to store the JWT token used for authentication.
Browser environment
By default, JWTs are stored in your browser's localStorage (or sessionStorage when no expiresInSec
option is provided).
Cookie storage
For additional security, you can store your JWT in a secure
httpOnly
cookie. To do so, specify the useSecureCookie
option when setting up your client.
const { CrudClient, ClientConfig } = require('@eicrud/client')
const config: ClientConfig = {
// ...
useSecureCookie: true,
}
const profileClient = new CrudClient(config)
Note
You might need to update your CORS configuration if your client is served on a different domain than your Eicrud application. For example, if your Eicrud application is listening on http://localhost:3000
and your client is served on http://localhost:5173
:
Info
When using this cookie storage method, the JWT token is not accessible via javascript and therefore cannot be stolen in case of a Cross-site scripting (XSS) attack. Note that putting credentials in cookies opens the way for Cross-site request forgery (CSRF) attacks. Eicrud attempts to block these attacks using the Double-submit Cookie Pattern.
Server environment
When no document
object is found, the client uses RAM to store your JWT token. You can provide your own storage to make the JWT persist on server shutdown (or to share it between clients).
export interface ClientStorage {
get(name: string): string;
set(name: string, value: string, durationSeconds: number, secure: boolean): void;
del(name: string): void;
}
const { CrudClient, ClientConfig } = require('@eicrud/client')
const sharedStorage = new MyStorageClass();
const config: ClientConfig = {
// ...
storage: sharedStorage,
}
const profileClient = new CrudClient(config)