What is the best way to transfer the JWT token from the server to the client using an HTTP header?

Question

What is the best way to transfer the JWT token from the server to the client using an HTTP header?

I have been searching for an answer on how to pass the JWT Token from the client to the server securely, but I am not satisfied with the explanations I found. Everyone talks about the most secure way to transfer the JWT token using HTTP headers instead of cookies. But I am still confused - which specific header should I use to send the client's JWT token?

Let's say a user is already registered in my database and has submitted their login credentials to the server. After retrieving the credentials, I generated a JWT based on that information. Now, I am working with Express - can someone guide me on how to send this JWT to the client using a header?

I am implementing this using Express


       app.post("/login", async (inReq, inRes) => {
    
      //Loading the user's database
        usersDB.loadDatabase((err)=>{
            if (err) {console.log("Error while loading database: usersDB")};
        });
       
      // Starting our login logic here
      
      //Fetching the user's data
      const { username, password } = inReq.body;
    
      //Validating user input in some way.
        if(username.length < 4 || password.length < 8)
          return inRes.status(400).send('Bad data');
      
      //then attempting to...
      try {
        //Checking if the user exists in our database
        const foundUser = await findUser(usersDB,{"username":username});
    
        //Comparing the passwords (the one from DB and the one sent by the client)
        if (foundUser && (await bcrypt.compare(password, foundUser.password))) {
        
          //Creating a token if everything checks out
          const token = await  jwt.sign(
            { user_id: foundUser._id, username },
            process.env.TOKEN_KEY,
            {
              expiresIn: "40s",
            },
            function(err, intoken) {
              if(err) {
                  console.log(err);
                  return inRes.status(500).json({current_view: 'error', data: err});
              }
                 
            });

Now what?

WHAT DO I DO WITH THE TOKEN????
WHICH HEADER SHOULD I USE? And How?

    
          //sending a response to the user (successful login)
          return inRes.status(200).json(current_view: 'home', data: user);
        }
        //Sending an error message if the user is not valid
        return inRes.status(401).json(current_view: 'login', data: 'wrong-credentials');
      } 
      //Catching and logging any errors
      catch (err) {
        console.log(err);
      }
      // Finishing our register logic
    });

javascript express jwt http-headers authorization

Answer 1

Answer №1

I'm currently facing a similar situation where there is no clear consensus on how to transmit the JWT to the client. I came across some guidelines that suggest different methods, which you can find in this link:

https://github.com/dwyl/hapi-auth-jwt2/issues/82#issuecomment-129873082

According to these guidelines, placing the JWT token in the Authorization header offers flexibility for sending an actual response in a web application. For REST-only App/API, you have the option to send the JWT as either the response body or a cookie. The key aspect is how the client stores and sends back the JWT to the Server, typically through the Authorization header (or Cookie or URL Token if preferred) 👍

In terms of existing implementations, I haven't come across any examples where the server sends an Authorisation header to the client, but there is nothing indicating that this approach is incorrect according to the specifications. Refer to:

During my experiments with Express, I have been exploring sending the JWT via the Authorization header:

inRes.set('Authorization', `Bearer ${myJWT}`);

Remember to do this before setting the inRes.status.

On the client side, the process appears more straightforward. Most sources advise against storing the JWT in localStorage due to the lack of an expiration property. While cookies offer slightly better options with expiration settings, they also provide the advantage of being sent back to the server with future requests. Alternatively, sessionStorage could be considered as it has a definite expiration period, lasting only until the browser is closed.

You may want to explore the suggested method linked below (although the examples are Java-specific, the explanation is general) for storing the JWT on the client side:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md#token-storage-on-client-side

Answer 2

I'm currently facing a similar situation where there is no clear consensus on how to transmit the JWT to the client. I came across some guidelines that suggest different methods, which you can find in this link:

https://github.com/dwyl/hapi-auth-jwt2/issues/82#issuecomment-129873082

According to these guidelines, placing the JWT token in the Authorization header offers flexibility for sending an actual response in a web application. For REST-only App/API, you have the option to send the JWT as either the response body or a cookie. The key aspect is how the client stores and sends back the JWT to the Server, typically through the Authorization header (or Cookie or URL Token if preferred) 👍

In terms of existing implementations, I haven't come across any examples where the server sends an Authorisation header to the client, but there is nothing indicating that this approach is incorrect according to the specifications. Refer to:

During my experiments with Express, I have been exploring sending the JWT via the Authorization header:

inRes.set('Authorization', `Bearer ${myJWT}`);

Remember to do this before setting the inRes.status.

On the client side, the process appears more straightforward. Most sources advise against storing the JWT in localStorage due to the lack of an expiration property. While cookies offer slightly better options with expiration settings, they also provide the advantage of being sent back to the server with future requests. Alternatively, sessionStorage could be considered as it has a definite expiration period, lasting only until the browser is closed.

You may want to explore the suggested method linked below (although the examples are Java-specific, the explanation is general) for storing the JWT on the client side:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md#token-storage-on-client-side

Answer 3

Answer №2

Thank you so much, Scopique, for your response. I completely agree that finding a solution to this issue may not be simple and straightforward. It's interesting to hear that you also encountered a similar problem on GitHub - small world! In my opinion, given the importance of web security, any RFC standard should prioritize a secure approach in its description.

As I am currently focused on backend development, I haven't spent much time considering how to securely store tokens. However, I did create a basic diagram as a starting point. (Please note that this is not necessarily considered the best practice, but it works for now) https://i.sstatic.net/8MEeF.png

I hope taking this initial step isn't too risky. It's all part of the learning process!

Answer 4

Thank you so much, Scopique, for your response. I completely agree that finding a solution to this issue may not be simple and straightforward. It's interesting to hear that you also encountered a similar problem on GitHub - small world! In my opinion, given the importance of web security, any RFC standard should prioritize a secure approach in its description.

As I am currently focused on backend development, I haven't spent much time considering how to securely store tokens. However, I did create a basic diagram as a starting point. (Please note that this is not necessarily considered the best practice, but it works for now) https://i.sstatic.net/8MEeF.png

I hope taking this initial step isn't too risky. It's all part of the learning process!

What is the best way to transfer the JWT token from the server to the client using an HTTP header?

Answer №1

Answer №2

Similar questions

Each time a user uploads an image, my website crashes due to issues with the webpack bundle build

Creating a MySQL table that includes long string data types

Express updates the body during a curl request

Setting the height of columns in a Bootstrap panel to 100%

Next.js lacks proper Tree Shaking implementation for MUI

TypeScript does not verify keys within array objects

Develop a responsive shopping cart using PHP and JavaScript

Avoiding leaps through the use of dynamic pictures?

What could be the reason for Sequelize to completely replace the record when updating in a put request?

Executing a class function within the ajax success method

Tips for assigning a personalized value to an MUI Switch when it is in the off position

Tips on saving an audio file to a Node server using blob or FormData

Using conditional statements like 'if' and 'else' in JavaScript can

What is the best way to utilize JSON.stringify for substituting all keys and values?

Creating a jQuery AJAX form that allows users to upload an image, submit the form, and store the entered values in a MySQL database

A guide to monitoring and managing errors in the react-admin dataProvider

The JSON reviver function is still not returning anything even when explicitly using the return

Comparing nestableSortable with the Nestable JavaScript library

Checking for the presence of a specific function in a file using unit testing

Convert string IDs from a JSON object to numerical IDs in JavaScript