Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Token Walks into SPA

Ignacio Anaya
November 16, 2018
Programming
0
530

A Token Walks into SPA

# 📝Description
We often need to deal with token-based authentication when building Single Page Applications. There is a lot of fear, uncertainty and doubt when it comes to JWTs, so how can you be sure you are handling token-based auth properly?

In this talk, I will cover best practices when it comes to implementing token-based authentication using JWTs in a Vue.js SPA.

# 📚Resources
- https://jwt.io
- https://auth0.com/resources/ebooks/jwt-handbook
- https://auth0.com/blog/json-web-token-signing-algorithms-overview
- https://auth0.com/docs/api-auth/tutorials/silent-authentication

Ignacio Anaya

November 16, 2018
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
430
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
320
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
99
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
89

Other Decks in Programming

See All in Programming
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
410
gopls を改造したら開発生産性が高まった
satorunooshie
8
270
カスタムしながら理解するGraphQL Connection
yanagii
1
1.4k
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
480
From Subtype Polymorphism To Typeclass-based Ad hoc Polymorphism - An Example
philipschwarz
PRO
0
190
カラム追加で増えるActiveRecordのメモリサイズ イメージできますか?
asayamakk
4
1.9k
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
310
Dev ContainersとGitHub Codespacesの素敵な関係
ymd65536
1
140
Realtime API 入門
riofujimon
0
130
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
2.2k
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
8
4.9k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
390
Visualization
eitanlees
145
15k
Docker and Python
trallard
40
3.1k
Code Review Best Practice
trishagee
64
17k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Navigating Team Friction
lara
183
14k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
For a Future-Friendly Web
brad_frost
175
9.4k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k

Transcript

  1. A Token Walks into SPA !" 1

  2. ! Nacho Anaya @ianaya89 • JavaScript Engineer @BloqInc • Ambassador

    @Auth0 • Organizer @Vuenos_Aires 2

  3. ⚠ 3

  4. Why Tokens? ! 4

  5. 5

  6. 6

  7. 7

  8. 8

  9. 9

  10. ! Stateless 10

  11. ! JSON Web Tokens JWT 11

  12. header.payload.signature + Base64 12

  13. 13

  14. ! Header { "alg": "HS256", "typ": "JWT" } 14

  15. ! Payload { "iss": "https://api.website.com", "exp": 1510745797148, "role": "root", "name":

    "John Doe" } 15

  16. ! Payload { "iss": "https://api.website.com", "exp": 1510745797148, "role": "root", "name":

    "John Doe" } 16

  17. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') 17

  18. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') 18

  19. 19

  20. ! 20

  21. 21

  22. 22

  23. 23

  24. ! nhl.com 24

  25. 25

  26. 26

  27. 27

  28. 28

  29. 29

  30. 30

  31. ! Not really... 31

  32. ! Store the token 32

  33. localStorage 33

  34. 34

  35. ! Silent Auth 35

  36. 36

  37. ! 37

  38. ! JWT Considera.ons 38

  39. ! Vue Router const router = new Router({ routes: [{

    path: '/', component: Home }, { path: '/tickets', component: Ticket, meta: { isPublic: false, permission: 'write' } }] }) 39

  40. ! Vue Router router.beforeEach((to, from, next) => { // resolve

    auth // check if page is public // check if user has permission next() }) 40

  41. ! HTTP Interpectors // Example using axios axios.interceptors.request.use( config =>

    { config.headers.authorization = 'Bearer ...' return config }, error => Promise.reject(error) ) 41

  42. ! Vuex export default new Vuex.Store({ state: { token: 'Bearer

    ...' user : {} } }) 42

  43. ! Resources • jwt.io • JWT Handbook • JWT Algorithms

    • Post about Silent Auth 43

  44. ! Take Away 44

  45. ! Thanks! @ianaya89 45