Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Token Walks into SPA

Ignacio Anaya
November 16, 2018
Programming
0
530

A Token Walks into SPA

# 📝Description
We often need to deal with token-based authentication when building Single Page Applications. There is a lot of fear, uncertainty and doubt when it comes to JWTs, so how can you be sure you are handling token-based auth properly?

In this talk, I will cover best practices when it comes to implementing token-based authentication using JWTs in a Vue.js SPA.

# 📚Resources
- https://jwt.io
- https://auth0.com/resources/ebooks/jwt-handbook
- https://auth0.com/blog/json-web-token-signing-algorithms-overview
- https://auth0.com/docs/api-auth/tutorials/silent-authentication

Ignacio Anaya

November 16, 2018
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
440
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
320
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
100
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
90

Other Decks in Programming

See All in Programming
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
910
Remix on Hono on Cloudflare Workers
yusukebe
1
300
Quine, Polyglot, 良いコード
qnighy
4
650
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
2
120
初めてDefinitelyTypedにPRを出した話
syumai
0
420
Realtime API 入門
riofujimon
0
150
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
Jakarta EE meets AI
ivargrimstad
0
660
Contemporary Test Cases
maaretp
0
140
Click-free releases & the making of a CLI app
oheyadam
2
120
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Done Done
chrislema
181
16k
Site-Speed That Sticks
csswizardry
0
33
Embracing the Ebb and Flow
colly
84
4.5k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Scaling GitHub
holman
458
140k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
A Philosophy of Restraint
colly
203
16k
Navigating Team Friction
lara
183
14k
Designing Experiences People Love
moore
138
23k
Music & Morning Musume
bryan
46
6.2k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. A Token Walks into SPA !" 1

  2. ! Nacho Anaya @ianaya89 • JavaScript Engineer @BloqInc • Ambassador

    @Auth0 • Organizer @Vuenos_Aires 2

  3. ⚠ 3

  4. Why Tokens? ! 4

  5. 5

  6. 6

  7. 7

  8. 8

  9. 9

  10. ! Stateless 10

  11. ! JSON Web Tokens JWT 11

  12. header.payload.signature + Base64 12

  13. 13

  14. ! Header { "alg": "HS256", "typ": "JWT" } 14

  15. ! Payload { "iss": "https://api.website.com", "exp": 1510745797148, "role": "root", "name":

    "John Doe" } 15

  16. ! Payload { "iss": "https://api.website.com", "exp": 1510745797148, "role": "root", "name":

    "John Doe" } 16

  17. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') 17

  18. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') 18

  19. 19

  20. ! 20

  21. 21

  22. 22

  23. 23

  24. ! nhl.com 24

  25. 25

  26. 26

  27. 27

  28. 28

  29. 29

  30. 30

  31. ! Not really... 31

  32. ! Store the token 32

  33. localStorage 33

  34. 34

  35. ! Silent Auth 35

  36. 36

  37. ! 37

  38. ! JWT Considera.ons 38

  39. ! Vue Router const router = new Router({ routes: [{

    path: '/', component: Home }, { path: '/tickets', component: Ticket, meta: { isPublic: false, permission: 'write' } }] }) 39

  40. ! Vue Router router.beforeEach((to, from, next) => { // resolve

    auth // check if page is public // check if user has permission next() }) 40

  41. ! HTTP Interpectors // Example using axios axios.interceptors.request.use( config =>

    { config.headers.authorization = 'Bearer ...' return config }, error => Promise.reject(error) ) 41

  42. ! Vuex export default new Vuex.Store({ state: { token: 'Bearer

    ...' user : {} } }) 42

  43. ! Resources • jwt.io • JWT Handbook • JWT Algorithms

    • Post about Silent Auth 43

  44. ! Take Away 44

  45. ! Thanks! @ianaya89 45