I'm a bit confused with authentication using jwt token, I have an application on vuejs + vue-router, I'm not wanting to use vuex until I learn how to do it without it (I do not like to use what I do not understand). So I have my API in NodeJS which grants me a payload with token when the user logs in.
My question is, now I have this token, what do I do with it? I read several articles, said to store in the local storage (vulnerable to XSS), others in the cookie (vulnerable to CSRF), but I do not want to get very safe here, because I have not even worked in any way. What I did was store in local storage when I get the response with the server token as well.
In my main.js it looks like this:
import Vue from 'vue'
import App from './App.vue'
import router from './router'
import axios from 'axios'
import VueAxios from 'vue-axios'
axios.defaults.baseURL = 'http://localhost:3000'
axios.defaults.headers.common['Authorization'] = "Bearer" + localStorage.getItem('jwtToken')
Vue.use(VueAxios, axios)
router.beforeEach((to, from, next) => {
if (to.meta.requiresAuth) {
if (**O QUE COLOCO AQUI SEM UTILIZAR O VUEX?**) {
next()
} else {
next('/')
}
} else {
next()
}
})
new Vue({
el: '#app',
router,
axios,
render: h => h(App)
})
Where "to.meta.requiresAuth" means that routes that have the element "meta.requiresAuth = true" will be intercepted by the logic inside the if.
You can see that I do not know what check to do, actually could even check the existence of the token in the local storage, but I believe that just checking the existence or not would be pretty insecure. Since it could say that it has the token being that has not yet been received by the server. But if I do this, the way I thought it would be to send a post to the server and validate the token, if valid, then next () if it is not redirected to the home. But I do not know if that is the proper way to deal with this problem. I'm kind of lost.