React frontend and REST API, CSRF

白昼怎懂夜的黑 提交于 2020-07-04 05:25:31

问题


Using React on the frontend with a RESTful API as backend and authorisation by JWT, how do we handle sessions? For example after login, I get a JWT token from REST. If I save it to localStorage I am vulnerable to XSS, if I save it to cookies, same problems except I set cookies to HttpOnly, but React can't read HttpOnly Cookies (I need to read cookie to take JWT from it, and use this JWT with REST requests), also I didn't mention CSRF problem. If you're using REST as backend, you can't use CSRF Tokens.

As a result, React with REST seems like a bad solution and I need to rethink my architecture. Is it possible to offer your users a secure React application that handles all business logic on the REST API side without fear of losing their data?

Update:

As far as I understood, it is possible to do this:

  1. React makes AJAX call to REST API
  2. React gets JWT token from REST
  3. React writes HttpOnly cookie
  4. Because React can't read HttpOnly cookies, we use it as-is in all our REST calls where we need authentication
  5. REST calls check XMLHttpRequest header, which is some kind of CSRF protection
  6. REST side checks for cookie, reads JWT from it and does stuff

I lack theoretical knowledge here, but the logic looks pretty secure, but I still need an answer to my questions and approve of this "workflow".


回答1:


  1. React makes AJAX call to REST API

assured, lots of restful resource client lib available

  1. React gets JWT token from REST

assured, this is what JWT should do

  1. React writes httponly cookie

I don't think so, It should not work, but session is not such a important thing, it'll soon get out of date, and recheck password on key operations, even the hackers got it in a very short time, you can bind session token together with IP when user login and check it in your backend apis. If you want it most secured, just keep token in memory, and redo login when open new page or page refreshes

  1. Because react can't read httponly cookie, we use it as-is in our all REST call where we need authentication

assured, check user and permissions through login token, like csrf you can put your login token into your request header, and check it in your backend apis. Bind login token to your own restful lib will save you a lot codes

  1. REST on calls checks XMLHttpRequest header, what is some kind of CSRF protection REST side check for cookie, read JWT from it and do stuff

assured, as most people do. Also, bind csrf token to your own restful lib will save you a lot codes

use user token in header https://www.npmjs.com/package/express-jwt-token Authorization JWT < jwt token >

use csrf token in header https://github.com/expressjs/csurf req.headers['csrf-token'] - the CSRF-Token HTTP request header.

restful client https://github.com/cujojs/rest

react with jwt https://github.com/joshgeller/react-redux-jwt-auth-example




回答2:


Your server can set the JWT cookie directly as a response to the login request.

The server responds to POST /login with Set-Cookie: JWT=xxxxxx. That cookie is http only and therefore not vulnerable to XSS, and will be automatically included on all fetch requests from the client (as long as you use withCredentials: true).

CSRF is mitigated as you mentioned, see OWASP for details.



来源:https://stackoverflow.com/questions/45925344/react-frontend-and-rest-api-csrf

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!