-
Notifications
You must be signed in to change notification settings - Fork 927
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes nuxt-community/auth-module#133 #160
Conversation
@pi0, This actually fixes SSR logout without needing to implement setCookie on the server, as nuxt transfers the store to the client, and since the logout method now sets the user/tokens to false, they don't register as null or undefined, and are then properly propagated to the cookies/localStorage by the client, since the store is the first point of truth for getUniversal and setUniversal. |
But token is not being stored in the Vuex (https://github.com/nysos3/auth-module/blob/ccc0ea7257880174c5118f0cb198e4a11fd9cd17/lib/core/storage.js#L99) how can it be propagated? :D |
Ah, I'm using |
@nysos3 Keeping secure things as hidden as possible indeed. If it is being stored in vuex it will be in every SSR response and also I totally agree with your current changes in this PR but it would be much much better if we also use |
@pi0, I still don't understand what good keeping it out of vuex does. So you're protecting from javascript that has access to the window object? In all modern browsers, cross domain iframes are isolated and don't have access to the same window object, and therefore none of this auth data. I can still hit: or simply: oldHeader = XMLHttpRequest.prototype.setRequestHeader;
XMLHttpRequest.prototype.setRequestHeader = function(header,value){
if(header === 'Authorization')
alert(value);
oldHeader.apply(this, arguments);
} or even more simply: Cookies are just as insecure. Edit: also, |
@pi0 Shall I make another PR to set the default token prefix to just |
I'm not sure and still thinking using cookies as the only source of trust for token would be a better option. |
Then why implement the store or localStorage at all? Also, what about those that have disabled cookies, and rely on vuex-persisted-state instead, since that's a package built for multi-storage, where as this is an Auth module, allowing for the separation of responsibilities? |
For the record, I agree that we need to be able to modify cookies server side as well, but we also need support for |
No description provided.