Home>

The mainstream when developing API servers that require authentication is as follows.

1. Send login request including ID/Password from client
2. Check the ID/Password on the server side, and if it is correct, issue and return an access token
3. On the client side, save the access token in localStorage etc. and give it when requesting authentication is required.

At this time, save ID/Password in localStorage instead of the access token.
What are some of the disadvantages of having it included in every request and authenticating each time on the server side?

The points I thought about are as follows.

・ Tokenization is required to expose the authentication API to the outside

・ Every time authentication processing is required, the cost is heavier than the validity check of the access token

-Increased risk of ID/Password leak during communication
(There is a risk of leaking when logging in, so I don't feel that much)

・ ID/Password leaks from localStorage
(It is also a problem when an access token is leaked, but is it easy to take measures with a blacklist?)

  • Answer # 1

    The method of saving the name ID and password on the client side is frankly conspicuous, and I feel that there is no merit.

      

    -Increased risk of ID/Password leak during communication
      (There is a risk of leaking when logging in, so I don't feel that much)

    That's right, assuming HTTPS.
    You can't use the old-fashioned method of using HTTPS only when logging in, and then using HTTP, but is it okay to use that method nowadays?

      

    ・ ID/Password leaks from localStorage
      (It is also a problem when an access token is leaked, but is it easy to take measures with a blacklist?)

    This is a serious problem. Saving passwords on localStorage can be easily leaked by cross-site scripting. Even if there is cross-site scripting, impersonation can be done, but even in that case, even the password will not be leaked, so normally processing that requires a password (before settlement, password change, etc.) cannot be abused. On the other hand, if a password is leaked, it will be "anything".
    Whether or not you care about it is a matter of controversy, but it is also a problem that the password can be broken just by operating that browser.

    There seems to be no advantage over these disadvantages, so I think you should avoid the method of saving the raw password in the browser storage.