Authentication in React with JWTs, Access & Refresh Tokens (Complete Tutorial)

33,582 views

Cosden Solutions

23 days ago

🚀 Project React → cosden.solutions/project-react
Join The Discord! → discord.cosden.solutions
VSCode Theme | Font → Material Theme Darker | Menlo, Monaco "monospace"
In this video we will learn how to handle authentication in React with JWTs and access & refresh tokens. We will learn about the mental model of authentication, where to store each type of token, and finally we will look at some React code to see all of this in practice, so that you can take it and apply it to your own applications!

Comments: 166
@Dabayare 19 days ago
You are good n unique as online instructor. Most ppl don't explain the road ahead as you do. They just jump to launching IDEs.
@akashpadampalle2244 19 days ago
I was waiting for this video
@mohammadkhakhsoor2068 14 days ago
This one is just awesome, please more videos about authentication and authorization + a comprehensive one for axios. Thanks a lot, one of the few channels worth subscribing...
@bodhitdarji8687 5 days ago
Very good video. Keep doing videos like this. Thanks a lot!
@danilomperson 19 days ago
Thank you so much for your videos, they are very well made and very helpful! thanks for what you are doing!
@olegsirbu2 20 days ago
awesome video tutorial!
@mocastello9253 21 days ago
once again a very great and well-explained video like always !! a BIG THANKS from berlin 🖤 all respect for your whole effort producing those video tutorials!
@dmitriyskachko9696 21 days ago
This is huge, thank you a lot
@warriorwarlord6706 9 days ago
Great video. Please make a video on authorisation next.
@matheuscastroks 22 days ago
you're the best, thanks
@gihanrangana6248 20 days ago
Nice tutorial, everyone can understand if you create a new video with step-by-step guide from scratch with a demo
@Dexquest3d 21 days ago
Thanks for this. I'm voting for this same topic with next js app router please 🙏
@chandruts.2579 21 days ago
Nice content
@TomislavKimovski 20 days ago
The HTTPOnly cookies travel back and forth with every HTTP request and response, just like regular cookies. The only difference is that the browser will not allow the client-side Javascript to access them, which can prevent certain types of attacks.
@ahmednasser6877 19 days ago
Great tutorial, but I have one question: what if the user refreshes the app before the expiration time? If so, the token in memory will be undefined, so how will the server identify the user in the refresh token call, as the API request token is undefined even if the user has a valid refresh token?
@salvadorbalas5234 22 days ago
Amazing video. I always wanted to see something like this. Is there any way we can get this code so I can read it on my own? Thank you!
@moestaxx286 9 days ago
bro, you should make a react course man. would be awesome and i hope you consider doing it one day !
@andy0401ify 19 days ago
amazing
@ricohumme4328 19 days ago
I am wondering about your decision to choose HTTP code 403 over 401, which is the actual standard for Unauthorized.
@trentcox9239 19 days ago
how would this cater to multiple components failing at the same time? wouldn't you need a queue of some description with the first to error being responsible for the refresh then release the queue when the refresh is done? otherwise you risk a cascade of refresh requests for 'n' components on the page (think dashboard)
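One way to handle the concurrent-failure case raised in the comment above, as an added example (not code from the video): every rejected request awaits the same in-flight refresh promise instead of starting its own. `createAuthClient`, `callApi`, `refreshFn` and the use of status 401 are assumptions; the fake backend inside `demoDashboard` is constructed for the demonstration.

```javascript
// Added example; createAuthClient, callApi and refreshFn are hypothetical names.
function createAuthClient({ callApi, refreshFn, singleFlight = true }) {
  let accessToken;            // in memory only, as in the video
  let refreshInFlight = null; // shared promise while a refresh is running

  function refreshToken() {
    if (singleFlight && refreshInFlight) return refreshInFlight; // join the running one
    const p = refreshFn()
      .then((token) => { accessToken = token; return token; })
      .finally(() => { if (refreshInFlight === p) refreshInFlight = null; });
    refreshInFlight = p;
    return p;
  }

  async function request(path) {
    const tokenUsed = accessToken;
    const res = await callApi(path, tokenUsed);
    if (res.status !== 401) return res;
    // Refresh only if nobody replaced the token while this request was in flight.
    if (accessToken === tokenUsed) await refreshToken();
    return callApi(path, accessToken); // one retry; a second 401 goes to the caller
  }
  return { request };
}

// Constructed fake backend: five dashboard widgets load at once with no valid token.
async function demoDashboard(singleFlight) {
  let validToken = "t1";
  let refreshCalls = 0;
  const tick = () => new Promise((resolve) => setTimeout(resolve, 5));
  const callApi = async (path, token) => {
    await tick();
    return { path, status: token === validToken ? 200 : 401 };
  };
  const refreshFn = async () => {
    const n = ++refreshCalls;      // each call rotates the token server-side
    await tick();
    validToken = "t" + (n + 1);
    return validToken;
  };
  const client = createAuthClient({ callApi, refreshFn, singleFlight });
  const paths = ["/stats", "/orders", "/alerts", "/users", "/billing"];
  const responses = await Promise.all(paths.map((p) => client.request(p)));
  return { refreshCalls, statuses: responses.map((r) => r.status) };
}

demoDashboard(true).then((r) => console.log(r));
```

With `singleFlight` set to `false` the same five requests trigger five refresh calls, which is the cascade the comment describes.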
@tanveermughal3935 22 days ago
Where do csrf tokens fit in? How to implement them and how are they different than JWTs?
@goljivines7356 20 days ago
Very nice and concise tutorial. However, can you answer my question? Should I do authentication myself or use a third party for that? Also, what are the possible vulnerabilities I am exposed to if I do it myself?
@ShailendraSingh-cd2ln 22 days ago
Can you please prepare a video on authorization?
@ismaeltinta6118 21 days ago
Please do a complete tutorial with next app router with separate backend using nest.js
@regilearn2138 18 days ago
Local storage / session storage / cookies: what are the industry's recommended ways to store user details, and how to use the 3 ways in a React app?
@djtoon8412 5 days ago
So hard to find instructors like you. Can you add part two explaining how you would add RBAC in this implementation for role based authentication and have private routes and a hint on how to handle this with nextjs 14. We need to understand fully this phrase "Roll your own auth" and not becoming dependent on third party libraries. Thank you
@adusparx 1 day ago
If you store token in state won't it get deleted on page refresh? Then what would you send to the server. So every time the page is refreshed the user needs to relogin?
@user0x10 9 days ago
Great video! The implementation looks really interesting. Could you please share the source code for this project? It would be very helpful for those of us trying to learn and follow along. Thanks!
@regilearn2138 18 days ago
If we are doing a multistep form, while filling the form how to save the data, what is the best practice in industry? If the user redirects back to the form, how to keep data persistence?
@sathirabandara7981 22 days ago
Can you do next auth session for us?☺
@the_anonymous369 11 days ago
Is it the refresh token that generates the access token? I thought initially we have the access token, then we use the refresh token to revalidate the access token? Please help
@LegendaryAks 18 days ago
What happens when the user refreshes the browser? Wouldn't the token be removed from memory? How do you handle that use case?
@tomerharari633 9 hours ago
I've been putting interceptors in a separate axiosPrivate file that would define an axios instance that I'd use across my application. I'm curious why you put interceptors inside of React. Would placing interceptor outside of react behave any differently?
@ayaanshaikh8254 20 days ago
But it doesn't really make sense to me to implement a refresh token? Can't we just send a long-lived access token in an http-only cookie? Is this approach appropriate?
@ZeeshanMg 6 days ago
Hi, I need some help with the following question:

Refresh Case

When I refresh the page, my access token is lost, resulting in `undefined` being passed as the access token in requests. You've mentioned that the backend will check the validity of the refresh token, generate a new access token, and retry the request. However, how does the backend identify which user's refresh token to validate in this case? Consider this scenario:
- User 1: Refreshes the page and sends the next request with an undefined access token. How will the backend identify this user?
- User 2: Also refreshes the page and sends the next request with an undefined access token. How will the backend distinguish between User 1 and User 2?

How does the backend differentiate between the two users and validate the correct refresh token?
@amanjha3346 21 days ago
Hi, it looks awesome... and the code setup is also excellent. Can you share the repo link of the code?
@user-ri5oz4qz4n 2 days ago
Very good
@naveenjain417 20 days ago
Is storing the token in local storage or session storage that bad? I mean I can get the tokens from anywhere even though it's in memory; every API call will have this data, the attacker can easily add a JS interceptor and get this header, so just keeping it in memory doesn't actually solve the issue. And also, once the page is refreshed and we are passing undefined for the token to the server, how is it able to validate the http-only cookie, how does it identify if it's the same user? Can you give some clarity on it?
@bhanusunka2840 18 days ago
Exactly!
@NijatNiyazov 22 days ago
I need same with app router nextjs. Should I keep refresh logic in client component?
@hasnainsaeed9382 8 days ago
If you find it, let me know
@wizz1e80 22 days ago
This is wonderful. I've always thought that there has got to be a better way to handle authentication than storing it in local storage. Thanks for the enlightenment. Also, would it be possible to share a repo of this code 🙏🏼
@gdies1 21 days ago
JWTs are not encrypted but encoded. You can encrypt them, though, in case you want to ensure confidentiality.
@orcagaming2143 19 days ago
Can you please make a video where you create the server and implement it in the React app? I'm having trouble with authentication and authorization.
@HeinerAngarita 21 days ago
I understand the concept of saving the access token in memory and why it's more secure to keep it there. However, what I don't understand is how the server knows it's "you" who sent the request for a new access token when the app is refreshed. Is it determined by IP address? By browser? What information is sent from the front end to the backend to verify that the user is the correct one for that refresh token to generate a new access token? I need to tell the backend developers what they need to implement for the front end to have a correct flow of the tokens. I would greatly appreciate an explanation of this, as I am struggling to understand how to keep the access token in memory. Currently, I have been saving it in session storage.
@robboerman9378 21 days ago
Exactly my question. If not storing something to identify the user by, how does the server know it's the same user to use the refresh token for?
@robboerman9378 21 days ago
Ah, http-only cookies are actually stored locally with a set Cookie. The only thing is that they are not accessible through scripts but on subsequent http requests
@owofrostyy8840 21 days ago
I handle it this way. You see, if you're using jwt, you encode user data (e.g: email, roles) to it by passing it as a jwt payload when generating a new token. Same thing with refresh token. The only thing is you store refresh token in database in your user entity before setting it in request cookies. Then when handling the refresh route, you extract refresh token from the cookies and first find a user in the database who has the same refresh token, then you decode it, which will allow you to extract encrypted data(as I said before: email, roles). If the user from the database (one you found via refresh token) shares the same email and roles then it is the same person sending a request for a new access token so you generate new one for him and send it, otherwise you throw an error with 403 status code
@HeinerAngarita 21 days ago
I think this is what’s missing in the video. I'm not a backend developer, and I noticed there was no code to save the HTTP-only cookie, so I was left wondering, "What magic is happening here?" I did some further research and I think I understand it now. However, a detailed backend explanation would be very useful so we know exactly what's going on. In the process described, two tokens are created: a refresh token and an access token. The refresh token is sent in an HTTP-only cookie as a header, while the access token is included in the response of the request. The browser automatically saves the cookie when the backend sends it as an HTTP-only cookie, provided that CORS (Cross-Origin Resource Sharing) is properly configured on both the frontend and backend (with credentials allowed). This ensures the cookie is saved and shared with every request. Therefore, if we don't have an access token when a refresh is needed, the refresh token, which exists as a cookie in the browser, will be sent to obtain a new access token. Maybe it was just me who didn’t fully grasp the concept initially and it was obvious from the start, but asking the question and getting answers helped point me in the right direction. Initially I thought the HTTP-only cookie existed only in the server, which led me to misunderstandings.
@owofrostyy8840 21 days ago
@@HeinerAngarita Hi, if you need a detailed backend code for handling user authentication and authorization, I can provide you with a link to my github repo. I used express js with typescript, prisma, and postgres for the db. And, if you need one for non-relational db such as MongoDb, I have a second repo for that as well. They're nearly identical in terms of handling the business logic, only difference is the way I query the database
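The exchange discussed in this thread (access token in the response body, refresh token in an HTTP-only cookie, user identified on refresh by that cookie alone), as an added example that is not code from the video or from any commenter. It simulates server and browser in one Node.js process; `login`, `refresh`, `BrowserJar`, the cookie name `rt`, the `/api/...` paths, the 401 status and the sample users are assumptions, and refresh-token rotation is an addition beyond what the thread describes.

```javascript
// Added example; every name here is an assumption, not taken from the video.
const crypto = require("node:crypto");

const ACCESS_SECRET = crypto.randomBytes(32); // demo signing key, new on every run
const refreshStore = new Map();               // sha256(refresh token) -> user id

const b64u = (s) => Buffer.from(s).toString("base64url");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (data) => crypto.createHmac("sha256", ACCESS_SECRET).update(data).digest();

// Short-lived access token: a minimal HS256 JWT (header.payload.signature).
function signAccessToken(userId, ttlSeconds = 900) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const body = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." +
               b64u(JSON.stringify({ sub: userId, exp }));
  return body + "." + hmac(body).toString("base64url");
}

function verifyAccessToken(token) {
  if (typeof token !== "string") return null; // the "undefined after reload" case
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const given = Buffer.from(parts[2], "base64url");
  const expected = hmac(parts[0] + "." + parts[1]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  return claims.exp > Math.floor(Date.now() / 1000) ? claims : null;
}

// Long-lived refresh token: opaque random value; the server keeps only its hash.
function issueRefreshCookie(userId) {
  const token = crypto.randomBytes(32).toString("base64url");
  refreshStore.set(sha256(token), userId);
  return `rt=${token}; HttpOnly; Secure; SameSite=Strict; Path=/api/refresh`;
}

// POST /api/login (credential check omitted): token in the body, cookie in a header.
function login(userId) {
  return { setCookie: issueRefreshCookie(userId), body: { accessToken: signAccessToken(userId) } };
}

// POST /api/refresh: the cookie alone identifies the user; no access token is read.
function refresh(cookieHeader) {
  const m = /(?:^|;\s*)rt=([^;]+)/.exec(cookieHeader || "");
  const userId = m ? refreshStore.get(sha256(m[1])) : undefined;
  if (!userId) return { status: 401 };
  refreshStore.delete(sha256(m[1])); // rotation: each refresh token works once
  const body = { accessToken: signAccessToken(userId) };
  return { status: 200, setCookie: issueRefreshCookie(userId), body };
}

// Stand-in for the browser's cookie jar (path and expiry matching left out).
class BrowserJar {
  constructor() { this.cookies = new Map(); }
  store(setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    this.cookies.set(pair.slice(0, eq), {
      value: pair.slice(eq + 1),
      httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
    });
  }
  // What the browser attaches to an outgoing request.
  header() { return [...this.cookies].map(([k, c]) => `${k}=${c.value}`).join("; "); }
  // What page JavaScript can read through document.cookie.
  documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([k, c]) => `${k}=${c.value}`).join("; ");
  }
}

// Two users log in, reload the page (in-memory token gone), then call refresh.
function demoReload() {
  const out = {};
  for (const user of ["alice", "bob"]) {       // constructed sample users
    const jar = new BrowserJar();
    jar.store(login(user).setCookie);
    let accessToken;                           // after reload: state is empty again
    const beforeRefresh = verifyAccessToken(accessToken);
    const oldCookie = jar.header();
    const res = refresh(oldCookie);            // cookie sent by the browser itself
    jar.store(res.setCookie);
    accessToken = res.body.accessToken;
    out[user] = {
      beforeRefresh,
      sub: verifyAccessToken(accessToken).sub,
      visibleToScript: jar.documentCookie(),
      replayStatus: refresh(oldCookie).status, // rotated-out token is refused
    };
  }
  return out;
}
console.log(demoReload());
```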
@mobile_genshin 21 days ago
Thank you very much for the video! I have a question, if anyone can answer I'd be very grateful! So with this kind of authorisation implemented in the backend, how should it work in the following example: I have an app where to display the UI correctly I have to make an api call to the backend and fetch some data. This data is then used for the UI rendering and it can be visible to any website user, including just unregistered visitors. They should be able to see the data, but not change it. In this case, how should I make an api call, if there aren't any users (unless you count frontend as a user), but the backend is protected like in the video? Obviously I can't include login/password into an api call for safety reasons, but I also don't have a token to access the data I need. Is this something that backend should care about and provide me a valid token?
@naveenjain417 20 days ago
Hey, for this case I think you would have to bypass the authorization for those particular APIs; typically they will be get-only APIs to give you the info to render on the UI, and all other backend routes will be going through the authorization so they will be protected.
@guilhermelourenco-lx4hj 9 days ago
Can u do using graphql?
@tejasnasre3074 21 days ago
Please Make React Projects I Think You Can Make Mind-blowing projects
@hatimtagmi5415 22 days ago
what if the user sent the token as undefined?! thanks
@__shubhamtiwari 19 days ago
Hey brother, can you give both files where you have written axios logic and this as well, this would be very helpful if you do so. Thank you 🙏
@igorujevic5986 1 day ago
Great video!! Is it possible to share the whole auth provider code with us?
@oyerohabib 12 hours ago
Thank you so much for this video. Could you kindly share the code for this, it makes it even easier to follow along.
@imkir4n 22 days ago
Dang, now please do it with next app router. There is no content available on yt about next authentication with a separate backend.
@mathblend930 16 days ago
Hi, did you find anything yet?
@shubhamchandel-gs4so 19 days ago
Okay, so here is a question: the user refreshes the window and we are sending undefined as the access token, how does the backend know which refresh token to look at? I'm confused here. When we hit an API we send an access token, which is the only way to authenticate the user, but if we are sending undefined then how is the backend checking which refresh token belongs to this user with undefined as access token? Can anyone please explain?
@ZeeshanMg 6 days ago
@shubhamchandel-gs4so Same question
@jerviemarquez5192 17 days ago
is it possible also in react native?
@ErickCapitanachi 17 days ago
Every tutorial I've seen doesn't work for me. The context API doesn't update the data of the user instantly, and it is a headache that every time I want to consult the user's information it is null, or I lose the information when reloading the page. Can someone help me?
@sourishdutta9600 22 days ago
Hi, can you please share this code, just to see and understand more precisely? And how does the CSRF random token fit in this architecture? Can you please create a full-fledged authentication and authorisation video? Thanks
@ptolemyhenson6838 22 days ago
Does this cover the secure storage of JWTs? Right now I'm just using local storage, but obviously that isn't good enough for production.
@alyxx997 22 days ago
No, and if you want to persist login even when the DOM tree won't exist (closing browser etc.) you must use cookies or local storage. I suggest using cookies.
@markbarton 21 days ago
Why not local storage? If someone can log in to your local machine to extract the JWT then you have bigger problems. Because the JWT is encoded, if it's manipulated then the server will reject it.
@ptolemyhenson6838 21 days ago
@@markbarton There's a security concern where, if you use any external scripts, someone could compromise one of those and load malicious code onto your website that first just sends all local storage to an external source before loading the actual script. I think this could also be done with something like a browser extension, but I'm not sure about that. Since I don't think JWTs can be revoked, that's a big problem.
@markbarton 21 days ago
@@ptolemyhenson6838 OK, that's good to know - not using external scripts is good practice anyway, but it's good to understand the attack vectors and it would make sense why you would use http cookies - thanks
@user-dd7kw3ym5i 20 days ago
@@ptolemyhenson6838 the reason why refresh token is supposed to be stored in database is for revocation use. JWT token is supposed to be stateless, stateless means you don't have to store userinfo or something in the backend to verify it later with those stored infos. When you store jwt tokens in the backend it is not stateless anymore.
@MrLOPIU22 20 days ago
One thing that doesn't make sense to me: if I want to keep the user logged in between refreshes and the access token is kept in memory, how would the backend know which refresh token to check for validity? I assume that in this case you keep the user id or email in localStorage or some sort; if so, all this trip to secure the authentication is thrown in the trash can.
@MarlonEnglemam 20 days ago
I have the same question! Everywhere I look I see the same explanation but not a direct answer! If it’s in memory it should mean that refreshing the page will lead to losing the access token lol how are we supposed to keep the user logged in??? 😢
@PaperKrane 19 days ago
@@MarlonEnglemam Honestly, I was noticing the same thing. Of course memory will be 'safer' but I don't believe he designed this video with user-experience in mind. From my experience, saving a token to an HTTP-only cookie is safe as well. If you are worried about a token being 'leaked' then I would consider using another method of authentication/authorization simply because in order to save the token to memory, the token would have to be readable and therefore sent from the server which makes it just as prone to being leaked as if you save it in an HTTP-only cookie.
@baasirashraf8291 17 days ago
Why would we refresh the page? Simply, when the token is expired, the React app will be notified by the server, then we instantly hit the refresh token API, sending our expired token as payload. Then in the refresh token API: we will check that the token received from the payload is expired (firstly), then we will also check the data in it (email, id) in the database or match with the refresh token (it will be the same). If it matches then we will simply generate the new token for the user whose payload we got (email, id etc.) and then send it to the React app; in the React app it will again set state.
@PaperKrane 17 days ago
@@baasirashraf8291 When you even switch tabs away from a React app and then come back later, it will still refresh itself so the 'refreshes' will happen a lot more often than one would think. What you are explaining is the typical auth workflow where the token is stored in a persisted way (cookies, localstorage etc.). What the author is explaining is to store the token in memory (which is not persisted through any form of refresh whatsoever - think of useState and trying to toggle it to a different state and then refresh to see it go back to its default state). When a token is stored in memory, it is deleted as soon as the app refreshes and with the token being deleted you have no way of 'sending' any credentials whatsoever to even 'refresh' your session. Yes this is more secure as it is harder to locate the token but it is also a bad user experience. It's not a knock on the author but it really should be clarified that sessions in this design will not persist. Memory is very secure but there is a reason a LOT of apps opt for HTTP-only cookies over memory.
@lyrical6852 20 days ago
Good luck on NBA finals Luka!
@user-dd7kw3ym5i 20 days ago
when you store token in in-memory (state or variable) it will be gone when you refresh right?
@Priva_C 14 days ago
Yes
@user-dd7kw3ym5i 14 days ago
@@Priva_C so it isn't feasible to store and retrieve token in memory as refreshing the page will reset the state/variable
@Khnx04 22 days ago
@Cosden Solutions Sir, will it be persistent? What happens when the user refreshes the page, will they have to log in again?
@hazemkhaled9416 21 days ago
No, it is just gonna load and get the access token and start using it normally, user won't notice anything
@deekandau4596 15 days ago
@@hazemkhaled9416 As much as it's "secure", don't we have any other more convenient way?
@daumtto 9 days ago
@@hazemkhaled9416 what I thought.
@earthstop1084 22 days ago
I guess I missed this part: why not store the access token in an http-only cookie? Also, how do you create an access token using the refresh token?
@mustafahaider9115 21 days ago
I did that in my application
@owofrostyy8840 21 days ago
I handle it this way. You see, if you're using jwt, you encode user data (e.g: email, roles) to it by passing it as a jwt payload when generating a new token. Same thing with refresh token. The only thing is you store refresh token in database in your user entity before setting it in request cookies. Then when handling the refresh route, you extract refresh token from the cookies and first find a user in the database who has the same refresh token, then you decode it, which will allow you to extract encrypted data(as I said before: email, roles). If the user from the database (one you found via refresh token) shares the same email and roles then it is the same person sending a request for a new access token so you generate new one for him and send it, otherwise you throw an error with 403 status code
@user-dd7kw3ym5i 20 days ago
We don't create access token using refresh token, we generate new access token if refresh token is still not expired that's why refresh token is there.
@mohammedm5236 4 days ago
agree
@puruzsuz31 9 days ago
In case there is no access token, how the server can know the refresh token belongs to the user? We don't store the refresh token in client.
@SaifullahZubair 2 days ago
I was about to comment the same concern. When the user refreshes the application, the token state becomes undefined. In that case how will the server know if it's a valid user without the token or credentials?
@puruzsuz31 2 days ago
@@SaifullahZubair I found the answer. Refresh token should be stored as "http only". This is the common approach afaik and you can access the token on the server securely without losing it on refresh.
@puruzsuz31 17 hours ago
@@SaifullahZubair I found the solution. The refresh token should be stored as 'http only'. With this common way, the server can access the token securely.
@Stefoux 22 days ago
🎉 Darius is the best
@tahrizade 21 days ago
In the documentation we can see: "Don't use useLayoutEffect if it's not important"... Why are you using it? What are other ways? 🤔🤔🤔🤔
@Morimove 3 days ago
does anyone know where can i get the whole code!?
@PiotrMarkiewicz 22 days ago
Good video like always, BUT why in the hell do I need this access token? Why isn't the refresh token enough? Really I see no reason for that, especially since the refresh token is also sent with every request.
@osmanogluenes 22 days ago
+
@aksyonov100 21 days ago
Yes in that example it’s redundant. I guess you would only need it when you pass any user information on the client in that token. For example current UserId
@cosdensolutions 21 days ago
you need to know if the user is logged in without having to fetch it constantly. For like displaying a manage account button, sign out, etc. or even for sending it with the request on button click
@PiotrMarkiewicz 21 days ago
@@cosdensolutions ok, this sounds valid, but still I need to fetch every 15 minutes to check token, it will equally work with refresh token
@devyb-cc 21 days ago
@@PiotrMarkiewicz I believe this method is called an asynchronous token. The key point is to make accesstoken maxage as little as possible and refreshtoken maxage long enough for the user to login to our app. The only reason I guess is security purpose.
@blackcatproductions237 17 days ago
Plz anybody done this auth share your git
@bhanusunka2840 18 days ago
What I usually do is store the access token in the redux toolkit and persist the state. And I encrypt the state too.
@MarlonEnglemam 20 days ago
What happens, in this case, if you refresh the page? I may have missed something but it was not clear to me how to handle that scenario since we're keeping the token only in memory. How should I go about that? I cant just force the user to log back in every time they refresh the page. This is where videos like this always seem to fail to explain... :(
@user-dd7kw3ym5i 20 days ago
that's what comes to my mind too, on page refresh the states or variable will be gone
@deekandau4596 15 days ago
Unless you keep sending refresh token request to backend before state is destroyed
@user-dd7kw3ym5i 14 days ago
@@deekandau4596 what dom EVENT to use to do that?
20 days ago
If the refresh token is enough to authenticate, why must I use an access token?
@mohammedm5236 4 days ago
same question here
@Khnx04 22 days ago
@Cosden Solutions please provide the code link
@rockyGonnaHurtYou 20 days ago
Don't ask. He's trying to charge for that source code snippet now
@the_anonymous369 13 days ago
Please make a full tutorial on this topic with real world application
@cosdensolutions 13 days ago
That's project React 😁
@the_anonymous369 13 days ago
@@cosdensolutions yes, real world React projects with jwt access and refresh tokens please thank you
@ubarjaktarev 21 days ago
If you're using this approach (which I don't necessarily have a problem with), pray to God that whoever is doing the backend knows how to manage http-only refresh cookies, CORS etc. otherwise you'll get blamed for users getting logged out all the time with no means of fixing this yourself.
@djtoon8412 5 days ago
Project React link is broken. I can't open it
@chai519 21 days ago
Will there be a tutorial for Redux toolkit?
@bradleyandrewercole6349 21 days ago
Heyy! Try zustand tho 🎉 it's easier and have less boilerplate
@alukoolakunlesam6874 20 days ago
Good video... please, can we have the code?
@uditnagar7905 14 days ago
please provide github repo of this code
@mohamedyamani8502 22 days ago
could you please share the source code?
@legend_749 21 days ago
Please provide the source code
@NoneSense-zf7gj 22 days ago
How come an HTTP-only cookie never leaves the server? What nonsense?!
@cosdensolutions 21 days ago
it gets sent but the browser doesn't allow javascript to access it, only the server
@NoneSense-zf7gj 21 days ago
Exactly. Therefore what you say in the video about that is confusing.
@Diamonddrake 13 days ago
“Refresh token is only on the server” this is nonsense. Http only cookies are not on servers, cookies are for clients. The server checks the cookie that is sent with every request to the server. It’s not living on the server. Your video quality is great, but this is a fundamental mistake
@enochasandahall2034 22 days ago
does redux and redux persist act same as in memory or not?
@cosdensolutions 21 days ago
only redux, not the persist part
@MarlonEnglemam 20 days ago
Redux persist uses local storage under the hood if I’m not mistaken (so does zustand btw)
@MASTERISHABH 3 days ago
"Refresh token is very very secret and should not leak out of the server" 😂😂 Nah bro!! That's not how it works.
@chinmayghule8272 6 days ago
Absolutely horrible and incorrect explanation.
@balduin_b4334 22 days ago
Isn't this kinda bad regarding XSS attacks? Everybody can use /api/refrashToken or /api/me to generate a new access token and use it as their own.