Can you please explain the second part

​@@jitx2797 statelessness here basically means that server doesn't keep record of which token it issues, so the server can't recognise the coming subsequent requests. And when we keep records of tokens to blacklist in a database then we will this idea of statelessness

@@jitx2797 You can maintain a blacklist or whitelist of all the assigned JWT's, a expiresOn property can be assigned to the JWT to verify if its still valid or no!

🙄

Facts on facts lol

You can see a working setup here: github.com/codinginflow/nextjs-express-typescript-course

You can configure your sessions to be stored on a database. Hence, all instance can pull from the same db and have the same sessions. If your issue is multiple queries to the DB, them thats why he spoke about using redis. Pulling the sessions will be faster.

Sessions should be in a database from what I can tell. At the end, he says you can store session info on the server for quick access, but there’s gotta be a way of reasonably keeping sessions on many instances of the server (imagine having many many servers with a horizontal scaling solution). You have to use some sort of sync mechanism.

sessions are a good thing

There are solutions for that if you ever reach that size

@@codinginflowcan you name drop some. I’d like to learn how to deploy my node server with some horizontal solution & learning how to keep some session info on each (and in sync) would be nice.

Then you're just rebuilding sessions

Highly unlikely. But that’s what replicas and fallback strategies are for.

Do you use a refresh token?

@@codinginflow yes and on client I don't store it in localStorage I just make request to server and verify all the times using axios interceptors

Can you explain the implementation please, would really appreciate it.

@@codinginflow yes and I am not storing anything in localStorage I am just making api request to my server so that persistent login is there

that'd be long explanation but in short you have to implement two types of tokens, accessToken (short lived) and refreshToken (long term) everytime your token expires you make a request to your server which generates a new access token for you, also everytime you login you check refreshToken in your database through a middleware so that authenticity of a user making the request is checked.

It is always better to use standard solutions! I hope that you are signing the JWTs and that you verify their signature

Yes

I think so, yes. At least it's easier to implement correctly.

​@@codinginflowbut a bit expensive compared to tokens

An in memory database for blacklisted tokens and JWT is much faster and scalable. You just have to keep an the ID around for every blacklisted token which can be very small if you have them expire after a couple days. It's basically just taking the best of sessions and the best of JWT. JWT let's you have a different server do the authentication and you can store things like access/modification rights in the token so you don't have to keep asking the database if a user is allowed to edit something. Instead you just need to check the token hasn't expired and isn't blacklisted and then from there you can skip all the extra reads from your database about wether the can view an asset ect. JWT was made to solve a problem sessions can't do efficiently at scale, but effective use of the tokens still leverages properties that sessions gave us, and that's having state on the server. But minimal state is what we are striving for

Next-auth

​​​@@codinginflowThank you. I'm going to trust you and I'm going to put all my focus on this, because now I want to complete my project in such a way that it's a safe project. Here's the question: Is this technology absolutely and without a doubt safe to make a full stack web program? I want to use SQL as a database in this project, I don't want any off-the-shelf service. Next - auth, is it FULLY suitable and functional for authentication and authorization? Does it allow me to do database operations through the user? I know I am asking too many questions but I need to know the answers to these questions. Because if Next-auth is suitable for these functions I will put all my focus on it, I don't want to waste time. Life is short. Pardon me for my English.

@@Prag1974 There are always things you can do wrong to make a website insecure. It's your responsibility as a developer to learn how to do it properly.

@@codinginflow Yeah I know, but you are saying in the video "JWT is not secure" You are not saying "The developer using the JWT developing website did a fault so JWT is unsecure." I mean you are saying that "JWT is a problem" I want "problemless" technology to use.

@@Prag1974if you never want to deal with problems then you're in the wrong profession bud.

You can do that. But then you lose the benefit of statelessness and basically rebuild sessions

@@codinginflow yes but the frontend team can handle token by themselves and dont need to deal with cookies security issues

@@mohammadjavadnajafi1782 Tokens have the same (and more) security issues as far as I know. Both can be implemented safely, but JWTs are trickier.

​@@codinginflowHow about a simple solution like password version, every time user change the password we will increase the number to a higher number and compare the one in database with the one in the jwt Sure it have some downsides but for most apps it works.

It's possible to implement them correctly but not how it's shown in most tutorials. You need very short-lived tokens and a refresh mechanism.

You still have the problem of invalidation

you set a short exp time for the jwt and a refreshToken associated with the user that can be revoked @@codinginflow