Comments
@VidhanReddyDev 46 minutes ago
Thank you very much man it helped a lot - got the complete context ROUTER
@ricohumme4328 1 hour ago
I am wondering about your decision to choose HTTP code 403 over 401, which is the actual standard for Unauthorized.
@ahmednasser6877 3 hours ago
Great tutorial, but I have one question: what if the user refreshes the app before the expiration time? If so, the token in memory will be undefined, so how will the server identify the user in the refresh token call, as the API request token is undefined even if the user has a valid refresh token?
@orcagaming2143 5 hours ago
Can you please make a video where you create the server and implement it in the React app? I'm having trouble with authentication and authorization.
@shubhamchandel-gs4so 8 hours ago
Okay, so here is a question: the user refreshes the window and we are sending undefined as the access token, how does the backend know which refresh token to look at? I'm confused here. When we hit an API we send an access token, which is the only way to authenticate the user, but if we are sending undefined then how is their backend checking which refresh token to this user with undefined as access token? Can anyone please explain?
@chrishanthacosta4093 8 hours ago
good explanation bro..
@danilomperson 10 hours ago
Thank you so much for your videos, they are very well made and very helpful! thanks for what you are doing!
@akashpadampalle2244 11 hours ago
i was waiting for this video
@Earth_Elegance_ 11 hours ago
Thank you very much for sharing your experience. This gave me confidence.
@Dabayare 12 hours ago
You are good n unique as online instructor. Most ppl don't explain the road ahead as you do. They just jump to launching IDEs.
@moatazali1462 15 hours ago
Although I've only been following you for a short time, I find what you do amazing. I love the way you explain things so clearly. You are truly great. Thank you!
@trentcox9239 18 hours ago
how would this cater to multiple components failing at the same time? wouldn't you need a queue of some description with the first to error being responsible for the refresh then release the queue when the refresh is done? otherwise you risk a cascade of refresh requests for 'n' components on the page (think dashboard)
@__shubhamtiwari 19 hours ago
Hey brother, can you give both files where you have written axios logic and this as well, this would be very helpful if you do so. Thank you 🙏
@andy0401ify 20 hours ago
amazing
@goljivines7356 21 hours ago
Very nice and concise tutorial. However, can you answer my question? Should I do authentication myself or use a third party for that? Also, what are the possible vulnerabilities I am exposed to if I do it myself?
@user-dd7kw3ym5i 22 hours ago
when you store token in in-memory (state or variable) it will be gone when you refresh right?
@gihanrangana6248 23 hours ago
Nice tutorial, everyone can understand if you create a new video with step-by-step guide from scratch with a demo
@MarlonEnglemam 1 day ago
What happens, in this case, if you refresh the page? I may have missed something but it was not clear to me how to handle that scenario since we're keeping the token only in memory. How should I go about that? I can't just force the user to log back in every time they refresh the page. This is where videos like this always seem to fail to explain... :(
@user-dd7kw3ym5i 21 hours ago
that's what comes to my mind too, on page refresh the states or variable will be gone
@rockyGonnaHurtYou 1 day ago
Don't waste your time asking him for the code. He does this on purpose to upsell. Assume he's trying to make money off you every time he fails to leave a code snippet or source code.
@olegsirbu2 1 day ago
awesome video tutorial!
@vandermonke4178 1 day ago
Would be great if you push the code at the start of the video to a different branch and the end product to the master branch so we could code along
@lyrical6852 1 day ago
Good luck on NBA finals Luka!
@richardhaughton9633 1 day ago
Where does the api.fetch('url') come from?
@hishamch9036 1 day ago
Thank you, it's a great tutorial.👍
@naveenjain417 1 day ago
Is storing the token in local storage or session storage that bad? I mean, I can get the tokens from anywhere; even though it's in memory, every API call will have this data, and the attacker can easily add a JS interceptor and get this header, so just keeping it in memory doesn't actually solve the issue. And also, once the page is refreshed and we are passing undefined for the token to the server, how is it able to validate the HTTP-only cookie, how does it identify if it's the same user? Can you give some clarity on it?
@Earth_Elegance_ 1 day ago
Yes.. I also feel that the best way to become a senior developer. Thank you brother
@TomislavKimovski 1 day ago
The HTTPOnly cookies travel back and forth with every HTTP request and response, just like regular cookies. The only difference is that the browser will not allow the client-side Javascript to access them, which can prevent certain types of attacks.
@hqasmei 1 day ago
Great video! Question, for a delete form you'd have to create a different form right?
@ronaldos3738 1 day ago
Great job dude, new subs, thanks for the knowledge
@syuo5051 1 day ago
Many thanks for this clear explanation. 💗💗
@brawnie3969 1 day ago
thanks for the video.
@alukoolakunlesam6874 1 day ago
good video... please, Can we have the code ??
@ayaanshaikh8254 1 day ago
But it doesn't really make sense to me to implement a refresh token? Can't we just send a long-lived access token in an HTTP-only cookie? Is this approach appropriate?
@MrLOPIU22 1 day ago
One thing that doesn't make sense to me: if I want to keep the user logged in between refreshes and the access token is kept in memory, how would the backend know which refresh token to check if it's valid? I assume that in this case you keep the user id or email in localStorage or some sort; if so, all this trip to secure the authentication is thrown in the trash can.
@MarlonEnglemam 1 day ago
I have the same question! Everywhere I look I see the same explanation but not a direct answer! If it’s in memory it should mean that refreshing the page will lead to losing the access token lol how are we supposed to keep the user logged in??? 😢
@PaperKrane 20 hours ago
@MarlonEnglemam Honestly, I was noticing the same thing. Of course memory will be 'safer' but I don't believe he designed this video with user-experience in mind. From my experience, saving a token to an HTTP-only cookie is safe as well. If you are worried about a token being 'leaked' then I would consider using another method of authentication/authorization simply because in order to save the token to memory, the token would have to be readable and therefore sent from the server which makes it just as prone to being leaked as if you save it in an HTTP-only cookie.
1 day ago
If the refresh token is enough to authenticate, why must I use an access token?
@chandruts.2579 1 day ago
Nice content
@Unlimited_Codes 2 days ago
I will use a mix of them or modular file structures
@gdies1 2 days ago
JWTs are not encrypted but encoded. You can encrypt them, though, in case you want to ensure confidentiality.
@mocastello9253 2 days ago
once again a very great and well-explained video like always !! a BIG THANKS from berlin 🖤 all respect for your whole effort producing those video tutorials!
@amanjha3346 2 days ago
Hi, it looks awesome.. and the code setup is also excellent. Can you share the repo link of the code?
@legend_749 2 days ago
Please provide the source code
@chai519 2 days ago
Will there be a tutorial for Redux toolkit?
@bradleyandrewercole6349 1 day ago
Heyy! Try zustand tho 🎉 it's easier and have less boilerplate
@mobile_genshin 2 days ago
Thank you very much for the video! I have a question, if anyone can answer I'd be very grateful! So with this kind of authorisation implemented in the backend, how should it work in the following example: I have an app where to display the UI correctly I have to make an API call to the backend and fetch some data. This data is then used for the UI rendering and it can be visible to any website user, including just unregistered visitors. They should be able to see the data, but not change it. In this case, how should I make an API call, if there aren't any users (unless you count the frontend as a user), but the backend is protected like in the video? Obviously I can't include login/password in an API call for safety reasons, but I also don't have a token to access the data I need. Is this something that the backend should care about and provide me a valid token?
@naveenjain417 1 day ago
Hey, for this case I think you would have to bypass the authorization for those particular APIs; typically they will be GET-only APIs to give you the info to render it on the UI, and all other backend routes will be going through the authorization so they will be protected.
@bothorsen4292 2 days ago
Thank you for this, it's exactly what I just built for an application. Yay us :D One long note is about the refresh token: You need a way in the server to invalidate users, so even though they have a valid refresh token, they can not get a new access token. The similar but not as important use case is for changing permissions of a user. I just revalidate the user completely every time, which works because I don't have a very high load on the system. So in this case you don't really need a JWT, as we go to the database every time anyway. My refresh tokens are just random strings. The other way - I assume you would always do this for higher loads? - is to add some way to mark refresh tokens as invalid, which means you need to store them somewhere. So when you want to exclude a user or just change the permissions, then the refresh token won't automatically work and the full login process is needed again. I would really like to see a follow up video to describe what you do and whether you change this based on the application. This was a great video though. There are an absurd amount of videos out there that tell you to just store the refresh and access tokens in local storage or in some other insecure way. This is only the second time I've seen someone really go through the process the way I also think is the right one.
@simarbaggac-2025 2 days ago
Pinia is so simple compared to Redux!
@RyuQ 2 days ago
a: *Asks question*
b: I have never used this so actually I'm not sure... I don't know
a: That's a valid answer
@dmitriyskachko9696 2 days ago
This is huge, thank you a lot
@kassihassan 2 days ago
you earned my subscribe (Y)
@ubarjaktarev 2 days ago
If you're using this approach (which I don't necessarily have a problem with), pray to God that whoever is doing the backend knows how to manage http-only refresh cookies, CORS etc. otherwise you'll get blamed for users getting logged out all the time with no means of fixing this yourself.
@brandonyippp 2 days ago
Seriously underrated channel, thank you so much for your continuous content!