Enhancing security
In the MERN applications developed for this book, we kept the auth-related security implementations simple by using JSON Web Tokens as an authentication mechanism and by storing hashed passwords in the User collection. In this section, we will go over these choices and point to possible enhancements.
JSON web tokens – client-side or server-side storage
With the JWT authentication mechanism, the client side becomes responsible for maintaining user state. Once the user signs in, the token sent by the server is stored and maintained by the client-side code on browser storage, such as sessionStorage
. Hence, it is also up to the client-side code to invalidate the token by removing it when a user signs out or needs to be signed out. This mechanism works out well for most applications that need minimal authentication to protect access to resources. However, for instances where it may be necessary to track user sign-ins, sign-outs, and to let the server know that a specific token...