I'm developing a Reactive Web App. In the app, I'm using APIs that are protected by OAuth, so basically bearer tokens. Question about the tokens!

In a traditional web app I'd store the token (which has a quite short TTL) in a Session Variable, as it does not need to be persisted for a long time and it's ok to fetch it again every now and then. As session variables are stored on the server side, they don't leak that easily, so I believe this is a pretty standard way to achieve the thingy.

Then comes the Reactive Web App. We don't have sessions anymore as our backend is stateless. What we have is a Client Variable. As a client variable is stored in browser memory and accessible through web development tools, it sounds like a bit of a sketchy place to store security tokens. Are client variables encrypted somehow?

If I can't use a client variable, the only way to store it safely is to store the token in the database and make all queries from the backend (so the token is never stored in the frontend at all). I guess this is the best practice anyway.

I'm interested in the approaches you've taken and if someone (e.g. from OutSystems) can explain how client variables are protected (or whether they are).

Hi Jasmo,

You could have a look at the following component that has client side encryption logic.

https://www.outsystems.com/forge/component-overview/1730/reactive-utilities

That would enable you to encrypt / decrypt values written / read from the client variable.

Regards,

Daniel

Hi Jasmo,

You are correct that the database would be a way to securely store the tokens.

Client variables are not encrypted, but they are not shared between different users; they are stored in the local storage of the browser for a given user. They are deleted upon logout. You can eventually take a look at the component Daniel shared or into the Web Crypto API if you really need encryption there.

Cheers,
Tiago Simões

Solution

Hi Jasmo,

Actually your first assumption is right. All sensitive information should be stored on the server side so it's properly secured (e.g. against XSS attacks).

Cheers,
Tiago Simões

Solution
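The server-side approach the accepted answer recommends, as an added example (not OutSystems code nor any poster's own): a backend token vault that caches each user's short-lived bearer token, refreshes it shortly before expiry, drops it on logout, and makes the protected API call from the backend, so the token never reaches a client variable. `fetchToken` and `apiCall` are assumed, injected helpers standing in for the OAuth token endpoint and the protected API.

```javascript
// Added example: keep bearer tokens on the server, out of browser storage.
// fetchToken(userId) -> { accessToken, expiresInSec } and apiCall(url, headers)
// are hypothetical helpers injected by the caller (assumption, not a real API).

const TTL_SAFETY_MS = 30 * 1000; // refresh this long before the token expires

class TokenVault {
  constructor(fetchToken, now = () => Date.now()) {
    this.fetchToken = fetchToken;
    this.now = now;                 // injectable clock, makes expiry testable
    this.entries = new Map();       // userId -> { accessToken, expiresAt }
  }

  // Return a still-valid token for this user, fetching a fresh one when the
  // cached one is missing or about to expire (short TTL is expected here).
  async getToken(userId) {
    const entry = this.entries.get(userId);
    if (entry && entry.expiresAt - this.now() > TTL_SAFETY_MS) {
      return entry.accessToken;
    }
    const { accessToken, expiresInSec } = await this.fetchToken(userId);
    this.entries.set(userId, {
      accessToken,
      expiresAt: this.now() + expiresInSec * 1000,
    });
    return accessToken;
  }

  // Mirror the "deleted upon logout" behaviour on the server side.
  clear(userId) {
    this.entries.delete(userId);
  }
}

// Backend-side call: the browser receives only the API response body, never
// the Authorization header, so devtools or an XSS payload cannot read the token.
async function callProtectedApi(vault, apiCall, userId, url) {
  const token = await vault.getToken(userId);
  return apiCall(url, { Authorization: `Bearer ${token}` });
}
```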