Advice needed - Best Authentication Approach for Web and Mobile Integration
Unanswered
MalvadoEZY posted this in #help-forum
Hi everyone,
I've built several projects with NextAuth before, and I'm currently working on another project that includes a mobile app using React Native. I'd like to use the Next.js API for both the web and mobile versions to reduce overall costs and make the project more manageable.
I've started implementing a JWT token authentication system that generates an access token and a refresh token upon login. On the web, I typically set these tokens as httpOnly cookies in the response. My understanding is that setting tokens as httpOnly and secure prevents them from being accessible via JavaScript, which helps mitigate XSS attacks.
However, for the mobile app, I need to receive these tokens in the response as a JSON body so that I can store them in a Keychain/Keystore. My biggest concern is how to design an authentication system that works seamlessly for both mobile and web.
I would appreciate your thoughts on this.
Thank you very much.
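One way to serve both clients from a single API, as an added example that is not the poster's code: the login handler picks the delivery channel from a client header (assumed name `x-client-type`, value passed in as `clientType`), setting HttpOnly cookies for the browser and returning a JSON body for the native app, and protected routes read the access token from either the Authorization header or the cookie. Cookie names, paths and lifetimes are assumptions.

```javascript
// Added example, not the original poster's code. Assumed conventions:
// the mobile app sends "x-client-type: mobile" (value held in clientType),
// and the token pair is already minted (constructed strings in the test).
const ACCESS_TTL_SEC = 15 * 60;          // short-lived access token
const REFRESH_TTL_SEC = 30 * 24 * 3600;  // long-lived refresh token

// HttpOnly keeps the value out of document.cookie, Secure limits it to TLS,
// SameSite=Strict keeps it off cross-site requests.
function cookieHeader(name, value, maxAge, path) {
  return `${name}=${value}; Max-Age=${maxAge}; Path=${path}; HttpOnly; Secure; SameSite=Strict`;
}

// One login handler, two delivery channels for the same token pair.
function buildLoginResponse(clientType, tokens) {
  const headers = { 'content-type': 'application/json', 'cache-control': 'no-store' };
  if (clientType === 'mobile') {
    // Native app: tokens in the JSON body, destined for Keychain/Keystore.
    return {
      status: 200, headers,
      body: JSON.stringify({ accessToken: tokens.access, refreshToken: tokens.refresh,
                             expiresIn: ACCESS_TTL_SEC }),
    };
  }
  // Browser: tokens travel only as HttpOnly cookies; the body carries no secret.
  // The refresh cookie is scoped to the refresh route so it is not sent on every call.
  headers['set-cookie'] = [
    cookieHeader('access_token', tokens.access, ACCESS_TTL_SEC, '/api'),
    cookieHeader('refresh_token', tokens.refresh, REFRESH_TTL_SEC, '/api/auth/refresh'),
  ];
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}

// Mirror image on protected routes: accept the access token from either channel.
function extractAccessToken(headers) {
  const m = (headers['authorization'] || '').match(/^Bearer\s+(\S+)$/i);
  if (m) return m[1];                       // mobile: Authorization header
  for (const part of (headers['cookie'] || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === 'access_token' && v.length) return v.join('=');  // web: cookie
  }
  return null;
}
```

With HttpOnly set, the browser attaches the cookie to requests but never exposes it to page scripts, so on the web only the server ever handles the token value; the native app holds it in Keychain/Keystore and presents it as a Bearer header.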
3 Replies
Asian black bear
Aren't both apps under the same domain?
I had a similar issue and proposed two servers under the same domain, even if one is in AWS and another one in Vercel.
Our PoC worked well, and I managed to access the cookies with client-side JS (once they share the same domain).
@Asian black bear Thanks for the help. Yeah, both of them are listening to the same API; in this case I'm using Next.js for the API and web app. Would it work with httpOnly tokens on mobile?
Asian black bear
Our use-case was browser related.
When users access site A, hosted in AWS, a cookie is set with the attributes Secure and HttpOnly.
Then the user accesses site B, hosted on Vercel, and we are able to read the cookie.
This is because we are under the same domain. We use a WAF to rewrite the URL.
I would imagine that for the API it would work the same way.