
Research: Store token in httpOnly Cookie

Open cstenglein opened this issue 2 years ago • 2 comments

Store the JWT Token in a httpOnly Cookie and don't save it in session / local storage.

Also needs the API to support this.

cstenglein · Jun 08 '22 04:06

Bit more background to this

https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#jwt_security

> That’s why it’s also really important not to store JWT on the client, say via cookies or localstorage. Doing so you make your app vulnerable to CSRF & XSS attacks, by malicious forms or scripts to use or steal your token lying around in cookies or localstorage.

and

> What about saving it in a cookie?
>
> Creating cookies on the client to save the JWT will also be prone to XSS. If it can be read on the client from Javascript outside of your app - it can be stolen. You might think an HttpOnly cookie (created by the server instead of the client) will help, but cookies are vulnerable to CSRF attacks.

escapedcat · Jun 08 '22 05:06

Part of it is done. Currently, the token now comes via cookie (for SSE) & for normal requests still from the local storage.

Needs more work for the normal requests, but a small part is done.

Also needed: expiry time as response from login / refresh-token so the UI can calculate the refresh time.

cstenglein · Dec 20 '22 11:12
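The pieces the thread asks the API for, as an added illustration (not raspiblitz-web or blitz_api code): the JWT goes out only in an HttpOnly cookie so page scripts cannot read it, the login body returns the expiry so the UI can schedule the refresh, and a cookie-authenticated state-changing request is rejected unless its Origin matches the app, which is the CSRF concern raised above. Cookie name, `SECRET`, `TOKEN_TTL` and the HS256 signing are constructed for the example.

```python
import base64, hashlib, hmac, json
from http.cookies import SimpleCookie
SECRET = b"constructed-demo-secret"   # constructed value; a deployment uses a random key
TOKEN_TTL = 900                        # token lifetime in seconds (hypothetical)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(sub: str, now: int):
    """Minimal HS256 JWT; returns (token, exp)."""
    exp = now + TOKEN_TTL
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": exp}).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}", exp

def verify_jwt(token: str, now: int):
    """Return the subject if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims.get("exp", 0) > now else None

def login_response(sub: str, now: int):
    """Headers and JSON body for a successful login. The JWT travels only in an
    HttpOnly cookie (unreadable by page scripts, sent automatically on SSE/EventSource
    requests); the body carries the expiry so the UI never has to decode the token."""
    token, exp = mint_jwt(sub, now)
    cookie = (f"access_token={token}; HttpOnly; Secure; SameSite=Strict; "
              f"Path=/; Max-Age={TOKEN_TTL}")
    return {"Set-Cookie": cookie}, {"expires_at": exp, "expires_in": TOKEN_TTL}

def token_from_cookie(cookie_header: str):
    """Pull the JWT back out of an incoming Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["access_token"].value if "access_token" in jar else None

def csrf_ok(method: str, headers: dict, allowed_origin: str) -> bool:
    """State-changing requests authenticated by cookie must carry an Origin (or Referer)
    matching the app; SameSite=Strict comes first, this covers clients that ignore it."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == allowed_origin or origin.startswith(allowed_origin + "/")
```

With `Secure` set the browser only sends the cookie over HTTPS (or to localhost), which matters for a node reached over plain HTTP on a LAN.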