@chriscarlsondev
Last active July 20, 2019 00:06
Questions and Answers for Check Point 7 - Expiry time

Should the client or the server take more security precautions? The server. The client runs in a browser the user (or an attacker) fully controls, so any check done only on the frontend can be bypassed; the server must validate every token and every request itself.

What's the difference between local storage and session storage? Both are same-origin key/value stores with the same API. Local storage persists across tabs, windows and browser restarts for that origin. Session storage is scoped to a single browser tab: it is only available to pages in the tab that wrote it, and it is discarded when that tab is closed. That narrower scope and lifetime reduce how long a stored token lingers on the machine, but it is not a complete defense: any JavaScript running on the same origin (for example via XSS) can still read session storage while the tab is open.

What problem does a JWT expiry time solve? The exp claim limits how long a token is valid, so a stolen or leaked JWT is only usable until it expires. This puts control of token validity in the server's hands (it sets exp when signing and checks it on every request) instead of relying on the frontend client to keep tokens from being stolen.

Is a refresh endpoint protected or public? Protected. It only responds to a caller presenting a valid, unexpired JWT, and it answers with a new JWT carrying a new expiry time. If it were public, anyone could mint tokens.

What would happen if a refreshed JWT was requested with a JWT that had already expired? Verification of the presented token fails (the verify method throws), so the auth middleware responds with the unauthorized error instead of issuing a new token. The user has to log in again.

What does it mean to queue a callback? To schedule a function to run later (here, with setTimeout) rather than calling it immediately. The refresh request is queued as a callback after each qualifying user interaction; each new interaction cancels the previously queued callback and queues a fresh one, so the pending refresh keeps being pushed further into the future while the user is active, and only one refresh is ever outstanding.

What does the clearTimeout function do and what argument do you pass into it? It cancels a timeout scheduled with setTimeout so the queued refresh callback never runs. You pass it the timer ID that setTimeout returned when the refresh was queued.

After which of the following events should a refresh request be queued?

  • A successful user registration request -N
  • A successful login request -Y
  • A page load -N
  • A successful API request to a protected endpoint for posting a comment -Y
  • A successful refresh request -Y
  • A push state navigation event -Y
  • A user logs out -N
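The following is an added example, not the gist's or the course's own code: a small client-side refresh scheduler that implements the queue / clearTimeout behaviour from the questions above and encodes the event list as a decision function. The refresh delay, the event names and the fake timer used for the demo are assumptions for illustration; in a real client the refresh callback would call the protected refresh endpoint with the current JWT.

```javascript
// Added example (not from the gist): queueing a JWT refresh with setTimeout/clearTimeout.
const REFRESH_DELAY_MS = 10 * 60 * 1000; // assumed; in practice a little under the JWT lifetime

// Events after which a refresh is queued (from the list above); everything else leaves the queue alone.
const REFRESH_TRIGGER_EVENTS = new Set(['login', 'protected-request', 'refresh', 'pushstate']);
// Events that must cancel any pending refresh.
const REFRESH_CANCEL_EVENTS = new Set(['logout']);

function shouldQueueRefresh(eventName) {
  return REFRESH_TRIGGER_EVENTS.has(eventName);
}

// `refresh` is the function that performs the refresh request. Timer functions are
// injectable so the scheduler can be exercised deterministically without real waits.
function createRefreshScheduler(refresh, { delayMs = REFRESH_DELAY_MS, setTimer = setTimeout, clearTimer = clearTimeout } = {}) {
  let pendingId = null; // ID returned by setTimeout; null when nothing is queued
  return {
    // Queue a refresh; if one is already queued, cancel it first so only the latest one fires.
    queue() {
      if (pendingId !== null) clearTimer(pendingId);
      pendingId = setTimer(() => { pendingId = null; refresh(); }, delayMs);
      return pendingId;
    },
    // clearTimeout takes the timer ID that setTimeout returned.
    cancel() {
      if (pendingId !== null) { clearTimer(pendingId); pendingId = null; }
    },
    isQueued() { return pendingId !== null; },
    // Returns true iff this event caused a new refresh to be queued.
    handleEvent(eventName) {
      if (shouldQueueRefresh(eventName)) { this.queue(); return true; }
      if (REFRESH_CANCEL_EVENTS.has(eventName)) this.cancel();
      return false;
    },
  };
}

// Constructed fake timers so the demo runs instantly and offline.
function createFakeTimers() {
  let nextId = 1;
  const pending = new Map();
  return {
    setTimer: (fn) => { const id = nextId++; pending.set(id, fn); return id; },
    clearTimer: (id) => { pending.delete(id); },
    fire: () => { for (const [id, fn] of [...pending]) { pending.delete(id); fn(); } },
    pendingCount: () => pending.size,
  };
}

// Walk the event list in the order given above and report which events queued a refresh.
function demo() {
  const timers = createFakeTimers();
  let refreshes = 0;
  const scheduler = createRefreshScheduler(() => { refreshes += 1; }, {
    setTimer: timers.setTimer, clearTimer: timers.clearTimer,
  });
  const events = ['register', 'login', 'pageload', 'protected-request', 'refresh', 'pushstate', 'logout'];
  const queued = events.map((e) => scheduler.handleEvent(e));
  timers.fire(); // logout cancelled the last queued refresh, so nothing fires
  return { queued, refreshes, pending: timers.pendingCount() };
}

module.exports = { shouldQueueRefresh, createRefreshScheduler, createFakeTimers, demo };
```

Because queue() always clears the previous timer before setting a new one, a burst of user activity never produces a burst of refresh requests: the callback is simply pushed later each time, and it fires once, after the last qualifying event.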

What is OIDC? OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It lets a range of clients (web, mobile, native) authenticate end users against an identity provider and receive an ID token, a signed JWT describing who the user is, in a standard way instead of each application building its own login.
