Alec Aivazis edited untitled.html  over 8 years ago

Commit id: 0ecb15f696d974607b1b46d3b00e0e98bdf3b0b2

deletions | additions

  • In a single page app, all of the decisions about what view/subview to render occurs on the client and does not require a trip back to the server.
  • This means that the client has to be able to authenticate the currently logged in user and access its data without going back to the server
  • We have to store information concerning the logged in user in such a way that we can trust it.
    • With the rise of the single page app, a new vulnerability has emerged through the clever use of the javascript console.
      • Previous paradigms did not have this problem because they could authenticate every GET request and prevent the user from going somewhere they shouldn't.
  • JWTs are good because they allow for the client to be responsible for keeping track of the permissions of the currently logged in user.
    • This removes the need for a session store in most cases which dramatically increases scalability
      • No more potential problem of synchronizing the store among processes with separate memory.
 
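Review bot: the fourth top-level bullet ("JWTs ... allow for the client to be responsible for keeping track of the permissions of the currently logged in user") conflates carrying the claims with being trusted with them. The client can read the claims out of the token to decide what to render, but every decision that protects data still has to be made by the server after it verifies the token's signature on each request; anything the client holds can be edited from the very javascript console the second bullet warns about. Suggest rewording to something like "the client can read the user's claims from the token for rendering decisions, while the API re-verifies the token on every request". The scalability sub-bullet is sound, but it is worth noting alongside it that dropping the session store also makes revoking a token before its expiry harder, so expiry times should be kept short.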
  • However JWTs require a secret key to be decrypted which means it can't happen on the frontend.
    • A malicious visiter would be able to download the source code compiled on a few different views and look for similar strings. One of them would be the secret key so its easily brute-forcible.
  •
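Review bot: the "require a secret key to be decrypted" bullet is inaccurate as written: a standard JWT (a JWS) is signed, not encrypted. Its header and payload are only base64url-encoded, so anyone holding the token can decode and read them without any key, which is also why no secret data should be placed in the payload. What the key is needed for is verifying the signature, and that depends on the algorithm: with an asymmetric algorithm such as RS256 verification needs only the public key, which can safely be shipped to the frontend, while with HMAC (HS256) verification needs the shared secret, which is exactly why it must never be embedded in client code. Suggest stating the sub-bullet's real point directly, "never put the HMAC signing secret in the client bundle", and noting that a secret recovered from shipped source is simply found, not "brute-forced". Style: "visiter" should be "visitor", "its easily" should be "it's easily", "decisions ... occurs" in the first bullet should be "occur", and the trailing empty bullet looks unfinished.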