I have been building an Elm application for which I need some opinions on the authentication strategy part.
As of today, what I am doing is: after the user provides login credentials, the server responds with a JWT, which I am storing through ports in local storage. Every time the user makes a request, I get the JWT from local storage and then use it to authenticate my requests to the server.
This works fine, and an addition to that would be using a blacklist of tokens in the back end for compromised users, so that I can invalidate tokens that should no longer be valid and force users to re-login.
I have only recently, though, considered that my tokens stored in the browser's local storage would be vulnerable in the case of an XSS attack, since the malicious code would have access to the user's local storage and thus would be able to retrieve the tokens. And even in the case of using refresh tokens, that is still a threat from the point where I am standing.
I want to hear your thoughts on the strategy and possibly which approach you used.
Is it just safer to switch back to session cookies? Is session storage a more secure way of storing my tokens? Are signed cookies the way to go for token storage?
Thank you all in advance.