How can we store JWT token in Http only cookies?

Question

I am creating login module.

1. User will enter Username and Password.

2. If user validate successfully then Server will return JWT token.

3. I will use the JWT token to validate the different API call in React js.

Now my concern is that I found some article regarding this then I found that We can use http only cookie. How can we implement httponly cookie method to store JWT ? Is it safe?

Answer 1

HttpOnly cookies are safe in that they are protected from browser access via the Document.cookie API, and therefore are protected from things like XSS attacks.

When your user is successfully validated, the server should generate a jwt token and return it as a cookie to your client like so:

return res.cookie('token', token, {
    expires: new Date(Date.now() + expiration), // time until expiration
    secure: false, // set to true if you're using https
    httpOnly: true,
  });

The cookie will be accessible via incoming http requests from your client. You can check the jwt value of the cookie with an authorizing middleware function to protect your API endpoints:

const verifyToken = async (req, res, next) => {
  const token = req.cookies.token || '';
  try {
    if (!token) {
      return res.status(401).json('You need to Login')
    }
    const decrypt = await jwt.verify(token, process.env.JWT_SECRET);
    req.user = {
      id: decrypt.id,
      firstname: decrypt.firstname,
    };
    next();
  } catch (err) {
    return res.status(500).json(err.toString());
  }
};

Reference for more details: https://dev.to/mr_cea/remaining-stateless-jwt-cookies-in-node-js-3lle