equal-aqua
equal-aqua13mo ago

Auth provider and useGetIdentity() - passing userId if authenticated

Hello, I've set up my auth provider and, with the login method, I'm able to authenticate a user. My backend responds with the user ID. Following the documentation and examples, I can use the getIdentity method in the auth provider to get my userId from localStorage. After logging in, the user is redirected to the home page, where I need to access its user ID. Again, from the documentation, I can use the hook useGetIdentity to get the authenticated user ID and use it where needed. It works, and I can get the user ID as needed to use inside my application. I believe I'm using it as intended, according to the documentation, but is it good practice to set user IDs in localStorage, regarding security? Is there any other way to achieve this using refine? Any guidance is appreciated.
4 Replies
kapa.ai
kapa.ai13mo ago
Hi @jaco0670. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
kapa.ai
kapa.ai13mo ago
Yes, you're correct in using the getIdentity method in the auth provider to get the user's identity from localStorage, and using the useGetIdentity hook to access the authenticated user's information.

Regarding your concern about storing user IDs in localStorage, it is a common practice in web applications. However, it's important to note that localStorage is accessible by any JavaScript code running on the same domain, which could potentially expose sensitive data to cross-site scripting (XSS) attacks.

As an alternative, you can consider using HttpOnly cookies to store sensitive data like user IDs. HttpOnly cookies are not accessible by JavaScript, which provides an additional layer of security against XSS attacks. However, this approach would require changes in both your backend and frontend code to handle cookies instead of localStorage. In the context of refine, you would need to modify your auth provider to work with cookies instead of localStorage. Unfortunately, the provided information extracts do not cover this specific use case. You can refer to the refine documentation (https://refine.dev/docs) for more information on customizing auth providers and other aspects of refine.

Remember that security is a complex topic, and it's essential to consider various aspects of your application to ensure a secure implementation.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
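To make the two options in the answer above concrete, here is an added example (not code from this thread or from refine itself) showing the auth provider's login/getIdentity pair written both ways: once caching the returned user ID in localStorage, as in the question, and once keeping nothing client-side and letting an HttpOnly session cookie identify the user. The `Identity` and `AuthProviderSlice` types, the `/api/login` and `/api/me` routes, the fake `fetch`, and the localStorage/cookie stand-ins are all constructed here so the file runs offline under Node; a real provider would satisfy `AuthProvider` from `@refinedev/core` and use `window.fetch` and `localStorage`.

```typescript
// Added example, not code from the thread or from refine. Everything below the
// two types is a constructed stand-in so the file runs without a browser or server.
type Identity = { id: string; name?: string };
type AuthProviderSlice = {
  login: (p: { email: string; password: string }) => Promise<{ success: boolean }>;
  getIdentity: () => Promise<Identity | null>;
};

// One simulated browser tab plus the server-side session table it talks to.
type World = {
  localStorage: Record<string, string>;
  cookieJar: Record<string, { value: string; httpOnly: boolean }>;
  sessions: Record<string, string>; // session id -> user id (server side)
};
const makeWorld = (): World => ({ localStorage: {}, cookieJar: {}, sessions: {} });

// Constructed user table; in reality this lives behind the back end.
const users: Record<string, { id: string; name: string; password: string }> = {
  "alice@example.com": { id: "u-42", name: "Alice", password: "correct-horse" },
};

// What document.cookie would return: HttpOnly cookies are filtered out.
function documentCookie(w: World): string {
  return Object.keys(w.cookieJar)
    .filter((k) => !w.cookieJar[k].httpOnly)
    .map((k) => `${k}=${w.cookieJar[k].value}`)
    .join("; ");
}

type FetchInit = { method?: string; body?: string; credentials?: "include" | "omit" };
// Stand-in for window.fetch plus the two back-end routes the providers need.
async function fakeFetch(w: World, url: string, init: FetchInit = {}) {
  const reply = (status: number, data: unknown) => ({ ok: status < 300, json: async () => data });
  if (url === "/api/login") {
    const { email, password } = JSON.parse(init.body ?? "{}");
    const u = users[email];
    if (!u || u.password !== password) return reply(401, { error: "bad credentials" });
    const sid = `sess-${Object.keys(w.sessions).length + 1}`;
    w.sessions[sid] = u.id;
    w.cookieJar["session"] = { value: sid, httpOnly: true }; // Set-Cookie: session=...; HttpOnly
    return reply(200, { userId: u.id });
  }
  if (url === "/api/me") {
    // The browser attaches the cookie only when the request opts into credentials.
    const sid = init.credentials === "include" ? w.cookieJar["session"]?.value : undefined;
    const uid = sid ? w.sessions[sid] : undefined;
    const u = Object.keys(users).map((k) => users[k]).find((x) => x.id === uid);
    return u ? reply(200, { id: u.id, name: u.name }) : reply(401, { error: "no session" });
  }
  return reply(404, {});
}

// Design A (the question's pattern): cache the returned user id in localStorage.
function localStorageAuthProvider(w: World): AuthProviderSlice {
  return {
    login: async ({ email, password }) => {
      const res = await fakeFetch(w, "/api/login", { method: "POST", body: JSON.stringify({ email, password }) });
      if (!res.ok) return { success: false };
      const { userId } = (await res.json()) as { userId: string };
      w.localStorage["userId"] = userId; // readable by any script running on the origin
      return { success: true };
    },
    getIdentity: async () => {
      const id = w.localStorage["userId"];
      return id ? { id } : null;
    },
  };
}

// Design B (the HttpOnly-cookie alternative from the answer): store nothing
// client-side and ask the back end who the current session belongs to.
function cookieAuthProvider(w: World): AuthProviderSlice {
  return {
    login: async ({ email, password }) => {
      const res = await fakeFetch(w, "/api/login", { method: "POST", body: JSON.stringify({ email, password }), credentials: "include" });
      return { success: res.ok };
    },
    getIdentity: async () => {
      const res = await fakeFetch(w, "/api/me", { credentials: "include" });
      return res.ok ? ((await res.json()) as Identity) : null;
    },
  };
}

// What a script on the same origin can read directly under each design.
const scriptVisibleState = (w: World) => ({ localStorageUserId: w.localStorage["userId"] ?? null, documentCookie: documentCookie(w) });

async function runDemo() {
  const creds = { email: "alice@example.com", password: "correct-horse" };
  const wa = makeWorld();
  const beforeLogin = await cookieAuthProvider(wa).getIdentity(); // null: no session yet
  await localStorageAuthProvider(wa).login(creds);
  const a = { identity: await localStorageAuthProvider(wa).getIdentity(), visible: scriptVisibleState(wa) };
  const wb = makeWorld();
  await cookieAuthProvider(wb).login(creds);
  const b = { identity: await cookieAuthProvider(wb).getIdentity(), visible: scriptVisibleState(wb) };
  return { beforeLogin, a, b };
}
runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Running it shows the difference the answer describes: under design A the identity is available synchronously but `localStorage.userId` is readable by any script on the origin, while under design B `getIdentity` costs a request to `/api/me`, nothing is stored client-side, and `document.cookie` stays empty because the session cookie is HttpOnly. With design B, `useGetIdentity` will issue that request on first render, so plan for a loading state; the real cookie should also be set with `Secure` and a `SameSite` value, and the back end still has to validate the session on every call.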
kapa.ai
kapa.ai13mo ago
kapa.ai is still learning and improving, please let us know how it did by reacting below
exotic-emerald
exotic-emerald13mo ago
I think it won't be a problem since the 'token' you saved in localStorage is used temporarily. (I'm assuming there is a refreshToken mechanism) You can search the JWT keyword for this topic.