How to securely pass MS authentication tokens from a Next.js frontend to a Node.js server when facing cookie restrictions? Planned
Hello everyone,
I'm working on a Next.js app and have integrated Memberstack for authentication. I'm currently facing an issue where I'm unable to send the Memberstack token via cookies from my frontend to my Node.js server.
I've noticed that the SameSite attribute of the Memberstack token cookie is set to Strict.
This is causing the cookie to not be sent to my server, as it's on a different domain or subdomain than my client-side application.
I'm currently using the following workaround to send the token to my server, but I feel this is not the most secure solution:
Front-End:
import axios from "axios";

// Pull the Memberstack session token out of document.cookie by name.
// The cookie is only readable here because it is not HttpOnly.
const token = document.cookie.match(/(?:^|;\s*)_ms-mid=([^;]+)/)?.[1];

// Forward the token to the Node.js API in an Authorization header instead of
// relying on the browser to attach the cookie.
const response = await axios.get("http://localhost:5000/api/protected", {
  headers: { Authorization: `${token}` },
});
Backend:
I would like to rely on the browser to handle cookies and not expose the token to client-side code. Is there a way to verify the token on my server without directly extracting it from the cookie like this? I am using Memberstack v2.0.
Any help or suggestions would be greatly appreciated. Thank you!
Comments
3 comments
Hi Tunç Polat 👋 Thanks for posting your question!
I'm going to loop in Tyler and Josh from the team. They've been working on how Memberstack works with Cookies, so I believe they'll know what to do.
Hi Tunç Polat
Alrighty so at the moment, Memberstack sets the cookie at the current domain. Meaning, if the member is on say sub1.mydomain.com, the cookie will be set on sub1.mydomain.com. Not the root mydomain.com.
I'm not sure if removing the Strict flag is going to solve the issue you're having, since another subdomain isn't going to have access to the other subdomain's "cookie jar".
We do have plans to add another config option that will let you set the cookie on the root domain; subdomains can access the root domain's cookies. I believe that will solve the issue for you.
I'll keep you updated as we work on that feature.
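The two rules Tyler's reply rests on, host-only cookies and same-site matching, can be checked with a small model. The following is an added example written for this page, not Memberstack's code or the Node server from the question; the hostnames (sub1.mydomain.com, api.mydomain.com, evil.example) and the Set-Cookie headers are constructed, and the registrable-domain helper deliberately ignores the Public Suffix List.

```javascript
// Added example (not Memberstack's code): a minimal model of cookie domain
// matching (RFC 6265 section 5.1.3) and host-only cookies (RFC 6265 section 5.3),
// plus a simplified same-site test. Hostnames and cookie headers are constructed.

// RFC 6265 5.1.3: requestHost domain-matches cookieDomain if the two are
// identical, or requestHost ends with "." + cookieDomain and is not an IP.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith("." + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// Assumption/simplification: treat the last two labels as the registrable
// domain. Real browsers consult the Public Suffix List (so co.uk is not one).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function sameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Parse the attributes that matter here from a Set-Cookie header received
// from setHost. Without a Domain attribute the cookie is "host-only" and is
// returned only to the exact host that set it.
function parseSetCookie(header, setHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, value] = pair.split("=");
  const cookie = { name, value, hostOnly: true, domain: setHost.toLowerCase(), sameSite: "Lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "samesite") {
      cookie.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
    }
  }
  return cookie;
}

// Would the browser attach `cookie` to a fetch/XHR for requestHost issued by a
// page on initiatorHost? Scheme, path and Secure are ignored to keep the model
// focused on the two rules under discussion.
function cookieIsSent(cookie, requestHost, initiatorHost) {
  const domainOk = cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
  if (!domainOk) return false;
  if (cookie.sameSite === "None") return true;
  // For a subresource request, Lax and Strict both require the initiator to be
  // same-site with the request host (they differ only for top-level navigations).
  return sameSite(initiatorHost, requestHost);
}

// Scenario from the thread: app on sub1.mydomain.com, API on api.mydomain.com.
const hostOnlyStrict = parseSetCookie("_ms-mid=abc; SameSite=Strict", "sub1.mydomain.com");
const hostOnlyLax = parseSetCookie("_ms-mid=abc; SameSite=Lax", "sub1.mydomain.com");
const rootDomain = parseSetCookie("_ms-mid=abc; Domain=mydomain.com; SameSite=Strict", "sub1.mydomain.com");

function scenarios() {
  return {
    // Host-only cookie never leaves sub1.mydomain.com, whatever SameSite says.
    hostOnlyStrictToApi: cookieIsSent(hostOnlyStrict, "api.mydomain.com", "sub1.mydomain.com"),
    hostOnlyLaxToApi: cookieIsSent(hostOnlyLax, "api.mydomain.com", "sub1.mydomain.com"),
    // A root-domain cookie is sent to every subdomain of mydomain.com ...
    rootDomainToApi: cookieIsSent(rootDomain, "api.mydomain.com", "sub1.mydomain.com"),
    rootDomainToSelf: cookieIsSent(rootDomain, "sub1.mydomain.com", "sub1.mydomain.com"),
    // ... but SameSite=Strict still blocks it when a different site initiates the request.
    rootDomainCrossSite: cookieIsSent(rootDomain, "api.mydomain.com", "evil.example"),
  };
}

console.log(scenarios());
```

The first two scenarios are the point of the reply: loosening SameSite on a host-only cookie changes nothing for api.mydomain.com, because the cookie is scoped to sub1.mydomain.com alone. Only a Domain=mydomain.com cookie is offered to sibling subdomains, and SameSite=Strict can stay in place for that cookie since sub1.mydomain.com and api.mydomain.com share a registrable domain.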
Hi Tyler Bell
Thanks for taking the time to explain the situation and for working on a solution! I really appreciate it.
As it stands, because of the current cookie handling and the potential security concerns with available workarounds, I think I'll hold off on integrating Memberstack for now.
But I'm really looking forward to the feature you mentioned — being able to set cookies at the root domain would be a game-changer. It would make everything flow much more smoothly between my front-end and back-end servers, especially when they're on different subdomains.
I'm excited about using Memberstack once this feature is rolled out. I'll keep an eye out for updates from you guys.
Keep up the good work, and thanks again for your help.