Authentication Session

Hi guys,
i wonder how you guys handle authentication. When i implemented metamask auth on my own backend a while ago i used a jwt session token. I notice that you generate a session token, but you don’t pass any cookies to the client. I know that the session token is saved in the localstorage, but how do make sure that the token is invalidated after the session ends? I’m asking because i would like to use the regular moralis auth for a unity webgl app instead of the qr one.
Best regards pascal

1 Like

If you’re using Moralis, moralis will handle everthing for you. Don’t worry much about behind the scenes. You can read the docs on how to use Moralis to handle auth

But as far as i know it is not possible to auth with metamask without using the qr code in unity for now?
But with webgl it should be possible to use the regular moralis auth to login the user in unity.

Ok i just noticed that you dont invalidate the token when the session ends. I really love your project moralis! But I’m not sure if saving the session token in the localstorage without invalidating it is really secure. I mean even my browser extension can read this and potentially use it to access the database with my acl. If I’m mistaken please excuse me and clarify it for me so i can understand how you handle auth.

you can use wallet connect in unity to use any wallet if it supports wallet connect

you can also use normal metamask if you export for web i think

BUT - lets not speak about unity in this thread as it requires special knowledge

Please ask in this thread where David can help you better:

Hey thanks for the answer.
I think it’s currently worked on:
Replace Wallet Connect with In-Browser wallet Interface for WebGL Projects

I wanted to try using it now :slight_smile:
Sry for posting in the wrong thread

I know that http only cookie token is not more secure than the local storage to xss attacks. But a refresh architecture like implemented by auth0 might be more secure. Because it invalidates the refresh token after reuse by another party. This way the user can just login again and the attacker has to launch another attack to get hold of the refresh token. Just my thoughts. Still love the project.

I know that http only cookie token is not more secure than the local storage to xss attacks

It is more secure. http only means javascript can’t access the cookie. Even if an attacker were able to get XSS, then they wouldn’t be able to read it. Not so much for localStorage.