Hi All! Thank you in advance for any help you can share.
I’m in the process of building a new site in NextJS (13.5.6) that will tie in to our existing Parse App hosted on Heroku. I have a couple of questions, since I’m new to this particular development context, so I need to be sure I know whether or not my intentions are secure.
I have set up working examples of signing in to existing accounts from both a client component and a server component. My preference is to use only server components for the Parse interaction, but I’ve run into an issue with authentication/session tokens. Running on the client side, things are pretty simple, as it’s very easy to get the current user, and that user stays signed in according to their session token info. When running in a server component, it becomes more complicated since there’s no longer a current user stored in the system (the JS is now running in the Node server, so no current user is available). Because of this, users would need to authenticate every time they wanted to view account information on our site, which I don’t want to happen.
My question is whether or not saving the user’s session token locally is secure. From what I understand, after a user signs in, I can send the session token to the client where it can be saved to local storage. After that, I simply get the session token later when the user visits the site. If it’s still valid, I can fetch user data. If it’s not, just request that they sign in again.
Since the Parse SDK when running locally in the browser (NextJS Client Component) is saving some type of session data (I’m assuming the session token itself) in “localStorage,” I’m guessing this is all secure. However, in my research, I’m seeing that saving data of this nature in localStorage is not secure.
If it is secure, can I get a quick summary as to why it’s secure? To my understanding, if someone were to get hold of our Parse server URL, our Parse App ID and a user’s session token, they would be able to do pretty much anything they wanted to that user’s account. The user data we store in our system is encrypted, but the account could still be damaged beyond repair.
If it’s not secure, why is it secure using the Parse JS SDK locally in a web browser?
Lastly, what are my options for handling all Parse interactions, including authentication, on the server side in React Server Components?
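One server-side pattern for the last question, added here as an example and not code from the original post or from Parse: after a server-side login, hand the session token back to the browser only as an HttpOnly cookie, then have server components validate it by calling the Parse REST endpoint `GET /users/me` with the `X-Parse-Application-Id` and `X-Parse-Session-Token` headers. The server URL, App ID and cookie name below are placeholders; in a Next.js server component the cookie header would come from `cookies()` in `next/headers`, which is stubbed here with a plain string and an injected `fetch` so it runs offline.

```javascript
// Placeholders (assumptions, not real values): replace with your own deployment.
const SERVER_URL = "https://example-parse-app.example.com/parse";
const APP_ID = "EXAMPLE_APP_ID";
const COOKIE_NAME = "parseSession";

// Set-Cookie value to send once, right after a successful server-side login.
// HttpOnly keeps the token out of reach of page scripts (unlike localStorage);
// Secure and SameSite limit where the browser will send it.
function sessionCookie(token, maxAgeSeconds = 60 * 60 * 24 * 7) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; ` +
    `SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Pull the session token back out of an incoming Cookie header.
function tokenFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE_NAME && rest.length) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Resolve the current user on the server by asking Parse directly instead of
// relying on a cached "current user" object. Returns null when there is no
// token or when Parse answers with error code 209 (invalid session token), so
// the caller can prompt for a fresh sign-in; any other error is surfaced.
async function currentUser(cookieHeader, fetchImpl = fetch) {
  const token = tokenFromCookieHeader(cookieHeader);
  if (!token) return null;
  const res = await fetchImpl(`${SERVER_URL}/users/me`, {
    headers: { "X-Parse-Application-Id": APP_ID, "X-Parse-Session-Token": token },
    cache: "no-store", // never serve one user's account data to another
  });
  const body = await res.json();
  if (res.ok) return body;
  if (body.code === 209) return null;
  throw new Error(`Parse error ${body.code}: ${body.error}`);
}
```

Because the token never leaves an HttpOnly cookie, a script injected into the page cannot read it the way it could read localStorage, and the server component re-checks validity with Parse on every request rather than trusting client-side state.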