I'm new to JWT authorisation. Where I come from is just user and password authorisation without JWT. Now that I have learned the basics of JWT, I want to use it, and here is my question:
In my login component, I collect email and password and, if correct, I send a signed JWT to the user. I store that token with js-cookie. (I hope there are no issues up to here.)
Now in my _app.js (I'm using Next.js), I think, if there is a component that requires data, I just build the app as if there were no login. The only thing I'd change: if the data fetch does not succeed, I'd send the user to the login screen.
With that, the user would be auto-logged in, as long as he has the cookie and neither the cookie nor the token expires.
Or is there a better approach?
Edit after reading the comments: In the meantime I added Auth0 login to my app. I disabled all sign-ups and created the user in the Auth0 database. The downside for me is that the setup of the app now takes longer, as I need to configure another third party. But fair enough, if this increases security.
But now my question changes: Can I stop using JWT now, because I can trust the user that is logged in? I'd say no, because the API is an open API without JWT protection, so anyhow my question did not really change?!
You should not try to issue your own tokens; instead use an OpenID Connect certified token service (like KeyCloak, AzureAD, Auth0, Ping, IdentityServer...).
Secondly, you should try to avoid storing tokens in a cookie or even in the browser. A video discussing the security issue, which I can highly recommend, is the one below: