Storing Only Refresh Tokens in Cookies

[vencho-mdp]

Is there a way to store the access token in memory (vuex) and just the refresh token in cookies? The way I found was to save both in cookies, but that could be vulnerable to some attacks

[jonahmolinski]

Although this would limit your attack surface slightly, a refresh token can be exchanged for an access token. So if access is gained to cookies at any point you are pwned. This is the logic behind not storing the tokens in storage or cookies at all. (Although this is less performant due to the redirects every time a user lands on your app)

[vencho-mdp]

Actually a refresh token in itself cannot be used to POST data to the server It can only be used to obtain jwt (the route to get a new access token should use GET). Hence, refresh token as a cookie is not vulnerable to CSRF

[devzom]

Yes, there is a way to do this:
As in documentation - https://auth.nuxtjs.org/api/options/#localstorage

You can set

localStorage: false, 
cookie: false

And make own auth.scheme with custom axios token handler

Edit:
Rest of message in next post

[vencho-mdp]

That's not true. That'll not use localStorage but will store the access token and the refresh token in cookies.

[devzom]

I've forgot to post rest of the message.
I've managed in last project to keep
access_token only in Vuex
but refresh_token obtained from axios ['Set-Cookie'] and stored it in cookie and it worked as needed.

[vencho-mdp]

How?