Authentication with SSR
You should have noticed that we have removed most of the authentication logic from the server-side React code. The reason for this is that localStorage cannot be transmitted to the server on the initial loading of a page, which is the only case where SSR can be used at all. This leads to the problem that we cannot render the correct route, because we cannot verify whether a user is logged in. The authentication status therefore has to be transitioned to cookies, which the browser sends with every request.
It is important to understand that cookies also introduce some security issues. We will continue to use the regular HTTP Authorization header for the GraphQL API that we have written. If we used cookies to authenticate the GraphQL API, we would expose our application to potential cross-site request forgery (CSRF) attacks: the browser attaches cookies to any request aimed at our domain, including one triggered by a third-party page, whereas a custom Authorization header can only be set by our own frontend code. The frontend code therefore continues to send all GraphQL requests with the HTTP Authorization header.
We will only use the cookies to verify the authentication status of a user and...