Adel Benyahia
Dec 29, 2022

First, a well organised article, thanks for sharing 👍
I have some suggestions:
1. Validate:
Do some validation in the signup and login req.body before saving to the database for better security.
2. Password hashing:
Use Argon2 rather than bcrypt to hash the password.
Argon2 is a modern ASIC-resistant and GPU-resistant secure key derivation function. It has better password cracking resistance (when configured correctly) than PBKDF2, bcrypt and scrypt.
3. Using secure cookies:
I suggest using secure cookies to pass the refresh token between the front-end and the back-end, with HTTPS and the secure flags.
4. localStorage :
Using localStorage to store a JWT is bad; anyone with physical access to the user's PC can read this sensitive information using only the Chrome devtools or the console.
5. Cors:
This code will work fine, but when using different origins for the back-end and front-end, or even the same origin with a different port, it will show CORS origin errors.
The cors middleware will work perfectly with Express.
6. Logs:
Log errors for better administration, using log files or the morgan middleware.
7. Front-end input validation:
Do some validation in the front-end for a better UI experience.

Adel Benyahia

Web application developer (HTML │ CSS │ JS │ ReactJS │ NextJS │ NestJS │ MERN)