tags : Security, Web Development, Authentication, JWT, Identity Management
Products to look at
B2C
B2B
FAQ
Setting up auth for golang webapp
- See Identity Management
- My current preference is Ory Kratos, Supabase (with HttpOnly cookies to store the JWT) or Pocketbase, depending on convenience and the features needed
- Supabase and Pocketbase give me a nice UI, which is super nice for prototyping
- Supabase when using PostgreSQL, Pocketbase when using SQLite
- Ory doesn’t have the UI offering in the open-source version but seems like the one to go with if we need anything more than Supabase/Pocketbase
- We can roll our own, but since I don’t want to do much backend work, especially things other people have done better, it’s better to avoid it: most of the time I need the whole suite (password reset, confirmation email, etc.), all of which gets really complicated if done manually
- For API auth, things can be different; the following comment has a decent suggestion
- There’s also the phantom token approach (the client only ever holds an opaque token, and a gateway swaps it for a JWT before forwarding to the backend), which I don’t think I really need
Where to store auth/session token?
- See Identity Management and API Design
- My preference is to use cookies for storing auth state.
- For user preferences etc., local storage is fine.
- URL params / URL args / POST body: possible but not recommended, since URLs end up in browser history, server and proxy logs and the Referer header, and a POST body only works for POST requests
- Cookies
- XSS impact can be reduced with the HttpOnly flag: script can’t read the cookie, though an XSS payload can still make requests that carry it
- Browser sends cookies automatically, so no additional client-side handling of auth is required; the flip side is CSRF, so set SameSite and/or use a CSRF token on state-changing requests
- Can be set across subdomains via the Domain attribute, so you can use the same auth for a.x.com and b.x.com, which is cool
- Easy to clear too: set the same cookie (same Domain and Path) with Max-Age=0
- Local storage
- XSS possible: any script running on the origin can read it, so an XSS bug leaks the token outright
- Only per origin (no sharing across subdomains)
- Not suitable for sensitive stuff
- Have to send the auth token yourself (e.g. in an Authorization header)
- Session storage
- Similar to local storage but scoped to the tab and cleared when it closes, which is better in that regard; it is still readable by script, so the XSS point stands
- See Cookies
- See Web Storage
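As an added example (not from the original notes), here is a minimal Go web-session setup that puts the cookie points above into code: a random server-side session ID issued in an HttpOnly, Secure, SameSite=Lax cookie with Domain=x.com so that a.x.com and b.x.com share it, a middleware that checks it, a POST-only logout that clears it, and a Sec-Fetch-Site check as the CSRF backstop that automatic cookie sending makes necessary. The in-memory store, the endpoint names and the x.com domain are assumptions for illustration; credential verification is left out.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
)

const cookieName = "session"

// sessionStore is an in-memory stand-in for the server-side session table (Redis, Postgres, ...), mapping session ID -> user ID.
type sessionStore struct{ sync.Map }

// create mints a 256-bit random session ID and binds it to userID; the cookie only ever carries this ID.
func (s *sessionStore) create(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.Store(id, userID)
	return id, nil
}

// sessionCookie sets the attributes discussed above: HttpOnly (script cannot read
// it), Secure (HTTPS only), SameSite=Lax (not sent on cross-site POSTs) and
// Domain=x.com so that a.x.com and b.x.com both send it ("" binds it to one host).
// maxAge < 0 deletes the cookie; Domain and Path must match or the browser keeps it.
func sessionCookie(id, domain string, maxAge int) *http.Cookie {
	return &http.Cookie{Name: cookieName, Value: id, Path: "/", Domain: domain,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: maxAge}
}

// allowPost gates state-changing endpoints: POST only, and never from a request the browser
// labels cross-site. This is the CSRF backstop automatic cookie sending requires; SameSite=Lax stops most upstream.
func allowPost(w http.ResponseWriter, r *http.Request) bool {
	switch {
	case r.Method != http.MethodPost:
		http.Error(w, "POST required", http.StatusMethodNotAllowed)
	case r.Header.Get("Sec-Fetch-Site") == "cross-site":
		http.Error(w, "cross-site request refused", http.StatusForbidden)
	default:
		return true
	}
	return false
}

// requireSession runs next only when the request carries a valid session cookie.
func (s *sessionStore) requireSession(next func(http.ResponseWriter, *http.Request, string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil {
			if userID, ok := s.Load(c.Value); ok {
				next(w, r, userID.(string))
				return
			}
		}
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
	}
}

// newMux wires /login, /whoami and /logout (assumed names); domain is the shared parent domain.
func newMux(s *sessionStore, domain string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if !allowPost(w, r) {
			return
		}
		// Credential verification is out of scope; a real app checks the password or IdP assertion here.
		userID := r.FormValue("user")
		if userID == "" {
			http.Error(w, "missing user", http.StatusBadRequest)
			return
		}
		id, err := s.create(userID)
		if err != nil {
			http.Error(w, "server error", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, sessionCookie(id, domain, 24*60*60))
		w.WriteHeader(http.StatusNoContent)
	})
	mux.HandleFunc("/whoami", s.requireSession(func(w http.ResponseWriter, _ *http.Request, userID string) { w.Write([]byte(userID)) }))
	mux.HandleFunc("/logout", s.requireSession(func(w http.ResponseWriter, r *http.Request, _ string) {
		if !allowPost(w, r) {
			return
		}
		c, _ := r.Cookie(cookieName) // present: requireSession already checked it
		s.Delete(c.Value)
		http.SetCookie(w, sessionCookie("", domain, -1))
		w.WriteHeader(http.StatusNoContent)
	}))
	return mux
}
```

Serve this behind TLS (or a TLS terminator): the cookie is marked Secure, so browsers drop it over plain HTTP. The cookie value here is a random ID, i.e. the web-session option of the next question; if the value were a JWT instead (as with Supabase in HttpOnly cookies), the same cookie attributes and the same CSRF caveat apply.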
What are the ways to do Authentication?
- Assuming we’re not dealing with OIDC (OpenID Connect) here.
- We have two options, web sessions and JWT. For both, cookies are a safe storage mechanism, but not necessarily all the time. Here comes “it depends”.