K
Kinde7mo ago
kbk

getToken from useKindeBrowserClient

Would it be possible for getToken from useKindeBrowserClient to asynchronously respond with token (ideally when isLoading is false)? I need to pass access_token in Authorization header - currently I'm working this around just grabbing access_token from cookies, but this is not ideal. My case is close to: 
const useApiInstance = () => {
  const { getToken } = useKindeBrowserClient();

  return async () => {
    const token = await getToken(); // <- I would love to do this
    const response = await axios.get("/something", { headers: { Authorization: "Bearer token" }});
    return response
  }
}
const useApiInstance = () => {
  const { getToken } = useKindeBrowserClient();

  return async () => {
    const token = await getToken(); // <- I would love to do this
    const response = await axios.get("/something", { headers: { Authorization: "Bearer token" }});
    return response
  }
}
Later I use this like: 
const fetcher = useApiInstance();
const fetcher = useApiInstance();
In above example code is executed before kinde is loaded (isLoaded: false), and getToken just returns null Would be nice if getToken returned promise that would at least wait for stuff to load. Similarly how it is build with useKindeAuth in @kinde-oss/kinde-auth-react (I haven't tried it myself, but getToken returns a promise.)
12 Replies
Oli - Kinde
Oli - Kinde7mo ago
Hey @kbk, Let me ask my team on the best way to solve your use-case. Before I ask my team, are you able to let me know what Kinde SDK you are using? And what version of the Kinde SDK you are using?
kbk
kbk7mo ago
latest version of kinde-auth-nextjs
Oli - Kinde
Oli - Kinde7mo ago
Hey @kbk, Yesterday we updated the nextJS SDK to v2.0.9: https://www.npmjs.com/package/@kinde-oss/kinde-auth-nextjs This version fixed a lot of issues. Can you please confirm you are using this version of the nextJS SDK?
npm
@kinde-oss/kinde-auth-nextjs
Kinde Auth SDK for NextJS. Latest version: 2.0.9, last published: a day ago. Start using @kinde-oss/kinde-auth-nextjs in your project by running npm i @kinde-oss/kinde-auth-nextjs. There are no other projects in the npm registry using @kinde-oss/kinde-auth-nextjs.
kbk
kbk7mo ago
yes, I use this now, but it doesn't seem like there were changes towards KindeState
kbk
kbk7mo ago
where we can find those code changes tho? I don't see latest 2.0.9 in here https://github.com/kinde-oss/kinde-auth-nextjs
GitHub
GitHub - kinde-oss/kinde-auth-nextjs: Kinde NextJS SDK - authentica...
Kinde NextJS SDK - authentication for server rendered apps - GitHub - kinde-oss/kinde-auth-nextjs: Kinde NextJS SDK - authentication for server rendered apps
Oli - Kinde
Oli - Kinde7mo ago
Let me pass this issue onto my nextJS expert teammate and get back to you.
Peteswah
Peteswah7mo ago
Hey @kbk there isn't a way to do that with useKindeBrowserClient unfortunately, but it can be achieved using getKindeSeverSession getKindeServerSession has to be used in a server component or route handler. One solution could be to grab the token in a server component and pass it through to the child client component where you are defining useApiInstance
kbk
kbk7mo ago
Yeah, I think I played with that solution, altho just grabbing access_token from cookies is easier. but, isn't keeping tokens (id, access and refresh) in JS accessible cookies a XSS vulnerability?
Oli - Kinde
Oli - Kinde7mo ago
Hey @kbk , Yes there will more or less be XSS concerns with frontend sessions. CSP (Content Security Policy) can help a lot though.
kbk
kbk7mo ago
should I take any preventive measures myself of is it something kinde handles?
Oli - Kinde
Oli - Kinde7mo ago
Hi @kbk , My team mate who is an expert on this area is off today but they should be back tomorrow, so I can get back to you tomorrow on this.
Oli - Kinde
Oli - Kinde7mo ago
Hey @kbk, So we have CSP set on pages we host to prevent CSP, so like login and register pages. We recommend you set CSP for your app, but what exactly you set will depend on your app, so it is hard to give specific advice. But generally with CSP you would disable inline scripts and whitelist external scripts. I couldn’t find a nice walkthrough article about it, but these are good references; https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://web.dev/articles/csp
MDN Web Docs
Content Security Policy (CSP) - HTTP | MDN
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
web.dev
Content security policy  |  Articles  |  web.dev
Content Security Policy can significantly reduce the risk and impact of cross-site scripting attacks in modern browsers.
Want results from more Discord servers?
Add your server
More Posts
Validating JWT tokens for non-OAuth mechanismsKinde supports non-OAuth mechanisms such as https://kinde.com/docs/authentication-and-access/azure/ Remove an enterpise connectionHow can I remove an enterprise connection from the `/admin/cx/_:nav&m:settings::_:submenu&s:authentiEnforcing permissionshttps://kinde.com/docs/user-management/user-permissions/ talks about how to create permissions. How Matching Users to OrganisationsI'm working on an auth solution for my application. I'm expecting users from multiple different OrgaFeature flagsIs there really no ways to delete or rename Feature flags ??Customize Registration FieldsCan I customize the registration fields? I would like to remove the first name and last name, just pLinking to my sign upHi, I want to link to my sign up account.mydomain.com from some landing pages that are generated bGetting error after signinI am using nuxt module, but when I sign in I am getting the following error, I can not work out whicNew Flutter Package + NextJsHello I am so happy that your Flutter package is released. I am building an website with NextJs and Custom Root DomainLogin works flawlessly. But I do have one question. the custom room domain leads to this page with