Hey, @hkirat
Our current auth flow has critical risks:
- Plaintext passwords in DB
- JWT in localStorage (XSS risk)
- No session revocation / CSRF protection
Fix Plan (Backend + Frontend):
Backend:
- Bcrypt password hashing (zxcvbn for strength check)
- Access token (15m) + refresh token (7–30d) in HTTP-only Secure cookies
- Refresh token rotation + hashed storage in DB
- CSRF protection (csurf)
- Rate limiting on /login + Helmet security headers
Frontend:
- Remove localStorage token usage
- Send credentials with fetch using credentials: "include"
- Include CSRF token from cookie/header on state-changing requests
- Handle 401 → auto-refresh or redirect to login
Why now: Prevents DB leaks, stops XSS token theft, meets security standards.
Effort: Medium; can be shipped in <1 sprint.
-Noothi Akshith