# prisma-whats-new
t
@ckelley For web I think Auth0 recommends not using or storing a refresh token, but using silent reauth. On a mobile client I assume the sandboxed app storage is considered secure enough for typical apps. Regarding createUser, I guess some kind of limit per device or similar protection could be useful.
c
@trond interesting. Okay, so how about when Auth0 is not used for authentication - say, we're using the email/password auth integration?
t
Good question, I haven't looked at that. Just checked now, and it seems like they're issuing a 30-day token. For a web app, I believe this is not considered secure, since the browser is handling a 30-day token.
Web app as in SPA
I think the Auth0 method stores an HTTPS cookie that allows silent reauth.
c
Yeah, the documentation (https://www.graph.cool/docs/tutorials/react-apollo-email-oopheesaj9/) also suggests using localStorage in the browser to hold the token and then injecting it into the `Authorization` header. From what I've read this prevents CSRF attacks (https://stackoverflow.com/a/27084126), because the browser does not automatically add the `Authorization` header on request. However, localStorage is completely vulnerable to XSS since it can be accessed via JS (https://stackoverflow.com/a/37396572).
t
Right, that's why the Auth0 folks are against it.