In a web browser, the usual way to store access and refresh tokens is to use browser storage mechanisms such as cookies or localStorage. Cookies are small text files that are stored on the user's computer and are sent to the server with each request, while localStorage is a key-value store that persists even after the user closes the browser.
Access tokens are typically stored in cookies or localStorage, depending on the security requirements of the application. Cookies are often used for access tokens when security is a priority, as they can be set to be HttpOnly and Secure, preventing access to the token from JavaScript and only allowing the browser to send it over secure HTTPS connections.
Refresh tokens are typically stored in HttpOnly cookies since they are long-lived and need to be kept secure from JavaScript. By using HttpOnly cookies, the browser can only access the token when sending a request to the server, preventing client-side attacks that try to steal the token.
In mobile applications, tokens are typically stored in a secure storage area that is accessible only to the application. There are several ways to store tokens securely on mobile devices, including:
Keychain: On iOS, the Keychain provides a secure storage mechanism for sensitive information like tokens. On Android, the Android Keystore provides similar functionality.
SharedPreferences: On Android, SharedPreferences is a lightweight key-value storage mechanism that can be used to store small amounts of data, including tokens.
SQLite database: On both iOS and Android, tokens can be stored in a SQLite database. This is a more flexible option that can handle larger amounts of data.
Local Storage: In some cases, tokens can be stored in local storage on the mobile device. However, this approach is generally less secure than the other options listed above and should be avoided if possible.
Correct, if you are using Kakao for social login and the tokens are being handled by Kakao, you do not need to save the tokens issued by Kakao in your database. You only need to save the tokens issued by your Node application.
When a user logs in using Kakao, you will receive an access token and a refresh token from Kakao. These tokens are used by your Node application to access the Kakao API on behalf of the user. You can use these tokens to make API requests to Kakao and retrieve user data. However, you do not need to save these tokens in your database.
Instead, you should save the access token and refresh token issued by your Node application in your database. These tokens are used to authenticate the user when they make subsequent requests to your application.