When the SPA calls only an API that is served from a domain that can share cookies with the domain of the SPA, no tokens are needed. OAuth adds additional attack vectors without providing any additional value and should be avoided in favor of a traditional cookie-based approach.

When the SPA calls multiple APIs that reside in a different domain, access tokens and, optionally, refresh tokens are needed.

If the SPA backend can handle the API calls, then it functions similar to a traditional web application that handles tokens server-side using:

- Authorization Code Flow with Proof Key for Code Exchange

If the SPA backend cannot handle the API calls, then it functions similar to a mobile application that stores tokens in the SPA backend, but the SPA needs to fetch the tokens from the backend to perform requests to the API. A protocol needs to be established between the backend and the SPA to allow the secure transfer of the token from the backend to the SPA.

If you have a SPA with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence. To make API calls, your SPA would then use the in-memory copy of the token.

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs; however, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack can be either in the SPA source code or in any third-party JavaScript code (such as Bootstrap, jQuery, or Google Analytics) included in the SPA.

To reduce security risks if your SPA is using implicit (we recommend using authorization code flow with PKCE instead) or hybrid flows, you can reduce the absolute token expiration time.
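An added example (not Auth0's SDK or the page's own code) of the no-backend case described above: a SPA-side store that keeps the access token only inside a closure, never in localStorage or sessionStorage, and discards it once its absolute expiration passes. The token response shape (`access_token`, `expires_in`) and the token value used in comments are constructed for illustration.

```javascript
// In-memory token holder for a SPA without a backend (added example).
// The token lives only in this closure: nothing is written to localStorage
// or sessionStorage, so there is no persistent copy for injected script to read.
// A short absolute lifetime limits how long a leaked in-memory copy stays useful.
function createTokenStore(now = () => Date.now()) {
  let accessToken = null; // held only here, lost on page refresh by design
  let expiresAt = 0;      // absolute expiry, milliseconds since epoch

  return {
    // Called once after login with the token response; expires_in is in seconds.
    setFromTokenResponse({ access_token, expires_in }) {
      if (typeof access_token !== 'string' || access_token.length === 0) {
        throw new Error('token response has no access_token');
      }
      const ttlMs = Number(expires_in) * 1000;
      if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
        throw new Error('token response has an invalid expires_in');
      }
      accessToken = access_token;
      expiresAt = now() + ttlMs;
    },

    // Returns the token for an API call, or null when absent or expired.
    // An expired token is dropped so it can never be sent by mistake.
    getAccessToken() {
      if (accessToken === null) return null;
      if (now() >= expiresAt) {
        accessToken = null;
        expiresAt = 0;
        return null;
      }
      return accessToken;
    },

    // Called on logout.
    clear() {
      accessToken = null;
      expiresAt = 0;
    },
  };
}

// Builds the Authorization header for an API request from the in-memory copy.
// Returns null when the SPA has to send the user through login again.
function authHeaderFor(store) {
  const token = store.getAccessToken();
  return token === null ? null : { Authorization: `Bearer ${token}` };
}
```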
We recommend using the Auth0 SPA SDK to handle token storage, session management, and other details for you.

Custom tokens at native speed and scalability, without ERC20

The Elrond network natively supports the issuance of custom tokens, without the need for contracts such as ERC20, but addressing the same use-cases. ESDT stands for Elrond Standard Digital Token.

And due to the native in-protocol support, transactions with custom tokens do not require the VM at all. In effect, this means that custom tokens are as fast and as scalable as the native EGLD token itself.

Users also do not need to worry about sharding when transacting custom tokens, because the protocol employs the same handling mechanisms for ESDT transactions across shards as the mechanisms used for the EGLD token. Sharding is therefore automatically handled and invisible to the user.

Technically, the balances of ESDT tokens held by an Account are stored directly under the data trie of that Account. It also implies that an Account can hold balances of any number of custom tokens, in addition to the native EGLD balance. The protocol guarantees that no Account can modify the storage of ESDT tokens, neither its own nor of other Accounts.

ESDT tokens can be issued, owned and held by any Account on the Elrond network, which means that both users and smart contracts have the same functionality available to them. Due to the design of ESDT tokens, smart contracts can manage tokens with ease, and they can even react to an ESDT transfer.

Issuance of fungible ESDT tokens

ESDT tokens are issued via a request to the Metachain, which is a transaction submitted by the Account which will manage the tokens. When issuing a token, one must provide a token name, a ticker, the initial supply, the number of decimals for display purposes and optionally additional properties.