While building a javascript SPA (single page application) I need to display some pages differently based on if the user is logged in or not.
Auth is handled by JWT which is served via httpOnly cookie and secure headers.
That leaves cookie not accessible from the SPA javascript and that in turn means I don't know if the user is logged in or not.
I did check some posts on how to solve this problem and found some suggestions like
send another cookie which is not httpOnly with some flag like session ID or user ID with expiry date and in the client side JS, use that cookie to see if the user is authenticated.
create an endpoint on API server, something like /is-logged-in and make a http call from JS to check if the user is authenticated or not before displaying the page.
store JWT locally without cookies (obviously a no go due to the security reasons and the amount of code I will have to write to mitigate all kinds of possible stealing attacks)
I am late to the SPA party but I am sure this has to be a long solved problem. I am unable to see something obvious I guess.
Please point me to the right direction.
For completeness, here are some unanswered, semi answered related posts
You have basically two choices: