Tags: vue.js, axios, electron, access-token

Storing and using personal access tokens in an electron app


I am using Electron to build a little desktop app to interact with my Laravel backend. I'm using Laravel Sanctum here so I can easily get a personal access token via HTTPS and then make authorized API requests with it. The token will be stored using node-keytar (main process). I am also using Vue.js on the frontend of the Electron app.

Now my question is: do I need to make all authorized API requests in the main process and send the received response via IPC to the renderer process? Or is it safe to make authorized requests (with the personal access token as a Bearer token) in the renderer process? On the one hand, I've read that as much as possible should be done in the renderer process to ensure performance. On the other hand, I don't know if the token could be intercepted somehow, and I can't find much information on this.

Can someone help? Thanks in advance!


Solution

It is pretty standard for a native client to send tokens directly from the UI to APIs - that is how non-JavaScript desktop apps would work, e.g. if coded in Java or C#.

Of course, for an Electron app node integration should be disabled in the renderer process, so the privileged code to use keytar has to run in the main process.

Something to compare against

There is a sample of mine here that uses OAuth for desktop apps with Electron, and keytar for token storage. I call APIs directly when getting data for views, and need to call from the renderer to the main process to deal with token storage.
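The split described in this answer (keytar only in the main process, a narrow IPC bridge for token storage, API calls made directly from the renderer with the Bearer token), as an added example that is not the answerer's sample and not code from the original post. The Electron and keytar wiring is written as dependency-injected functions so the file also runs under plain Node; `fakeKeytar` and `fakeIpc` are constructed stand-ins for `require('keytar')` and Electron's `ipcMain`/`ipcRenderer`, and the service/account names, channel names and allowed origins are assumptions for the example. The `event.senderFrame.url` check relies on Electron's real `IpcMainInvokeEvent.senderFrame` property.

```javascript
// Added example (not from the original post). Token storage stays in the main
// process; the renderer (nodeIntegration off, contextIsolation on) can only
// reach it through a fixed set of IPC channels exposed by the preload script.

const SERVICE = 'my-desktop-app';        // keytar service name (assumed)
const ACCOUNT = 'sanctum-token';         // keytar account name (assumed)
const CHANNELS = Object.freeze({
  get: 'auth:get-token',
  set: 'auth:set-token',
  clear: 'auth:clear-token',
});

// ---- main process: the only code that touches keytar --------------------
// In the real app: registerTokenIpc(require('electron').ipcMain, require('keytar'), ...)
function registerTokenIpc(ipcMain, keytar, { allowedOrigins }) {
  const assertTrustedSender = (event) => {
    // Reject calls from a window that navigated to a foreign origin or from a
    // third-party iframe; only our own app pages may ask for the token.
    const url = event.senderFrame && event.senderFrame.url;
    if (!allowedOrigins.some((o) => typeof url === 'string' && url.startsWith(o))) {
      throw new Error('untrusted IPC sender: ' + url);
    }
  };
  ipcMain.handle(CHANNELS.set, async (event, token) => {
    assertTrustedSender(event);
    if (typeof token !== 'string' || token.length === 0 || token.length > 4096) {
      throw new Error('invalid token');
    }
    await keytar.setPassword(SERVICE, ACCOUNT, token);
    return true;
  });
  ipcMain.handle(CHANNELS.get, async (event) => {
    assertTrustedSender(event);
    return keytar.getPassword(SERVICE, ACCOUNT); // null when nothing is stored
  });
  ipcMain.handle(CHANNELS.clear, async (event) => {
    assertTrustedSender(event);
    return keytar.deletePassword(SERVICE, ACCOUNT);
  });
}

// ---- preload: expose a minimal API, never ipcRenderer itself ------------
// In the real preload.js:
//   contextBridge.exposeInMainWorld('auth', buildPreloadApi(ipcRenderer));
function buildPreloadApi(ipcRenderer) {
  return Object.freeze({
    getToken: () => ipcRenderer.invoke(CHANNELS.get),
    setToken: (t) => ipcRenderer.invoke(CHANNELS.set, t),
    clearToken: () => ipcRenderer.invoke(CHANNELS.clear),
  });
}

// ---- renderer: fetch the token over the bridge, call the API directly ---
// `http` is an axios-like client with get(url, config); `auth` is window.auth.
async function authorizedGet(http, auth, url) {
  const token = await auth.getToken();
  if (!token) throw new Error('not logged in');
  return http.get(url, {
    headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' },
  });
}

// ---- constructed fakes so this file runs outside Electron ---------------
function fakeKeytar() {
  const store = new Map();
  const key = (s, a) => s + '\0' + a;
  return {
    setPassword: async (s, a, p) => { store.set(key(s, a), p); },
    getPassword: async (s, a) => (store.has(key(s, a)) ? store.get(key(s, a)) : null),
    deletePassword: async (s, a) => store.delete(key(s, a)),
  };
}
function fakeIpc(senderUrl) {
  const handlers = new Map();
  return {
    ipcMain: { handle: (ch, fn) => handlers.set(ch, fn) },
    ipcRenderer: {
      invoke: (ch, ...args) => {
        const fn = handlers.get(ch);
        if (!fn) return Promise.reject(new Error('no handler for ' + ch));
        return Promise.resolve().then(() => fn({ senderFrame: { url: senderUrl } }, ...args));
      },
    },
  };
}

// End-to-end run with a constructed token and a stub HTTP client that just
// echoes the Authorization header it was given.
async function demo(senderUrl) {
  const { ipcMain, ipcRenderer } = fakeIpc(senderUrl);
  registerTokenIpc(ipcMain, fakeKeytar(), { allowedOrigins: ['file://', 'app://'] });
  const auth = buildPreloadApi(ipcRenderer);
  const http = { get: async (url, cfg) => ({ url, authorization: cfg.headers.Authorization }) };
  await auth.setToken('1|constructed-sanctum-token');
  return authorizedGet(http, auth, 'https://api.example.test/user');
}

demo('file:///index.html').then((r) => console.log(r.authorization));
```

The renderer does hold the token in memory while it makes the request, which is the trade-off the answer accepts; what the bridge prevents is page scripts reading the OS keychain directly or invoking arbitrary channels, and the sender check keeps a navigated-away or embedded page from asking the main process for the token.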