a guest
Jun 18th, 2019
Should the client or the server take more security precautions?

Both should be secure. The client has to handle different types of threats (social engineering, suspicious login activity). Things such as expiry time are important on the client side because it requires a reauth to maintain access. However,

What's the difference between local storage and session storage?

Local storage is stored for a longer time than session storage. Local storage will be stored until it is removed. Session storage will only be stored while the auth is valid. This could mean the browser/tab is still open and the expiry time hasn't passed.

What problem does a JWT expiry time solve?

This solves the problem of very old tokens being considered valid by the server despite having been issued a long time in the past.

Is a refresh endpoint protected or public?

Protected, because in order to gain one, you should have already supplied valid credentials/a valid token.

What would happen if a refreshed JWT was requested with a JWT that had already expired?

It would return a bad request (400) because the auth is no longer valid. The user would need to sign back in to get a good request.

What does it mean to queue a callback?

Assign a callback to be executed after a certain event has occurred. (User clicks a button, user has been idle for 5 minutes, setTimeout timer has run out)

What does the clearTimeout function do and what argument do you pass into it?

Removes the callback moved into the heap by the setTimeout function. Pass in a reference to the timeout you'd like to clear from the heap.

After which of the following events should a refresh request be queued?
A successful user registration request - Depends on the UX of the app. If you have them logged in after registering, yes. If not, no, because there would be no JWT to authenticate with when the timer runs out.
A successful login request - Yes.
A page load - Yes.
A successful API request to a protected endpoint for posting a comment - Yes.
A successful refresh request - Yes.
A push state navigation event - Yes.
A user logs out - No.
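The refresh-queuing behaviour the answers above describe (a setTimeout refresh callback queued from the token's expiry, replaced on each qualifying event, cleared with clearTimeout on logout, and refused outright when the token has already expired), as an added JavaScript example that is not part of the original paste. REFRESH_MARGIN_MS, queueRefresh, cancelRefresh and the demo token format are assumptions made for the example.

```javascript
// Added example, not code from the original paste: client-side JWT refresh
// scheduling. Read exp from the token, queue one refresh callback before expiry
// with setTimeout, clear it with clearTimeout on logout or when re-queuing.
// The client reads exp only for timing; the server verifies signature and exp.
const REFRESH_MARGIN_MS = 60 * 1000; // assumption: refresh one minute before exp

// Decode the (unverified) base64url payload of a JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}
// Ms until the refresh should fire, or null when the token is already expired
// (a refresh with it would get a 400; the user must log in again).
function msUntilRefresh(token, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(token);
  if (!Number.isFinite(exp)) throw new Error('JWT has no numeric exp claim');
  const expiresAtMs = exp * 1000;
  if (expiresAtMs <= nowMs) return null;
  return Math.max(0, expiresAtMs - nowMs - REFRESH_MARGIN_MS);
}
// One pending timer: re-queuing (login, page load, refresh, navigation,
// protected API call) replaces the old timer instead of stacking timers.
const refreshState = { timeoutId: null };

function cancelRefresh() {                 // call on logout
  if (refreshState.timeoutId !== null) {
    clearTimeout(refreshState.timeoutId);  // argument: the id setTimeout returned
    refreshState.timeoutId = null;
  }
}
function queueRefresh(token, refreshFn, nowMs = Date.now()) {
  cancelRefresh();
  const delay = msUntilRefresh(token, nowMs);
  if (delay === null) return false;        // expired: do not queue, force re-login
  refreshState.timeoutId = setTimeout(() => {
    refreshState.timeoutId = null;
    refreshFn(token);                      // e.g. POST to the protected refresh endpoint
  }, delay);
  return true;
}
// Constructed demo token (placeholder signature, never accepted by a real server).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
```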

What is OIDC?

OpenID Connect. Allows you to use third-party authentication providers to obtain user identity information to log into applications. For example, for certain services, you can log in using Facebook, Twitter, Apple.