I'm currently implementing auth using JWT and I'm having some concerns about security. The application is written in React + Golang (backend API).
Given the password grant flow, this is how the application works:
The user logs in with his credentials and is returned a short-lived JWT (without any sensitive information) and a long-lived refresh token. The refresh token is saved in the DB (so that it can be revoked if necessary).
Given that I store the tokens in local storage, the app is served via SSL, and the submitted form data on the client is sanitized on the backend for protection against XSS, are there any other major security risks?
Alternatively, I was also thinking of storing the access token in local storage and the refresh token in an HTTP-only cookie (protected against CSRF). That way, if an attacker manages to get his hands on the access token, he will have a short window to perform his actions.
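Below is an added example of the token flow the question describes, written for this page in Go and not taken from the poster's application: a short-lived HS256 access token with a verifier that pins the algorithm and compares the MAC in constant time, an opaque random refresh token whose SHA-256 is what gets stored (so the stored row can be revoked and a leaked table cannot be replayed), rotation on refresh, and the HttpOnly cookie from the second design with the flags a practitioner would set on it. The signing key, the `/auth/refresh` path, the cookie name and the in-memory `RefreshStore` standing in for the DB table are all assumptions for illustration; the JWT is hand-rolled on the standard library only so the example runs without third-party modules.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Hypothetical HS256 key; in production load 32+ random bytes from a secrets manager.
var jwtKey = []byte("example-key-replace-with-random-bytes-from-a-secrets-manager")

// Claims carries only what the API needs; the payload is readable by anyone, so nothing sensitive.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(input string) []byte {
	mac := hmac.New(sha256.New, jwtKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// SignJWT issues the short-lived access token.
func SignJWT(sub string, now time.Time, ttl time.Duration) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	pl, _ := json.Marshal(Claims{Sub: sub, Exp: now.Add(ttl).Unix()})
	input := b64(hdr) + "." + b64(pl)
	return input + "." + b64(sign(input))
}

// VerifyJWT pins the algorithm, compares the MAC in constant time, then checks expiry.
func VerifyJWT(tok string, now time.Time) (Claims, error) {
	var c Claims
	var hdr struct{ Alg string `json:"alg"` }
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err := dec(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg") // rejects alg=none and key-confusion attempts
	}
	sig, err := dec(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	pl, err := dec(parts[1])
	if err != nil || json.Unmarshal(pl, &c) != nil || now.Unix() >= c.Exp {
		return c, errors.New("bad payload or expired token")
	}
	return c, nil
}

// RefreshStore stands in for the refresh-token DB table (assumed; a real DB handles concurrency).
// Only sha256(token) is stored, so a leaked dump cannot be replayed; revoking a token deletes its row.
type RefreshStore map[string]refreshRow

type refreshRow struct {
	Sub     string
	Expires time.Time
}

func hashToken(t string) string { h := sha256.Sum256([]byte(t)); return b64(h[:]) }

// Issue creates a 256-bit random opaque refresh token (deliberately not a JWT) and stores its hash.
func (s RefreshStore) Issue(sub string, now time.Time, ttl time.Duration) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no usable entropy on the host; never fall back to anything weaker
	}
	tok := b64(raw)
	s[hashToken(tok)] = refreshRow{Sub: sub, Expires: now.Add(ttl)}
	return tok
}

// Redeem accepts a refresh token once and revokes it on use (rotation), so a stolen copy replayed later fails.
func (s RefreshStore) Redeem(tok string, now time.Time) (string, error) {
	row, ok := s[hashToken(tok)]
	if !ok || !now.Before(row.Expires) {
		return "", errors.New("refresh token invalid, expired or revoked")
	}
	delete(s, hashToken(tok))
	return row.Sub, nil
}

// RefreshCookie delivers the refresh token in the question's second design: HttpOnly keeps it away
// from script, Secure pins it to TLS, SameSite=Strict plus a Path scoped to the refresh endpoint
// keep cross-site requests from carrying it. The path and name are assumptions.
func RefreshCookie(tok string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name: "refresh_token", Value: tok, Path: "/auth/refresh",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
		MaxAge: int(ttl.Seconds()),
	}
}
```

A refresh handler would read the cookie, call `Redeem`, and on success mint a new access token with `SignJWT` and a fresh refresh token with `Issue`, setting the new one via `RefreshCookie`; logout or an admin action revokes by deleting the stored hash. The refresh token is random and opaque rather than a second JWT so that its validity is decided only by the DB row, which is what makes revocation work.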