Integrating multi-back-end authentication
"When you have an app using cookies and can't simply switch to tokens overnight, you have to support both."
For XSS & CSRF avoidance:
do not store the token in any browser storage on the client side; instead, either
a) use a unique x-csrf token sent as an HttpOnly cookie
or
b) store the access token in memory and write the refresh token to a secure HttpOnly cookie, which is used to get a new access token as needed.
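
A sketch of option (b), added here as an example and not taken from the referenced source: the server issues the refresh token as a cookie, and the browser keeps the access token only in a closure. The cookie name `refresh_token`, the `/auth/refresh` endpoint, the `{ access_token, expires_in }` response shape and the function names are all assumptions.

```javascript
// Added example: names, paths and lifetimes below are assumptions.

// Server side: Set-Cookie value for the refresh token. HttpOnly hides it from
// page scripts (XSS), Secure keeps it on HTTPS, SameSite=Strict and a narrow
// Path keep it off cross-site requests and off every other endpoint.
function refreshCookie(token, maxAgeSeconds = 7 * 24 * 3600) {
  if (!/^[A-Za-z0-9._~-]+$/.test(token)) throw new Error("unsafe cookie value");
  return `refresh_token=${token}; Max-Age=${maxAgeSeconds}; Path=/auth/refresh; ` +
         "HttpOnly; Secure; SameSite=Strict";
}

// Browser side: the access token lives only in this closure, never in
// localStorage, sessionStorage or a script-readable cookie.
function createTokenClient(fetchImpl, refreshUrl = "/auth/refresh") {
  let accessToken = null;   // lost on reload, then re-fetched via the cookie
  let expiresAt = 0;        // epoch milliseconds
  let inFlight = null;      // shares one refresh between concurrent callers

  async function refresh() {
    // credentials: "include" makes the browser attach the HttpOnly cookie;
    // this script never sees the refresh token itself.
    const res = await fetchImpl(refreshUrl, { method: "POST", credentials: "include" });
    if (!res.ok) { accessToken = null; expiresAt = 0; throw new Error("re-authentication required"); }
    const body = await res.json();   // assumed shape: { access_token, expires_in }
    accessToken = body.access_token;
    expiresAt = Date.now() + body.expires_in * 1000;
    return accessToken;
  }

  async function getAccessToken() {
    if (accessToken && Date.now() < expiresAt - 5000) return accessToken; // 5 s skew
    if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
    return inFlight;
  }

  async function apiFetch(url, init = {}) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${await getAccessToken()}` };
    return fetchImpl(url, { ...init, headers });
  }

  return { getAccessToken, apiFetch };
}
```

In a browser, pass `window.fetch.bind(window)` as `fetchImpl`; a page reload empties the closure and the next call re-obtains an access token through the cookie.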
References: Hasura