This repository was archived by the owner on Jun 15, 2023. It is now read-only.

Auth token stored in local storage is an XSS vulnerability #21

Open

altenfreelance opened this issue Sep 1, 2021 · 4 comments
altenfreelance (Contributor) commented Sep 1, 2021

https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id

Storing an auth token in local storage is an XSS vulnerability.

@gardner gardner self-assigned this Sep 13, 2021
Ridder90 commented Nov 9, 2021

Actually... I don't see a reference to local storage?

gardner (Owner) commented Jan 6, 2022

I can confirm that it does use localStorage. Please see

return window.localStorage.getItem(key)

robertito121 commented

This is definitely using local storage. For the PKCE flow, does anybody here know what I need to do to refresh this storage back to null when the user actually revokes access to the application on the server? I thought this would have been done automatically, but it is not. The auth item still appears under local storage and session storage even after the application has been revoked at the server.
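The two concerns raised in this thread, a token that any script on the page can read out of localStorage and storage that is never cleared once the server has revoked access, can be handled together by wrapping storage in a small store. The example below is added here and is not this project's code: it keeps the access token in memory only, persists just non-secret state, and wipes every key it owns as soon as the server rejects the token (a 401), which is the client's first observable signal of revocation. The key names, the in-memory Storage shim (so it runs under Node), and the `handleApiResponse` helper are assumptions made for illustration; in a browser you would pass `window.localStorage` and `window.sessionStorage` instead of the shim.

```javascript
// Added example, not the project's code. Key names and the storage shim are
// constructed for this illustration.

// Minimal Storage-like shim so the example runs offline under Node.
// In a browser, use window.localStorage / window.sessionStorage instead.
function makeStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}

class TokenStore {
  constructor({ local, session, keys }) {
    this.local = local;       // persistent storage (survives tab close)
    this.session = session;   // per-tab storage
    this.keys = keys;         // every key this store is allowed to write
    this.accessToken = null;  // memory only; never written to either storage
  }

  // Persist only non-secret state (e.g. a post-login redirect target).
  // The access token stays in memory, so an injected script that enumerates
  // storage does not find it there.
  saveSession({ accessToken, state }) {
    this.accessToken = accessToken;
    this.session.setItem(this.keys.state, JSON.stringify(state));
  }

  // Called on logout and whenever the server signals that access is gone.
  clear() {
    this.accessToken = null;
    for (const key of Object.values(this.keys)) {
      this.local.removeItem(key);
      this.session.removeItem(key);
    }
  }

  hasToken() {
    return this.accessToken !== null;
  }
}

// Revocation on the server is not pushed to the client; the first sign is an
// API call that comes back 401. Treat that as "wipe everything client-side".
function handleApiResponse(store, response) {
  if (response.status === 401) {
    store.clear();
    return { authenticated: false, reason: 'token rejected by server' };
  }
  return { authenticated: store.hasToken(), reason: 'ok' };
}

// Audit helper: list whatever this store has left in persistent storage.
// For a correctly built store this never contains the access token.
function persistedValues(store) {
  return Object.values(store.keys)
    .map((k) => store.local.getItem(k))
    .filter((v) => v !== null);
}

// Stand-alone demo.
const demoStore = new TokenStore({
  local: makeStorage(),
  session: makeStorage(),
  keys: { auth: 'auth', state: 'auth_state' }, // constructed key names
});
demoStore.saveSession({ accessToken: 'constructed-token', state: { returnTo: '/' } });
console.log('persisted:', persistedValues(demoStore));         // []
console.log(handleApiResponse(demoStore, { status: 401 }));     // authenticated: false
console.log('token after 401:', demoStore.hasToken());          // false
```

Clearing on a 401 does not by itself make a revoked token unusable elsewhere; it only stops the client from keeping stale state around. The point of keeping the token out of localStorage is that an XSS payload can still call the API from the victim's tab while it is open, but it can no longer lift a persistent token out of storage for later use.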
