accounts-js / accounts

Fullstack authentication and accounts-management for Javascript.
https://www.accountsjs.com/
MIT License

storing token in localstorage with safari iOS ("The operation is insecure") #1120

Open acomito opened 3 years ago

acomito commented 3 years ago

Not really a bug but thought it could be good to have this conversation here for posterity.

I never noticed this before, but if you try to use localStorage with Safari, you get an error "The operation is insecure" and you can't store anything in localStorage.

I think this used to only be in private mode, but I'm seeing it in normal browsing too.

Anybody else running into this as of late? Are you storing your JWT in localstorage or elsewhere (I know this is frowned upon by a lot of people)?

Does accountsjs have other options (sessions/cookies)?

There are some other packages like store.js and localForage that may be a workaround:

https://github.com/localForage/localForage

I'm using local-storage-fallback right now, which lets people log in, but it won't persist if you refresh the page.

pradel commented 3 years ago

Okay, this is really bad. I wasn't aware of this. Is there some other recommended storage? As a workaround you can store in js-cookies to get persistent sessions on Safari.

acomito commented 3 years ago

Were you able to reproduce it?

pradel commented 3 years ago

I didn't try, but didn't get any complaints from our users so far.

acomito commented 3 years ago

I can't seem to get js-cookie to work on iOS... right now I'm using local-storage-fallback like this:


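import storage from 'local-storage-fallback';

// iOS() is the poster's own detection helper; it is not shown in the thread.
// The wrapper name is illustrative: the thread shows only the three methods.
const tokenStorage = {
  // Read a value: native localStorage off iOS, the fallback store on iOS.
  getLocalStorage: (valueName) => {
    try {
      if (!iOS()) {
        return window.localStorage.getItem(valueName);
      } else {
        return storage.getItem(valueName);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },
  // Write a value through the same platform switch.
  setLocalStorage: (valueName, valueToSet) => {
    try {
      if (!iOS()) {
        return window.localStorage.setItem(valueName, valueToSet);
      } else {
        return storage.setItem(valueName, valueToSet);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },
  // Delete a value through the same platform switch.
  removeLocalStorage: (valueName) => {
    try {
      if (!iOS()) {
        return window.localStorage.removeItem(valueName);
      } else {
        return storage.removeItem(valueName);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },
};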

The only issue is if we do a page refresh, it loses the token.
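
One way to get the refresh-surviving fallback discussed in this thread, as an added example (not part of the thread and not accounts-js code): probe localStorage once instead of sniffing for iOS, fall back to a cookie, and only then to memory. The `env` parameter, the function names and the one-hour lifetime are assumptions made for illustration.

```javascript
// Added example. `env` stands in for the browser's `window` (assumption).
function probeLocalStorage(env) {
  try {
    const ls = env.localStorage; // reading the property can itself throw
    ls.setItem('__probe__', '1'); // a blocked or zero-quota store throws here
    ls.removeItem('__probe__');
    return ls;
  } catch (err) {
    return null;
  }
}

// Cookie-backed store with the same getItem/setItem/removeItem shape.
// A cookie written from script cannot be HttpOnly, so keep its lifetime short.
function cookieStore(doc, maxAgeSeconds) {
  const attrs = '; Path=/; SameSite=Strict; Secure';
  const write = (name, value, age) => {
    doc.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Max-Age=${age}${attrs}`;
  };
  return {
    getItem(name) {
      const prefix = `${encodeURIComponent(name)}=`;
      const hit = doc.cookie.split('; ').find((c) => c.startsWith(prefix));
      return hit ? decodeURIComponent(hit.slice(prefix.length)) : null;
    },
    setItem: (name, value) => write(name, String(value), maxAgeSeconds),
    removeItem: (name) => write(name, '', 0),
  };
}

function memoryStore() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Order: localStorage, then cookie (survives a refresh), then memory (does not).
function createTokenStorage(env, maxAgeSeconds = 3600) {
  const ls = probeLocalStorage(env);
  if (ls) return { kind: 'localStorage', store: ls };
  if (env.document) {
    const cookies = cookieStore(env.document, maxAgeSeconds);
    cookies.setItem('__probe__', '1');
    const ok = cookies.getItem('__probe__') === '1';
    cookies.removeItem('__probe__');
    if (ok) return { kind: 'cookie', store: cookies };
  }
  return { kind: 'memory', store: memoryStore() };
}
```

In a browser, call `createTokenStorage(window)` once at startup and read or write the token through the returned `store`; `kind` tells you whether the session will survive a reload.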