dscheerens / ngx-webstorage-service

Module for Angular that provides service wrappers for the Web Storage API
MIT License

wrap token with double quotes #1

Closed zymr-keshav closed 6 years ago

zymr-keshav commented 6 years ago

When we save a token and get the token back, it wraps the token with double quotes if the item type is string; this is vulnerable.

Also, there is no way to clear all session storage items at once.

dscheerens commented 6 years ago

The fact that it inserts quotes around a string is actually by design, since it serializes values as JSON. This is also mentioned in the README.md file:

The storage services can be used to store any value that can be serialized as a JSON string. This means you do not have to serialize and deserialize non-string values yourself, which makes the use of the storage services a bit more ergonomic compared to the direct use of localStorage and sessionStorage.

I don't see why the JSON serialization/deserialization is a vulnerability. Can you explain why "this is vulnerable"?

As for clearing all storage items at once: you are correct. That feature is currently not implemented. I didn't need it at the time, but it will be easy to add. I will make that part of the next release.

zymr-keshav commented 6 years ago

I store the JWT token in session storage and I need to send the token with the request in the header in the format below:

'Bearer <token value from session storage >'

But when I use your library I explicitly need to do JSON.parse(token_in_session_storage) before adding it to the header, which leads to confusion. That's why.

There must be one extra parameter for whether a user wants to enclose the value in quotes or not.

And by the way, what is the difference if I directly use SessionStorage? Please give an example where your library can help and prevent any kind of issue better than the direct usage of SessionStorage.

dscheerens commented 6 years ago

I addressed the issue by introducing storage transcoders in version 3.0.0 (which I just released). Now you can skip the JSON parsing by using the STRING transcoder:

import { StorageTranscoders } from 'ngx-webstorage-service';

const accessToken = storageService.get('TOKEN_KEY', StorageTranscoders.STRING);

Furthermore, I have also added a clear() function to the StorageService interface, which can be used to clear the whole storage.
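How the quoting discussed in this thread arises, as an added example (not code from ngx-webstorage-service or its author): a minimal in-memory stand-in for sessionStorage and two transcoders, one JSON-based and one pass-through, modelled on the JSON-versus-STRING distinction above. The names MemoryStorage, TypedStorage, JSON_TRANSCODER, STRING_TRANSCODER and demo are this example's own, as is the choice to return undefined when a stored value cannot be decoded; the token value is constructed, not a real JWT.

```typescript
// Added example, not the library's code. A transcoder decides how a value is
// turned into the string that Web Storage can hold, and back again.
interface StorageTranscoder<T> {
  encode(value: T): string;
  // Returns undefined when the raw string cannot be decoded (this example's choice).
  decode(raw: string): T | undefined;
}

// JSON transcoder: a string value is stored WITH surrounding double quotes,
// because JSON.stringify('abc') === '"abc"'. Reading it back through the same
// transcoder removes them again.
const JSON_TRANSCODER: StorageTranscoder<unknown> = {
  encode: (value) => JSON.stringify(value),
  decode: (raw) => {
    try {
      return JSON.parse(raw);
    } catch {
      return undefined; // not valid JSON, e.g. a value written raw by other code
    }
  },
};

// String transcoder: stores the string exactly as given, no quotes added.
const STRING_TRANSCODER: StorageTranscoder<string> = {
  encode: (value) => value,
  decode: (raw) => raw,
};

// Stand-in for window.sessionStorage so the example runs outside a browser.
class MemoryStorage {
  private items = new Map<string, string>();
  getItem(key: string): string | null {
    const v = this.items.get(key);
    return v === undefined ? null : v;
  }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
  clear(): void { this.items.clear(); }
  get length(): number { return this.items.size; }
}

// Thin service wrapper: every get/set goes through an explicit transcoder.
class TypedStorage {
  constructor(private backend: MemoryStorage) {}
  set<T>(key: string, value: T, transcoder: StorageTranscoder<T>): void {
    this.backend.setItem(key, transcoder.encode(value));
  }
  get<T>(key: string, transcoder: StorageTranscoder<T>): T | undefined {
    const raw = this.backend.getItem(key);
    return raw === null ? undefined : transcoder.decode(raw);
  }
  // Clears the whole backing store, the feature requested in this thread.
  clear(): void { this.backend.clear(); }
}

// Constructed sample token (three dot-separated parts, not a real JWT).
const SAMPLE_TOKEN = 'header.payload.signature';

function demo() {
  const backend = new MemoryStorage();
  const storage = new TypedStorage(backend);

  // 1. JSON transcoder: raw storage holds the quoted form, the wrapper hides it.
  storage.set('TOKEN_KEY', SAMPLE_TOKEN, JSON_TRANSCODER);
  const rawJson = backend.getItem('TOKEN_KEY');
  const viaJson = storage.get('TOKEN_KEY', JSON_TRANSCODER) as string | undefined;

  // 2. String transcoder: raw storage and wrapper agree, no quotes anywhere.
  storage.set('TOKEN_KEY', SAMPLE_TOKEN, STRING_TRANSCODER);
  const rawString = backend.getItem('TOKEN_KEY');
  const viaString = storage.get('TOKEN_KEY', STRING_TRANSCODER);

  // 3. Mixed access: a value written raw by other code is not valid JSON,
  //    so decoding it through the JSON transcoder fails instead of throwing.
  backend.setItem('OTHER', SAMPLE_TOKEN);
  const mixed = storage.get('OTHER', JSON_TRANSCODER);

  const header = `Bearer ${viaString}`;

  storage.clear();
  return { rawJson, viaJson, rawString, viaString, mixed, header, lengthAfterClear: backend.length };
}
```

Reading a value with a different transcoder than the one that wrote it is the source of the confusion in this thread: the JSON-encoded token is `"header.payload.signature"` in the raw store, so a direct sessionStorage.getItem call sees the quotes, while the wrapper's get does not. Using one transcoder consistently on both sides, or the STRING one for opaque tokens, avoids the mismatch.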

dscheerens commented 6 years ago

Almost forgot: version 3.0.0 has some small breaking changes. Check the changelog to review them and how to migrate (should be easy).