Closed zymr-keshav closed 6 years ago
The fact that it inserts quotes around a string is actually by design, since it serializes values as JSON. This is also mentioned in the README.md file:
The storage services can be used to store any value that can be serialized as a JSON string. This means you do not have to serialize and deserialize non-string values yourself, which makes the use of the storage services a bit more ergonomic compared to the direct use of localStorage and sessionStorage.
I don't see why the JSON serialization/deserialization is a vulnerability. Can you explain why "this is vulnerable"?
As for clearing all storage items at once: you are correct. That feature is currently not implemented. I didn't need it at the time, but it will be easy to add. I will make that part of the next release.
I store a JWT token in session storage and I need to send the token with the request in a header in the format below:
'Bearer <token value from session storage>'
But when I use your library I explicitly need to do JSON.parse(token_in_session_storage)
before adding it to the header, which leads to confusion. That's why.
There must be one extra parameter for whether a user wants to enclose the value in quotes or not.
And by the way, what is the difference if I directly use SessionStorage? Please give any example where your library can help and prevent any kind of issue better than the direct usage of SessionStorage.
I addressed the issue by introducing storage transcoders in version 3.0.0 (which I just released). Now you can skip the JSON parsing by using the STRING transcoder:
import { StorageTranscoders } from 'ngx-webstorage-service';
const accessToken = storageService.get('TOKEN_KEY', StorageTranscoders.STRING);
Furthermore, I have also added a clear() function to the StorageService interface, which can be used to clear the whole storage.
Almost forgot: version 3.0.0 has some small breaking changes. Check the changelog to review them and how to migrate (should be easy).
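As an added example, not code from the ngx-webstorage-service project: a minimal stand-in for the transcoder design described above, showing why the default JSON transcoder stores a string token with surrounding quotes (the double-quote effect reported in this issue) and how a STRING transcoder returns a value that can go straight into the Bearer header. The MemoryStorageService class, the two transcoder constants and the sample token are assumptions constructed for the example, not the library's own code.

```typescript
interface StorageTranscoder<T> {
  encode(value: T): string;
  decode(raw: string): T;
}

// Default behaviour described in the README: every value is serialized as JSON,
// so a string is stored with surrounding double quotes.
const JSON_TRANSCODER: StorageTranscoder<any> = { encode: (v) => JSON.stringify(v), decode: (raw) => JSON.parse(raw) };

// Stand-in for StorageTranscoders.STRING: the value is stored and returned verbatim.
const STRING_TRANSCODER: StorageTranscoder<string> = { encode: (v) => v, decode: (raw) => raw };

// In-memory replacement for sessionStorage so the example runs outside a browser (assumed helper).
class MemoryStorageService {
  private readonly items = new Map<string, string>();
  set<T>(key: string, value: T, transcoder: StorageTranscoder<T>): void {
    this.items.set(key, transcoder.encode(value));
  }
  get<T>(key: string, transcoder: StorageTranscoder<T>): T | undefined {
    const raw = this.items.get(key);
    return raw === undefined ? undefined : transcoder.decode(raw);
  }
  rawItem(key: string): string | undefined { return this.items.get(key); } // what getItem() would see
  clear(): void { this.items.clear(); }                                   // the clear() added in 3.0.0
}

// Constructed sample value, not a real credential.
const SAMPLE_TOKEN = 'header.payload.signature';

// Builds the Authorization header without any JSON.parse() step.
function buildAuthHeader(storage: MemoryStorageService, key: string): string {
  const token = storage.get(key, STRING_TRANSCODER);
  if (token === undefined) throw new Error(`no token stored under ${key}`);
  return `Bearer ${token}`;
}

// Stores the same token both ways and reports what each path yields.
function compareTranscoders(): { jsonRaw: string; stringRaw: string; header: string } {
  const storage = new MemoryStorageService();
  storage.set('TOKEN_KEY', SAMPLE_TOKEN, JSON_TRANSCODER);
  const jsonRaw = storage.rawItem('TOKEN_KEY')!;   // '"header.payload.signature"', quotes included
  storage.set('TOKEN_KEY', SAMPLE_TOKEN, STRING_TRANSCODER);
  const stringRaw = storage.rawItem('TOKEN_KEY')!; // 'header.payload.signature', no quotes
  const header = buildAuthHeader(storage, 'TOKEN_KEY');
  storage.clear();
  return { jsonRaw, stringRaw, header };
}
```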
When we save a token and get the token back, it wraps the token in double quotes if the item type is string; this is vulnerable.
Also, there is no way to clear all session storage items at once.