gardner / react-oauth2-pkce

React auth provider that works with AWS cognito PKCE🛡️🔒
49 stars 57 forks source link

Auth token stored in local storage is an XSS vulnerablity #21

Open altenfreelance opened 3 years ago

altenfreelance commented 3 years ago

https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id

Storing auth token in local storage is an xss vulnerabilty.

Ridder90 commented 3 years ago

Actually... I dont see a reference to local storage?

gardner commented 2 years ago

I can confirm that it does use localStorage. Please see https://github.com/gardner/react-oauth2-pkce/blob/2c33d03a7f40a1059c774cb5d820fd06e0b83b98/src/AuthService.ts#L113

altenfreelance commented 2 years ago

https://auth0.com/docs/secure/security-guidance/data-security/token-storage#:~:text=Storing%20tokens%20in%20browser%20local,Analytics)%20included%20in%20the%20SPA.

robertito121 commented 2 years ago

this is definitely using local storage. For PKCE flow, does any body here know what i need to do to refresh this storage back to null when the user actually revokes access to the application on the server? I thought this would have been done automatically but it is not. the auth item still appears under local storage and session storage even after application has been revoked at the server