Closed: VirginiaBalseiro closed this issue 4 weeks ago
Hi @VirginiaBalseiro,
Thanks for reporting this. Indeed, AMC is on v2.0.0 of the library: https://github.com/inrupt/authorization-management-component/blob/9b8976a9bd153b6cb4622b04d31d569fe16d1b05/package.json#L33.
The refresh token should not be stored in the local storage. However, by default, the session is DPoP-bound, which means that without the DPoP key the refresh token is unusable. Since the DPoP key is not stored in local storage, this mitigates the severity of the issue (which should be fixed nonetheless).
v2.2.1 should resolve this issue. Let us know if you see it persisting!
Search terms you've used
Impacted package
Which packages do you think might be impacted by the bug?
Bug description
Refresh tokens are being stored in local storage, posing a significant security risk.
To Reproduce
Expected result
Refresh tokens should generally not be stored in local storage. This is also outlined in the security policy of this repository.
Actual result
Refresh tokens are being stored in local storage.
Environment
Additional information
The presence of refresh tokens in local storage can lead to severe security breaches, including unauthorized access to user accounts. Immediate action is required to mitigate this risk and ensure the safety and security of users' data.
Screenshot