jackrobertscott / authpack-client-190806

🔒 Authpack is a complete user login and payment system for your web projects.
https://authpack.io

Token Security #17

Open lukeburns opened 4 years ago

lukeburns commented 4 years ago

This seems like a great project. I notice in your documentation you recommend storing access tokens in local storage, which sounds like a bad idea [1], especially if using Authpack's payments feature. Do you plan to implement secure session management (e.g. along the lines of Auth0)?

In particular, see [1]. "If you have a single-page app (SPA) with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence. To make API calls, your SPA would then use the in-memory copy of the token." Auth0 stores sessions on its servers and SPAs simply make silent reauthorization requests when tokens are wiped from memory (e.g. when the page is refreshed) [2]. They also implement PKCE [3] to protect against token interception attacks.

[1] https://auth0.com/docs/tokens/guides/store-tokens
[2] https://auth0.com/blog/introducing-auth0-single-page-apps-spa-js-sdk/#Behind-the-Curtain
[3] https://tools.ietf.org/html/rfc7636

jackrobertscott commented 2 years ago

Hey @lukeburns, my reply is so late to this message that it's probably no longer useful. But I would like to reply because the programming problem is interesting. As you mentioned, Auth0 advocates the use of session cookies as opposed to local storage for persistent data storage. They say that local storage is less secure than session storage.

Writing document.cookie is just as easy as writing localStorage.getItem('myCat'). Neither of these options is secure against XSS. I can tell you right now that the moment a developer can inject any JavaScript into your website or application, all of your data is vulnerable.

The only true fix to the problem is to completely avoid using external dependencies. Never inject any code from an external dependency. And even when you think you can make an exception because you trust the developer of an external package, you may still be at risk because their package may have sub-dependencies which could be untrustworthy.

Furthermore, the attack may not even come from the website itself. Any extensions installed on your browser can read all of the data. Browser extensions are far more dangerous to your web security than malicious application packages. What you may think is a simple extension that gives you easy-to-use coupons on your websites may actually be maliciously reading all of your internet traffic and stealing all of your passwords and private information. That's why I would recommend using as few extensions as possible if you are concerned about your security.

When I developed Authpack, I avoided the use of external dependencies as much as possible. I wrote most of the code custom. Every day I focus on reducing my dependence on external dependencies to improve the security of my users.

Kind regards, Jack