paulvanbladel / aurelia-auth

:key: Authentication plugin for aurelia

Storage of authentication details fails in Safari when using Private Window #160

Open chriswait opened 7 years ago

chriswait commented 7 years ago

Background:

When Safari is in Private Window mode, localStorage is disabled by design (https://github.com/marcuswestin/store.js/issues/42, https://spin.atomicobject.com/2013/01/23/ios-private-browsing-localstorage/). It appears that conventional checks will report localStorage exists, but calling setItem will cause an error as it only exists in a read-only capacity. These checks are currently conducted in https://github.com/paulvanbladel/aurelia-auth/blob/master/src/storage.js#L16

Issue:

The storage implementation in aurelia-auth tests to see if localStorage is available, but is unable to detect that it is essentially disabled due to Private Window mode.

Thus, when the user attempts to log in, we see the following message in the console: `QuotaExceededError: DOM Exception 22: An attempt was made to add something to storage that exceeded the quota.` This error is produced during the set operation in https://github.com/paulvanbladel/aurelia-auth/blob/master/src/storage.js#L12, as we are storing the authentication details coming from the login (the state, in my case).

Potential Mitigation

When checking to see if localStorage exists, aurelia-auth/src/storage.js could also check to see if it is able to write a value to localStorage and read this value back. I'm unsure of what the desired behaviour would be in this case.

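One way to implement the write-and-read-back probe proposed above, together with the fallback chain the thread goes on to discuss (sessionStorage, then cookies, then an in-memory last resort). This is an added example, not code from aurelia-auth's storage.js: the probe key, the `MemoryStorage` and `CookieStorage` classes, the `selectStorage` helper and the fake document/storage objects that stand in for Safari Private Window are all assumptions constructed for the demo.

```javascript
// Added example (not aurelia-auth code): probe whether a Web Storage object
// really accepts writes, and fall back when it does not. Safari Private Window
// exposes localStorage/sessionStorage but setItem throws QuotaExceededError (22).

const PROBE_KEY = '__aurelia_auth_storage_probe__'; // assumed key name for the probe

// True only if `storage` exists and a setItem/getItem/removeItem round trip works.
function isStorageUsable(storage) {
  if (!storage) return false;
  try {
    storage.setItem(PROBE_KEY, PROBE_KEY);
    const readBack = storage.getItem(PROBE_KEY) === PROBE_KEY;
    storage.removeItem(PROBE_KEY);
    return readBack;
  } catch (e) {
    // setItem throwing (QuotaExceededError, or SecurityError when storage is
    // blocked by policy) means the backend is read-only or unavailable.
    return false;
  }
}

// Minimal in-memory backend with the Storage subset aurelia-auth's storage.js uses.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Cookie-backed backend (the long-term option discussed in the thread). `doc`
// is anything exposing a document.cookie-style string; in a browser pass `document`.
class CookieStorage {
  constructor(doc) { this.doc = doc; }
  getItem(key) {
    const prefix = encodeURIComponent(key) + '=';
    for (const part of this.doc.cookie.split('; ')) {
      if (part.startsWith(prefix)) return decodeURIComponent(part.slice(prefix.length));
    }
    return null;
  }
  setItem(key, value) {
    // No Expires/Max-Age: a session cookie, cleared when the window closes.
    // SameSite=Strict keeps it off cross-site requests; add "; Secure" on HTTPS.
    this.doc.cookie = `${encodeURIComponent(key)}=${encodeURIComponent(value)}; path=/; SameSite=Strict`;
  }
  removeItem(key) {
    this.doc.cookie = `${encodeURIComponent(key)}=; path=/; max-age=0`;
  }
}

// Try candidates in order ([name, storage] pairs); last resort is memory, which
// gives predictable behaviour instead of a QuotaExceededError at login time.
function selectStorage(candidates) {
  for (const [name, storage] of candidates) {
    if (isStorageUsable(storage)) return { name, storage };
  }
  return { name: 'memory', storage: new MemoryStorage() };
}

// ---- Constructed test doubles (stand-ins for browser objects, not real ones) ----

// A localStorage that exists but rejects writes, as Safari Private Window does.
function makeSafariPrivateStorage() {
  const err = new Error('QuotaExceededError: DOM Exception 22: An attempt was made to add something to storage that exceeded the quota.');
  err.name = 'QuotaExceededError';
  err.code = 22;
  return { getItem() { return null; }, setItem() { throw err; }, removeItem() {} };
}

// A tiny document.cookie emulation: the setter stores or deletes one cookie,
// the getter returns "k=v; k2=v2" like a real browser.
function makeFakeDocument() {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const key = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      const expired = attrs.some((a) => /^max-age=0$/i.test(a));
      if (expired) jar.delete(key); else jar.set(key, value);
    },
  };
}

function demo() {
  const normal = selectStorage([
    ['localStorage', new MemoryStorage()],
    ['sessionStorage', new MemoryStorage()],
  ]);
  const safariPrivate = selectStorage([
    ['localStorage', makeSafariPrivateStorage()],
    ['sessionStorage', makeSafariPrivateStorage()],
    ['cookie', new CookieStorage(makeFakeDocument())],
  ]);
  const nothing = selectStorage([]);
  return { normal: normal.name, safariPrivate: safariPrivate.name, nothing: nothing.name };
}

console.log(demo());
```

Two caveats for anyone adopting the cookie fallback: a cookie written from JavaScript cannot be HttpOnly, so it is exactly as exposed to XSS as a token in localStorage, and unlike localStorage it is attached to requests automatically, which is why the example sets SameSite=Strict. The session-cookie form (no Expires or Max-Age) matches the "until the browser window is closed" behaviour described later in the thread.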

liamdawson commented 7 years ago

@chriswait can you set/modify cookies from JS in Safari when in private mode? That could mitigate the storage aspect, so it could fallback to cookie storage if local storage is unavailable.

chriswait commented 7 years ago

@liamdawson Yeah, they can be set/modified, and they're cleared when the private window is closed.

The base config uses localStorage as the default storage (https://github.com/paulvanbladel/aurelia-auth/blob/master/src/base-config.js#L37).

The Storage class only appears able to return localStorage and sessionStorage as the options for storage (lines 16 & 19 of https://github.com/paulvanbladel/aurelia-auth/blob/master/src/storage.js), leading me to believe cookies aren't currently supported in aurelia-auth.

I wondered if falling back to sessionStorage was an option, but it appears to have the same limitations in Safari as localStorage when in Private Browsing mode (http://stackoverflow.com/a/27081419/6031785).

At a minimum, improving the checking to cover the 'read only' case would at least result in a clearer error being reported by aurelia-auth. The long term solution looks like implementing cookies, which would provide storage at least until the browser window is closed.

chriswait commented 7 years ago

Just noticed that storing authentication details using cookies is already a feature request in issue #156 - if cookie-storage were to be implemented then adding some kind of graceful fallback would solve this issue.