react-auth-kit / react-auth-kit

Powerful Auth Management library for ReactJs-based applications
https://authkit.arkadip.dev
MIT License
561 stars, 87 forks

why sessionStorage is not in scope for token storage in react-auth-kit. #1877

Open Hari-sankoju opened 1 month ago

Hari-sankoju commented 1 month ago

I believe cookies are not safe and are vulnerable. Internal storage is also available in the browser forever if the user won't log out and just closes the browser. So my question is: why is sessionStorage not in scope for token storage in react-auth-kit?

I am able to copy the token from Developer Tools -> Application tab, either from cookies or from internal storage. How can we protect the cookies so that the user cannot see or copy the token? Is there any way to store the token in internal storage but encrypted?

amabilee commented 3 weeks ago

React-auth-kit doesn't support sessionStorage for token storage due to its specific implementation and design choices.

For storing tokens in a more secure manner, consider using IndexedDB to encrypt tokens before storing them. This way, even if someone accesses the storage, they won't be able to read the token without the decryption key.

If you want to protect tokens stored in cookies, you can:

  1. Set the HttpOnly flag to prevent JavaScript access.
  2. Use the Secure flag to ensure cookies are only sent over HTTPS.
  3. Set the SameSite attribute to prevent cross-site requests.

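
As an added example (not code from react-auth-kit or from this thread), the following Node script builds a Set-Cookie header carrying the three attributes listed above and audits any Set-Cookie header for them, putting a weak cookie beside the hardened one. The cookie name `_auth` and the token value are constructed samples; `buildTokenCookie`, `parseSetCookie` and `auditTokenCookie` are names chosen here. Since an HttpOnly cookie is by definition unreadable from page JavaScript, the header has to be emitted by the server, which is where this code would run.

```javascript
// Added example, not react-auth-kit code: build a hardened Set-Cookie header for a
// session token and audit an arbitrary Set-Cookie header for HttpOnly, Secure and
// SameSite. Runs under Node; a real app emits the header from its server.

// Build a Set-Cookie header value. Options default to the hardened setting.
function buildTokenCookie(name, value, opts = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = 'Strict', // 'Strict' | 'Lax' | 'None'
    path = '/',
    maxAgeSeconds = 3600,
  } = opts;
  if (/[;=\s]/.test(name) || /[;\s]/.test(value)) {
    throw new Error('cookie name/value must not contain ";", "=" or whitespace');
  }
  if (sameSite === 'None' && !secure) {
    // Browsers reject SameSite=None cookies that are not also Secure.
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAgeSeconds}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs }; attribute names are lower-cased,
// flag attributes (HttpOnly, Secure) map to true, valued ones to their string value.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of problems with a token cookie; an empty array means it passes.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly: document.cookie can read the token');
  if (!attrs.secure) problems.push('missing Secure: token is sent over plain HTTP');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (!ss) problems.push('missing SameSite: browser default may be Lax or None');
  else if (ss === 'none') problems.push('SameSite=None: cookie is sent on cross-site requests');
  return problems;
}

// Constructed sample headers: the weak setting beside the hardened one.
const WEAK_COOKIE = '_auth=eyJhbGciOi.example.token; Path=/';
const HARDENED_COOKIE = buildTokenCookie('_auth', 'eyJhbGciOi.example.token');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(HARDENED_COOKIE);
  console.log('weak:', auditTokenCookie(WEAK_COOKIE));
  console.log('hardened:', auditTokenCookie(HARDENED_COOKIE));
}
```

Run it with node: the weak cookie reports three problems, the hardened one none. SameSite=None is flagged because it re-enables cross-site sending; a Strict cookie is not attached to any cross-site request, a Lax cookie only to top-level navigations.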
Hari-sankoju commented 3 weeks ago

Can you provide a sample piece of code on how to use IndexedDB to store the token instead of localStorage, and how we can tell react-auth-kit to look in that storage?

Hari-sankoju commented 3 weeks ago

Is there any option to encrypt the token before storing it in localStorage so that an external user cannot use that token anywhere? Is there any way to do that?

amabilee commented 3 weeks ago

For using IndexedDB look here : https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API/Using_IndexedDB

You can use crypto-js for encryption, although it is currently discontinued: https://github.com/brix/crypto-js