XSS auth token attack #176

Open
Allcharles opened this issue Apr 9, 2020 · 1 comment
Labels: architecture (Architectural changes to the software), bug (Something isn't working), triage:medium (Medium priority issue or pull request)

Comments

@Allcharles (Contributor) wrote:

Storing the auth token in local storage is fine for now, however it leaves the site open to an XSS attack. Following something like this https://blog.angular-university.io/angular-jwt-authentication/ using HTTP cookies with XSRF protection may be another simple solution.

@Allcharles Allcharles added bug Something isn't working architecture Architectural changes to the software labels Apr 9, 2020
@Allcharles Allcharles self-assigned this Apr 9, 2020
@Allcharles Allcharles added the triage:medium Medium priority issue or pull request label Apr 9, 2020
@atruskie (Member) commented Apr 16, 2020:

I'm not convinced using cookies for storage is ideal - we expressly moved away from that concept years ago.

Ok I've done some reading:

  • http-only cookie + XSRF cookie token is ideal for SPA
    • given our relative lack of 3rd party scripts, local storage probably continues to be secure for now
    • with the exception of supply-chain attacks - but we can't protect against that with these mechanisms currently
  • JWT sent by Authorization header with bearer token ideal for non-SPA access
  • server should exclusively accept one of the above methods for a single request

The JWKS thing is interesting, we should add support in the server.
