Move auth tokens from localStorage to httpOnly cookies #24

Open
opened 2026-04-20 09:37:44 +00:00 by sharang · 0 comments
Owner

Problem

Auth tokens and tenant identifiers are stored in localStorage:

  • lib/sdk/academy/api-courses.ts stores authToken in localStorage
  • lib/sdk/dsr/api-types.ts reads X-User-ID and X-Tenant-ID from localStorage

localStorage is accessible to any JavaScript running on the page. An XSS vulnerability anywhere in the app allows an attacker to exfiltrate tokens and impersonate users.

Required Actions

  1. Move authToken to an httpOnly, Secure, SameSite=Strict cookie set by the backend on login
  2. Remove X-User-ID from frontend entirely — derive from JWT on the backend
  3. After #5 (tenant isolation fix): X-Tenant-ID is no longer needed on the frontend
  4. Update the frontend to rely on the cookie implicitly — no explicit token management in JS code
  5. Update CORS config (#8) to include allow_credentials=True with explicit origins

Acceptance Criteria

  • localStorage contains no token or tenant data
  • document.cookie does not show the auth token (httpOnly flag)
  • Authenticated API calls work via cookie without explicit Authorization header
  • Depends on: #4, #5, #8
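As an added example (not the project's code, and not taken from this issue): a standard-library Python sketch of the backend side of the five actions above, covering cookie issuance (action 1), deriving user and tenant from the JWT instead of client headers (actions 2 and 3), a request path that needs no Authorization header (action 4) and a credentialed CORS check with explicit origins (action 5). It assumes an HS256-signed JWT carrying `sub` and `tenant` claims; the cookie name `authToken` comes from the issue, while the function names, the secret and the sample origins are hypothetical.

```python
# Added example, not the project's own code. Stdlib only so it runs offline.
# Assumption: the backend mints an HS256 JWT with `sub` (user id) and
# `tenant` claims; "authToken" is the cookie name used in the issue.
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "authToken"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(user_id: str, tenant_id: str, secret: bytes, ttl: int = 3600) -> str:
    """Mint an HS256 JWT; its claims are the only source of identity."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "tenant": tenant_id, "exp": int(time.time()) + ttl}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(claims).encode())}")
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Check algorithm, signature and expiry; raise ValueError otherwise."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse alg confusion such as "none"
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def login_cookie_header(token: str, ttl: int = 3600) -> str:
    """Action 1: Set-Cookie value the login endpoint returns.
    HttpOnly keeps it out of document.cookie and localStorage entirely."""
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={ttl}; "
            "HttpOnly; Secure; SameSite=Strict")


def identity_from_request(headers: dict, secret: bytes) -> tuple:
    """Actions 2-4: user and tenant come from the cookie's JWT only.
    Any X-User-ID / X-Tenant-ID headers the client sends are ignored."""
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    if COOKIE_NAME not in cookies:
        raise PermissionError("not authenticated")
    claims = verify_token(cookies[COOKIE_NAME].value, secret)
    return claims["sub"], claims["tenant"]


def cors_headers(origin: str, allowed_origins: set) -> dict:
    """Action 5: credentialed CORS must echo an explicit origin, never '*'."""
    if "*" in allowed_origins:
        raise ValueError("wildcard origin is incompatible with credentials")
    if origin not in allowed_origins:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    secret = b"dev-only-secret"  # constructed; use a real secret in deployment
    tok = make_token("user-1", "tenant-a", secret)
    print(login_cookie_header(tok))
    # Client-supplied identity headers have no effect on the result.
    req = {"Cookie": f"{COOKIE_NAME}={tok}", "X-User-ID": "someone-else"}
    print(identity_from_request(req, secret))
    print(cors_headers("https://app.example", {"https://app.example"}))
```

On the frontend side this means the two listed files stop reading or writing localStorage, and cross-origin fetch calls carry `credentials: 'include'` so the browser attaches the cookie; because of the `Secure` flag the cookie is only sent over HTTPS, so local development needs TLS or a dev-only override.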
sharang added this to the M5: Frontend Hardening milestone 2026-04-20 09:37:44 +00:00
sharang added the frontend, security, severity: medium labels 2026-04-20 09:37:45 +00:00