Comments (16)
Thanks @lukeocodes
The samples and docs are indeed being updated to reflect the new SDK and guidance in this area. If you're interested in an early look, the new samples live here: https://github.com/auth0-samples/auth0-spa-js-react-samples. We'd appreciate any feedback you might have!
Bear in mind that the SDK itself is still in beta and subject to change; any changes might also affect the associated documentation before general release.
Yes it is, here
https://github.com/auth0-samples/auth0-react-samples/blob/embedded-login/02-Custom-Login-Form/src/Auth/Auth.js
@emrbzr That's an out-of-date stale branch you're looking at there, which has deviated from master and contains references to old guidance, particularly around local storage. Apologies for the confusion, the branch has now been removed.
I propose that we have a consensus that even providing examples of insecure localStorage is something that should be rejected.
@dawsbot That is absolutely true and I apologise for the confusion. Such samples should be removed and thanks for calling it out!
@dawsbot Absolutely agree. We're trying to be mindful of this going forward, and keeping old documentation up to date with changing guidance has been a bit of a task, but we're getting there. The old SDK is still being maintained for the foreseeable future.
Closing this for now as I think the discussion has run its course, but if anyone feels like there's more to talk about, please feel free to re-open or create another issue.
@dawsbot Yes it is, and you can find them at https://github.com/auth0/docs/. You are able to submit PRs there for anything you feel is in error, which will then be reviewed.
In the case of `localStorage` vs `sessionStorage`, is it not the case that both are still vulnerable to XSS? This is one of the key drivers for moving away from local storage.
I agree, this apparently needs updating since other Auth0 employees have advised against storing access tokens in `localStorage`/cookies.
I'm finding over and over at startups (I consult) that everyone is copy-pasting the example code with `localStorage` into production.
Please replace this in order to truly stand behind your goal of security in your product.
Thanks for the nudge @dawsbot
The guides and examples are being updated. @elkdanger may be able to better highlight this internally, as I have now left Auth0.
When can we get an update to this for the custom login? Or any suggested actions? Thanks.
@emrbzr - Here's a good blog post that shows how.
Is this still the case? The only thing stored in local storage is the `isLoggedIn` flag: https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/Auth/Auth.js#L54
EDIT: the code linked by the OP is no longer in this codebase. In fact, nowhere in this codebase is an insecure use of `localStorage` any longer. Yet, the insecure code examples storing `access_token` in `localStorage` are still public on Auth0 tutorials.
Can we get some opinions from the core maintainers? I propose that we have a consensus that even providing examples of insecure `localStorage` is something that should be rejected.
The primary recent contributors are @lukeocodes, @paulioceano, @luisrudge, and @chenkie.
Sounds like a decent approach @elkdanger, thank you for the quick response on this! Something I'd like to highlight is that with all software, folks will be on the "old" version for years from now. And documentation for that will last for years as well.
So although this sparkly new API sounds nice, it doesn't affect the applications that are on "old" auth0.js and will be forever like my current project and all the ones I've ever done.
Is the documentation that has the less preferred `localStorage` open-source? Sharing that responsibility with the community might make maintaining it an easier task. I for one would go PR a fix for this `localStorage` -> `sessionStorage` 🙌
@elkdanger Thanks for informing us and removing the outdated branch. Are we going to get another updated example about custom login? I think a lot of startups, which were also mentioned previously, are using the custom login solution. So it might help :)
@elkdanger is right. `sessionStorage` is just as vulnerable. The vulnerability lies in the discoverability of data in storage.
@dawsbot I'd recommend this article where you can see that malicious code can loop over storage to return keys and values. This makes it vulnerable to mass and generic trawling style attacks that seek vulnerabilities automatically.
All great points here, I'm happy we're having a community discussion on this. To address your thoughts @lukeocodes, wouldn't a secure solution require http cookies? That sounds like something auth0 would need to go do.
Does the shiny new SDK provide tokens ONLY via cookies @elkdanger? I think that's the consensus we're reaching here, but correct me if I'm misunderstanding.
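The two comments above make one point each: any script on the page can walk `localStorage` and `sessionStorage` with the standard Storage API, and the alternative that keeps a credential out of script reach is an HttpOnly cookie. The following is an added example written for this thread (it is not code from auth0-react-samples, auth0.js or the new SDK): an audit helper you can run in a browser console against your own app's storage to spot copy-pasted token storage, plus a `Set-Cookie` builder showing the attributes an HttpOnly session cookie needs. `MemoryStorage`, the `JWT_SHAPE`/`SUSPICIOUS_KEY` heuristics and the sample entries are all constructed here so the code runs offline in Node.

```javascript
// Minimal Storage-like mock so the audit runs in Node (constructed for this
// example); in a browser, pass the real window.localStorage or
// window.sessionStorage instead.
class MemoryStorage {
  constructor(entries = {}) { this._map = new Map(Object.entries(entries)); }
  get length() { return this._map.size; }
  key(i) { return Array.from(this._map.keys())[i] ?? null; }
  getItem(k) { return this._map.has(k) ? this._map.get(k) : null; }
  setItem(k, v) { this._map.set(k, String(v)); }
}

// Three base64url segments separated by dots: the shape of a JWS/JWT.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
// Key names that usually mean a credential was parked in Web Storage.
const SUSPICIOUS_KEY = /(token|jwt|secret|auth|refresh)/i;

// Walk every entry using only the standard Storage API (length / key /
// getItem). This is the loop the thread refers to: both localStorage and
// sessionStorage expose everything to whatever script runs on the page, so
// an XSS payload can read it exactly as this audit does.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const reasons = [];
    if (JWT_SHAPE.test(value)) reasons.push('value looks like a JWT');
    if (SUSPICIOUS_KEY.test(key)) reasons.push('key name suggests a credential');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Builds a Set-Cookie header value for the server side of the cookie-based
// alternative. HttpOnly keeps the cookie out of document.cookie (and so out
// of any storage-trawling script); Secure and SameSite limit where the
// browser sends it. The value should be an opaque session id that the
// backend maps to the tokens, never the access token itself.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,]/.test(value)) throw new Error('cookie value must not contain whitespace, ";" or ","');
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Constructed sample data mimicking what a copy-pasted sample leaves behind:
// a harmless UI flag next to an access token that should never be here.
const sample = new MemoryStorage({
  isLoggedIn: 'true',
  access_token: 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl',
  theme: 'dark',
});

console.log(auditStorage(sample));
// [ { key: 'access_token', reasons: [ 'value looks like a JWT', 'key name suggests a credential' ] } ]
console.log(buildSessionCookie('sid', 'opaque-session-id-123'));
// sid=opaque-session-id-123; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax
```

In a real app, run `auditStorage(window.localStorage)` and `auditStorage(window.sessionStorage)` from the console after logging in; an empty result for both is the state the thread is asking the samples to demonstrate. Note that the `isLoggedIn` flag the thread mentions is not flagged, since a boolean UI hint carries no credential.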