
Comments (16)

stevehobbsdev avatar stevehobbsdev commented on June 18, 2024 2

Thanks @lukeocodes

The samples and docs are indeed being updated to reflect the new SDK and guidance in this area. If you're interested in an early look, the new samples live here: https://github.com/auth0-samples/auth0-spa-js-react-samples. We'd appreciate any feedback you might have!

Bear in mind that the SDK itself is still in beta and subject to change; any changes might also affect the associated documentation before general release.

Yes it is, here
https://github.com/auth0-samples/auth0-react-samples/blob/embedded-login/02-Custom-Login-Form/src/Auth/Auth.js

@emrbzr That's an out-of-date stale branch you're looking at there, which has deviated from master and contains references to old guidance, particularly around local storage. Apologies for the confusion; the branch has now been removed.

I propose that we have a consensus that even providing examples of insecure localStorage is something that should be rejected.

@dawsbot That is absolutely true and I apologise for the confusion. Such samples should be removed and thanks for calling it out!

from auth0-react-samples.

stevehobbsdev avatar stevehobbsdev commented on June 18, 2024 2

@dawsbot Absolutely agree. We're trying to be mindful of this going forward, and keeping old documentation up to date with changing guidance has been a bit of a task, but we're getting there. The old SDK is still being maintained for the foreseeable future.

Closing this for now as I think the discussion has run its course, but if anyone feels like there's more to talk about, please feel free to re-open or create another issue.


stevehobbsdev avatar stevehobbsdev commented on June 18, 2024 2

@dawsbot Yes it is, and you can find them at https://github.com/auth0/docs/. You are able to submit PRs there for anything you feel is in error, which will then be reviewed.

In the case of localStorage vs sessionStorage, is it not the case that both are still vulnerable to XSS? This is one of the key drivers for moving away from local storage.


coryhouse avatar coryhouse commented on June 18, 2024 1

I agree, this apparently needs to be updated, since other Auth0 employees have advised against storing access tokens in localStorage/cookies.


dawsbot avatar dawsbot commented on June 18, 2024 1

I'm finding over and over at startups (I consult) that everyone is copy-pasting the example code with localStorage into production.

Please replace this in order to truly stand behind your goal of security in your product.


lukeocodes avatar lukeocodes commented on June 18, 2024 1

Thanks for the nudge @dawsbot

The guides and examples are being updated. @elkdanger may be able to better highlight this internally, as I have now left Auth0.


emrbzr avatar emrbzr commented on June 18, 2024

When can we get an update to this for the custom login? Or any suggested actions? Thanks.


coryhouse avatar coryhouse commented on June 18, 2024

@emrbzr - Here's a good blog post that shows how.


vnugent avatar vnugent commented on June 18, 2024

Is this still the case? The only thing stored in local storage is the isLoggedIn flag: https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/Auth/Auth.js#L54


emrbzr avatar emrbzr commented on June 18, 2024

Is this still the case? The only thing stored in local storage is the isLoggedIn flag: https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/Auth/Auth.js#L54

Yes it is, here

https://github.com/auth0-samples/auth0-react-samples/blob/embedded-login/02-Custom-Login-Form/src/Auth/Auth.js


dawsbot avatar dawsbot commented on June 18, 2024

EDIT: the code linked by the OP is no longer in this codebase. In fact, nowhere in this codebase is an insecure use of localStorage any longer. Yet, the insecure code examples storing access_token in localStorage are still public on Auth0 tutorials.

Can we get some opinions from the core maintainers? I propose that we have a consensus that even providing examples of insecure localStorage is something that should be rejected.

The primary recent contributors are @lukeocodes, @paulioceano, @luisrudge, and @chenkie.


dawsbot avatar dawsbot commented on June 18, 2024

Sounds like a decent approach @elkdanger, thank you for the quick response on this! Something I'd like to highlight is that with all software, folks will be on the "old" version for years from now. And documentation for that will last for years as well.

So although this sparkly new API sounds nice, it doesn't affect the applications that are on "old" auth0.js and will be forever like my current project and all the ones I've ever done.


dawsbot avatar dawsbot commented on June 18, 2024

Is the documentation that has the less preferred localStorage open-source? Sharing that responsibility with the community might make maintaining it an easier task. I for one would go PR a fix for this localStorage -> sessionStorage 🙌


emrbzr avatar emrbzr commented on June 18, 2024

@elkdanger Thanks for informing us and removing the outdated branch. Are we going to get another updated example about custom login? I think a lot of startups, which were also mentioned previously, are using the custom login solution. So it might help :)


lukeocodes avatar lukeocodes commented on June 18, 2024

@elkdanger is right. sessionStorage is just as vulnerable. The vulnerability lies in the discoverability of data in storage.

@dawsbot I'd recommend this article, where you can see that malicious code can loop over storage to return keys and values. This makes it vulnerable to mass and generic trawling-style attacks that seek vulnerabilities automatically.

from auth0-react-samples.

dawsbot avatar dawsbot commented on June 18, 2024

All great points here, I'm happy we're having a community discussion on this. To address your thoughts @lukeocodes, wouldn't a secure solution require http cookies? That sounds like something auth0 would need to go do.

Does the shiny new SDK provide tokens ONLY via cookies @elkdanger ? I think that's the consensus we're reaching here, but correct me if I'm misunderstanding.

