Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Retrieve token from cookie instead of query string param

See original GitHub issue

Versions

VSF 1.11
VSF API 1.11

Bug or feature request

Feature request

Detail

Currently, VSF API requires VSF to send a token for most of authenticated requests (cart, order, etc.).

This token is stored in the browser’s local storage, which may easily be retrieved using XSS injection for instance.

A more secure approach may be using cookies to pass this token between VSF and VSF API:

VSF API sends a Set-Cookie header with the token, and strong policy (httponly, secure, samesite, etc.)
VSF (transparently) sends a Cookie header with all VSF API requests

What do you guys think?

Issue Analytics

State:
Created 3 years ago
Reactions:3
Comments:5 (4 by maintainers)

Top GitHub Comments

1reaction

lukeromanowiczcommented, Aug 27, 2020

Actually the goal behind the issue hasn’t been achieved. The point of storing tokens in cookies is that JavaScript can’t access the tokens so even in case of XSS it should stay secure. During the login, the token should be saved in a cookie flagged with same-site, secure and HTTPonly. JavaScript should only be notified of how long that token is supposed to last.

Mentioned PR changed the token transportation method, but the main goal (moving from insecure storage to a secure one) has not been achieved.

1reaction

pkarwcommented, Aug 27, 2020

Hi guys, the tokens can be now pass via Header: but we didn’t find much value in storing them in cookies vs. localStorage. So this option hasn’t been implemented. This PR: https://github.com/DivanteLtd/vue-storefront/pull/4626