DEV Community

Discussion on: How I Fixed JWT Security Flaws in 3 Steps

Renato Byrro Author

I believe this has already been discussed in the comments.

I'm not here to convince you of anything or prove anyone wrong. It's obvious that anyone can store anything in localStorage. If you're confident that storing sensitive credentials in it is perfectly fine, then it's not my responsibility to prove anything wrong or right... Just go for it.

Lassi Pulkkinen • Edited on

Oh, I didn't notice that comment before.

Regarding the house analogy, as long as JavaScript has some way to make authorized requests to the API server, the "valuables" (most prominently, access-protected data on the server) aren't really hidden, except for one of them, the token. That is, if you count that as a "valuable" in the first place. In normal circumstances, when the token is kept secure, its value can be thought of as the combined value of everything it grants access to. If an attacker can access the "valuables" without bearing the token themselves, it loses its value in the context of that attack, unless it has some intrinsic value besides the grant of access to protected data. One thing that could constitute this additional value is that with direct possession of a token the attacker can keep accessing the "valuables" after the vulnerability they used is patched or, if it's difficult to exploit, the user closes the browser tab in question. This, however, is a major part of what token expiration times are for, and best practice mandates having those be relatively short.

And, by "you are free to prove me wrong", I meant that I was genuinely interested to hear valid reasoning against what I said, not to underrate the likelihood of existence of such an argument. I'm not confident enough with my judging to take its output as fact, and I wanted to make it clear. I do admit that the way I expressed that was open to misinterpretation and thus problematic.

EDIT: Wait, this still sounds like I was somehow demanding you to argue against this. That's not what I meant. You are free, not responsible, to prove me wrong.