How to securely store JWT tokens - DEV Community
This is possible by storing it in a variable inside a closure. If it helps, think of it as roughly akin to a private variable inside a class.
Architecturally speaking, the only thing we ever need our session token for is sending an HTTP request, so we can design our closure to expose a fetch function that automatically appends the token value. The only other thing we need exposed is a way to set the token. After setting the token value, it is impossible to read it again.
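The closure design described above, written out as an added example (this is not the article's own code). The token lives in a local variable that only `setToken` and `authFetch` can reach; there is no property or getter that returns it, so script injected later on the page cannot read it back. The `baseFetch` parameter is an assumption made here so the same code runs in a browser (defaulting to `globalThis.fetch`) and against a stub offline.

```javascript
// Closure-based token store (added example, not the article's code).
// The token is a private variable: the returned object can set it and
// use it to send requests, but nothing can read it back out.
function createTokenClient(baseFetch = globalThis.fetch) {
  let token = null; // private to this closure

  return Object.freeze({
    // The only write path. Rejects anything that is not a non-empty string.
    setToken(value) {
      if (typeof value !== 'string' || value.length === 0) {
        throw new TypeError('token must be a non-empty string');
      }
      token = value;
    },

    // Logout / session end: drop the token without exposing it.
    clearToken() {
      token = null;
    },

    // Lets callers know whether a request will be authenticated,
    // without revealing the token itself.
    hasToken() {
      return token !== null;
    },

    // Same call shape as fetch(url, init). Adds Authorization only when a
    // token has been set; all other init options pass through unchanged.
    authFetch(url, init = {}) {
      const headers = new Headers(init.headers || {});
      if (token !== null) {
        headers.set('Authorization', `Bearer ${token}`);
      }
      return baseFetch(url, { ...init, headers });
    },
  });
}
```

Because the object is frozen and holds no `token` property, `client.token` is `undefined` and `JSON.stringify(client)` yields `{}`; the only way to make use of the value is to send a request through `authFetch`. An attacker with script execution on the page can still call `authFetch` themselves while the page is open, which is exactly the "XSS impact" trade-off the article is measuring, but they cannot lift the token out for later use.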
OAuth adds additional attack vectors without providing any additional value and should be avoided in favor of a traditional cookie-based approach. When the SPA calls multiple APIs that reside in a different domain, access, and optionally, refresh tokens are needed. A protocol needs to be established between the backend and the SPA to allow the secure transfer of the token from the backend to the SPA. If you have a SPA with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence.
Love the bypasses - keep 'em coming!

Service Workers are essentially in-browser proxy servers that execute in their own context and will persist between refreshes and new page loads. We can use a service worker to remember our session token for us and then send the session token for any network resources that require it.
First, we need to register the service worker on the pages that we want the service worker to monitor.
The actual ServiceWorker code is a bit more complex, but the core functionality should look similar to the Closure logic above.
To use the token, we can use the magic of service workers to intercept every single fetch call and determine if we need to add the token value. Go ahead and try it out on the PoC page. Close the page and refresh as well, then try sending the authenticated request without requesting a new token - the service worker remembers the previous token!
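The registration, token hand-off and fetch interception steps above, assembled into one added example of the worker-side logic (this is not the article's PoC code). The core is kept in plain functions so it can be exercised outside a browser; the event wiring at the bottom only runs when the file is loaded as a service worker. The message type `SET_TOKEN` and the protected API origin `https://api.example.test` are assumptions chosen for the example.

```javascript
// Service-worker token holder (added example, not the article's PoC).
// The token is kept in worker memory and attached only to requests for the
// API origin, so it never rides along on requests to other hosts.
const PROTECTED_ORIGIN = 'https://api.example.test'; // assumed API origin
const state = { token: null };

// Handle a message from the page. Only a well-formed SET_TOKEN is accepted.
// Returns true when the token was updated.
function onMessage(data) {
  if (data && data.type === 'SET_TOKEN' && typeof data.token === 'string' && data.token) {
    state.token = data.token;
    return true;
  }
  if (data && data.type === 'CLEAR_TOKEN') {
    state.token = null;
    return true;
  }
  return false;
}

// Attach the token only for same-origin API calls; everything else is untouched.
function shouldAttachToken(url) {
  try {
    return new URL(url).origin === PROTECTED_ORIGIN;
  } catch {
    return false;
  }
}

// Pure version of the interception step: returns the fetch init the worker
// would forward, with Authorization added when appropriate.
function withToken(url, init = {}) {
  if (state.token === null || !shouldAttachToken(url)) {
    return init;
  }
  const headers = new Headers(init.headers || {});
  headers.set('Authorization', `Bearer ${state.token}`);
  return { ...init, headers };
}

// Event wiring, active only inside a real service worker context.
if (typeof self !== 'undefined' && typeof self.skipWaiting === 'function') {
  self.addEventListener('install', () => self.skipWaiting());
  self.addEventListener('activate', (event) => event.waitUntil(self.clients.claim()));

  // The page posts { type: 'SET_TOKEN', token } after login.
  self.addEventListener('message', (event) => onMessage(event.data));

  // Intercept every fetch; rebuild the request with Authorization for the API.
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    if (state.token === null || !shouldAttachToken(req.url) || req.mode === 'navigate') {
      return; // let the browser handle it normally
    }
    const headers = new Headers(req.headers);
    headers.set('Authorization', `Bearer ${state.token}`);
    event.respondWith(fetch(new Request(req, { headers })));
  });
}
```

On the page side the corresponding steps are `navigator.serviceWorker.register('/sw.js')` once, then after login `navigator.serviceWorker.controller.postMessage({ type: 'SET_TOKEN', token })`. Two points worth checking in a real deployment: the browser may terminate an idle service worker and start a fresh one later, so in-memory state is not guaranteed to survive long idle periods (the page would then need to request a new token), and the origin check above is what keeps the token from being appended to requests for third-party hosts that happen to be fetched from the same page.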
If you can figure out an exploit please let me know! My goal was to demonstrate through as simple PoCs as possible what each option looks like, and then evaluate the XSS impact and persistence of each.