angular-auth-oidc-client icon indicating copy to clipboard operation
angular-auth-oidc-client copied to clipboard

Published 20 hours ago verified publisher icon damienbod

Promise AbstractStorageProvider

Open jamesikanos opened this issue 5 years ago • 15 comments

I'm looking at creating a PWA so I'm using Refresh Tokens. I, therefore, desire to move away from the default SessionStorage implementation.

IndexedDB and the CacheStorage API (the current recommendations for storing data within PWA's) are only available as asynchronous promise-based APIs.

I would like the AbstractStorageProvider to implement promise-based methods for Read/Write. When being used with SessionStorage/LocalStorage these can simply be returned with empty promises, not affecting the existing implementations.

I've looked into use LocalStorage but this is no longer recommended. See here: https://dev.to/rdegges/please-stop-using-local-storage-1i04

Thank you

jamesikanos avatar Aug 12 '20 08:08 jamesikanos

@jamesikanos Thanks for reporting.

This is a good enhancement. We need this. @FabianGosebrink agree?

Greetings Damien

damienbod avatar Aug 28 '20 12:08 damienbod

This also allows using the cordova secure storage - https://github.com/pradeep1991singh/cordova-plugin-secure-key-store#readme

Johnnyrook777 avatar Feb 03 '21 01:02 Johnnyrook777

We wanted to redo the storage support anyway so I think this might be a good enhancement.

FabianGosebrink avatar Feb 03 '21 07:02 FabianGosebrink

Do you have any design goals on this? My current work-around is more than a bit of a kludge and I'll take a swing at implementing it.

jeffreyabecker avatar Apr 20 '21 23:04 jeffreyabecker

Just echoing support. I wrote an async storage class using Capacitor (using Ionic so like OP, local storage for refresh tokens isn't great) and their Storage plugin (see https://capacitorjs.com/docs/apis/storage ).

Here's what I wrote. To try and give you an idea of how people might implement an async provider. I'll just have to await v12 :)

import { Injectable } from '@angular/core';
import { AbstractSecurityStorage } from 'angular-auth-oidc-client';
import { Plugins } from '@capacitor/core';

@Injectable()
export class CapacitorStorage implements AbstractSecurityStorage {
  public async read(key: string): Promise<any> {
    const result = await Plugins.Storage.get({ key });
    return JSON.parse(result.value);
  }

  public async write(key: string, value: any): Promise<boolean> {
    await Plugins.Storage.set({ key, value: JSON.stringify(value) });
    return true;
  }

  public async remove(key: string): Promise<boolean> {
    await Plugins.Storage.remove({ key });
    return true;
  }
}

philjones88 avatar May 12 '21 09:05 philjones88

Hello!

I'm trying to store the refresh token using "keytar" in an Electron app. keytar only offers an asynchronous interface so... is this feature part of V12 or is it deplyed?

SSchwaiger avatar Jun 18 '21 14:06 SSchwaiger

Hi @SSchwaiger this will not make it in V12. We want to release V12 soon, and don't have the capacity to support this. The session storage and the local storage are synchronous which is the 95% use case of the lib. So supporting both synchronous and asynchronous would require a large effort to implement.

We do plan this feature but have no timeline.

Greetings Damien

damienbod avatar Jun 18 '21 15:06 damienbod

I stumbled upon this and want to react to the claim that LocalStorage is 'not secure'.

I've looked into use LocalStorage but this is no longer recommended. See here: https://dev.to/rdegges/please-stop-using-local-storage-1i04

This article claims that LocalStorage is not secure, because if you are vulnerable to an XSS attack, the attacker could read the contents of the storage. This is true, however, that doesn't mean that LocalStorage should never be used for storing sessions. It means that you need to protect against XSS attacks, which you also should do if you don't store sensitive stuff in LocalStorage. If you comply with the following rules, you won't be easily vulnerable to an XSS attack:

  • Use a proper Content-Security-Policy (without unsafe-* directive for the script-src). Don't use any external Javascript files, host them yourself.
  • Don't support Internet Explorer, or if you must, only IE >= 10, and add the header under the name X-Content-Security-Policy
  • Use Angular or an other SPA framework for developing the web app. With frameworks like Angular it is hard to introduce an XSS vulnerability.
  • Run the web app on its own (sub-)domain. This way only the web app can access the sensitive data, and the web app is protected by 2 very strong layers of security.

Also see this comment on the article.

marklagendijk avatar Sep 09 '21 07:09 marklagendijk

+1 for this feature

trytuna avatar Jun 06 '22 00:06 trytuna

@FabianGosebrink, I hope all is well!

Thank you for contributing as much as you do to this library. I understand this a breaking change, I was wondering if any progress has been made on this? Is this something that I could help complete? I am working on an Ionic application, and I would love to be able to persist the token to the native platform's storage.

I know this would be a large API change, anything I can do to help. Is this ticket on the roadmap for V14? V15?

evancjohnson avatar Sep 04 '22 02:09 evancjohnson

Is this issue still relevant? Ionic only supports Promises?

FabianGosebrink avatar Dec 08 '22 12:12 FabianGosebrink

Is this issue still relevant? Ionic only supports Promises?

IMO, I think at least supporting an observable implementation make sense so custom storage developers can choose to go down the async route or observable.

evancjohnson avatar Dec 08 '22 16:12 evancjohnson

Yes still relevant. We would love to use the Module in our App but we are using an Async Storage solution that is Promise based.

Spinnenzunge avatar Dec 08 '22 20:12 Spinnenzunge

Would be nice if we could use Capacitor Preferences or Capacitior Secure Storage to store Access Token securely.

mariusbolik avatar Jul 14 '23 11:07 mariusbolik