
Retrieve token from cookie instead of query string param

Open michael-bouvy opened this issue 4 years ago • 5 comments

Versions

  • VSF 1.11
  • VSF API 1.11

Bug or feature request

Feature request

Detail

Currently, VSF API requires VSF to send a token for most authenticated requests (cart, order, etc.).

This token is stored in the browser's local storage, which may easily be retrieved using XSS injection for instance.

A more secure approach may be using cookies to pass this token between VSF and VSF API:

  • VSF API sends a Set-Cookie header with the token, and strong policy (httponly, secure, samesite, etc.)
  • VSF (transparently) sends a Cookie header with all VSF API requests

What do you guys think?

michael-bouvy avatar Jun 23 '20 12:06 michael-bouvy

Hi Michael. You're right - by leveraging the same domain, secure cookie features this could be an interesting improvement.

By the way @gibkigonzo is working on a very simple change - a configurable option for passing the token via HTTP header (instead of GET parameter).

I guess it would be great to mix these two and have it configurable for the user @gibkigonzo.

pkarw avatar Jun 23 '20 15:06 pkarw

Hi @gibkigonzo, do you have an update regarding this topic? Thank you.

jonathanribas avatar Aug 27 '20 10:08 jonathanribas

As much as I agree that this feature should be present in VSF API, we can't remove the current solution because many clients do not support cookies (e.g. native mobile apps). I suggest both approaches be offered, with cookies suggested for more secure token storage.

lukeromanowicz avatar Aug 27 '20 10:08 lukeromanowicz

Hi guys, the tokens can now be passed via header, but we didn't find much value in storing them in cookies vs. localStorage, so this option hasn't been implemented. This PR: https://github.com/DivanteLtd/vue-storefront/pull/4626

pkarw avatar Aug 27 '20 10:08 pkarw

Actually the goal behind the issue hasn't been achieved. The point of storing tokens in cookies is that JavaScript can't access the tokens, so even in case of XSS it should stay secure. During the login, the token should be saved in a cookie flagged with SameSite, Secure and HttpOnly. JavaScript should only be notified of how long that token is supposed to last.

The mentioned PR changed the token transportation method, but the main goal (moving from insecure storage to a secure one) has not been achieved.

lukeromanowicz avatar Aug 27 '20 12:08 lukeromanowicz
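The cookie-based flow proposed in the opening post and detailed in the last comment (HttpOnly, Secure, SameSite cookie issued at login; header and query fallbacks kept for clients without cookie support), as an added Node.js example that is not code from vue-storefront-api. The cookie name `vsf-token`, the use of an `Authorization: Bearer` header for the header transport, and the `token` query parameter name are assumptions for illustration.

```javascript
// Added example, not vue-storefront-api code. Issues the session token as a
// hardened cookie and resolves it on incoming requests, keeping the header
// and legacy query-string transports for clients that cannot use cookies.
const COOKIE_NAME = 'vsf-token'; // assumed cookie name, not VSF's

// Build the Set-Cookie value with the policy discussed in the issue.
function buildTokenCookie(token, maxAgeSeconds) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`, // JS only needs to know the lifetime, not the value
    'Path=/',
    'HttpOnly',        // not readable via document.cookie, so XSS cannot read it
    'Secure',          // only sent over HTTPS
    'SameSite=Strict', // not attached to cross-site requests
  ].join('; ');
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the token for a request: cookie first, then the header transport
// (assumed here to be a Bearer token, the actual header from PR #4626 may
// differ), then the legacy query parameter. Returns {token, source} or null.
function resolveToken(req) {
  const cookies = parseCookies(req.headers['cookie']);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: 'cookie' };
  const auth = req.headers['authorization'];
  if (auth && auth.startsWith('Bearer ')) return { token: auth.slice(7), source: 'header' };
  const q = new URL(req.url, 'http://localhost').searchParams.get('token');
  if (q) return { token: q, source: 'query' };
  return null;
}
```

A login handler would call `buildTokenCookie` and set the result as the `Set-Cookie` response header; every authenticated route then calls `resolveToken` instead of reading `req.query.token` directly.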