Why Novu Web Widget stores auth_token in local storage?
I don't understand why Novu Web Widget needs to store the auth token for APIs like /feed, /unread etc in local storage.
This is not a good practice, since someone running a malicious script in any app (where we are using the Novu Widget) can copy the local storage contents to their server.
The Novu token then allows the attacker to access all notification data of the subscriber.
Is there a way where the web widget can avoid local storage altogether or the only approach is to have our own implementation of web widget of Novu?
3 Replies
@Prateek Are you using @novu/notification-center or @novu/react?

@novu/notification-center
Hey Prateek
I have shared the issue with the team. @novu/notification-center indeed stores tokens in local storage.
We have launched a new inbox component, @novu/react, which is compatible with @novu/framework based workflows. In this new component, we use memory to store the token, so it is not available in local storage.
If you are not looking to migrate to the new inbox component, I would recommend building a custom in-app component using hooks from @novu/notification-center.