Is it possible to store the token that is created after login into the browser localStorage?
I need to log in to the extension. I have a different flow as of now. But I'm wondering about having the user log in on the website and, once successful, updating the local store that the extension accesses for the token.
1 Reply
Hi @p4j4r5. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Yes, it is possible to store the authentication token in the browser's local storage after a successful login in a Wasp application. However, there are some important considerations and best practices to keep in mind:
1. By default, Wasp uses sessions for authentication and stores the session information in localStorage on the client side Wasp Auth Sessions (https://wasp-lang.dev/docs/auth/overview#sessions).
2. For Chrome extensions specifically, you can store the token in localStorage after a successful login on the website. The extension can then access this token from localStorage to authenticate API requests. However, this approach comes with security considerations Discord Thread (https://discord.com/channels/686873244791210014/1223328118278983680).
3. It's important to note that storing sensitive information like auth tokens in localStorage can be vulnerable to XSS attacks. There's an ongoing discussion in the Wasp community about potentially switching to more secure methods like HttpOnly cookies for token storage GitHub Issue (https://github.com/wasp-lang/wasp/issues/573).
4. If you decide to use localStorage, you can implement a custom storage solution. The Wasp team is considering providing a managed client storage solution that could help with securely storing and managing such data GitHub Issue (https://github.com/wasp-lang/wasp/issues/1082).
5. When implementing this approach, make sure to handle token invalidation properly. There are ongoing discussions about improving the behavior of token clearing on 401 responses to prevent unintended logouts GitHub Issue (https://github.com/wasp-lang/wasp/issues/1227).
While it's technically possible to store the token in localStorage for your extension to access, it's crucial to carefully consider the security implications and stay updated with best practices in authentication for web applications and extensions.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
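The flow the answer describes (website writes the token to localStorage, the extension picks it up, uses it for API calls, and drops it on a 401), as an added worked example in JavaScript. This is not code from Wasp, kapa.ai, or the original poster's extension. It assumes the web app stores its session token as a string (plain or JSON-encoded) under the localStorage key `wasp:sessionId`, and that the API lives at `https://app.example.com`; both the key name and the origin are assumptions to check against the real app. An extension cannot read a site's localStorage from its service worker, so a content script limited by the manifest `matches` to the app's origin reads it and forwards it to the service worker, which keeps its own copy in `chrome.storage.local`, where page scripts (and therefore XSS on the site) cannot reach it. The copy the site itself keeps in localStorage stays readable by any script on that origin, which is the XSS point the answer makes.

```javascript
// Added example, not Wasp's or the extension's own code.
const TOKEN_KEY = 'wasp:sessionId';          // assumed localStorage key; verify in DevTools
const API_BASE = 'https://app.example.com';  // hypothetical app/API origin

// --- 1. Content script (runs on the app origin, per manifest "matches") ---
// Read the token the web app wrote. Accept a JSON-encoded string or a raw string.
function readTokenFromPageStorage(storage, key = TOKEN_KEY) {
  const raw = storage.getItem(key);
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    return typeof parsed === 'string' ? parsed : null;
  } catch {
    return raw;  // not JSON: the app stored the bare token
  }
}

// Forward the token to the extension's service worker; returns what was sent.
function forwardToken(storage, sendMessage) {
  const token = readTokenFromPageStorage(storage);
  if (token) sendMessage({ type: 'SET_TOKEN', token });
  return token;
}

// --- 2. Service worker: keep the token out of web-readable storage ---
function createTokenStore(extStorage) {
  return {
    async set(token) { await extStorage.set({ token }); },
    async get() { return (await extStorage.get('token')).token ?? null; },
    async clear() { await extStorage.remove('token'); },
  };
}

// Only accept SET_TOKEN messages from a content script on the expected origin;
// any other extension page or a spoofed sender is ignored.
function handleMessage(store, msg, sender, allowedOrigin) {
  if (!sender || typeof sender.url !== 'string' || !sender.url.startsWith(allowedOrigin)) return false;
  if (msg && msg.type === 'SET_TOKEN' && typeof msg.token === 'string' && msg.token.length > 0) {
    store.set(msg.token);
    return true;
  }
  return false;
}

// --- 3. Authenticated fetch with invalidation on 401 ---
// Attach the Bearer header; on 401 clear the stored copy so the extension
// stops replaying a revoked session instead of silently retrying forever.
async function apiFetch(store, fetchImpl, path, init = {}) {
  const token = await store.get();
  const headers = { ...(init.headers || {}) };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetchImpl(`${API_BASE}${path}`, { ...init, headers });
  if (res.status === 401) await store.clear();
  return res;
}

// Wiring for a real extension; skipped when this file runs outside a browser.
if (typeof chrome !== 'undefined' && chrome.runtime) {
  if (typeof window !== 'undefined' && window.localStorage) {
    // content script context
    forwardToken(window.localStorage, (m) => chrome.runtime.sendMessage(m));
  } else if (chrome.storage) {
    // service worker context
    const store = createTokenStore(chrome.storage.local);
    chrome.runtime.onMessage.addListener((msg, sender) => handleMessage(store, msg, sender, API_BASE));
  }
}
```

The origin check in `handleMessage` and the manifest `matches` restriction are what keep an arbitrary site from handing the extension a token of its choosing; the 401 handling is the invalidation step the answer's point 5 refers to.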
Sorry @p4j4r5, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15mins?