---
issue: 081
title: "Frontend: auth tokens stored in localStorage — XSS-accessible"
severity: medium
domain: Authentication
labels: [security, frontend, session]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: auth tokens stored in localStorage — XSS-accessible

**Severity:** medium
**Domain:** Authentication
**Labels:** security, frontend, session

## Description

`src/auth/context/jwt/action.ts:100` stores both the access and the refresh token in `localStorage`. Any XSS vulnerability in the frontend can read these tokens and use them to impersonate the user. The risk is compounded by the lack of a Content-Security-Policy header (see ISSUE-083).

## Options

1. Move the refresh token to an HttpOnly cookie and keep the short-lived access token in memory only — strong, but requires backend cookie handling plus CSRF work.
2. Keep `localStorage` but add a strict CSP and output sanitization to reduce the XSS surface — cheaper, weaker.
3. Full cookie-based session with `SameSite=strict` — strongest, but the largest change to the axios and socket auth code.

## Recommendation

Plan a migration to an HttpOnly refresh cookie plus an in-memory access token, coordinated with the backend. This is a large, cross-cutting change that breaks many call sites — treat it as a deliberate project.

## Affected Files

- `frontend/src/auth/context/jwt/action.ts:100`
- `frontend/src/lib/axios.ts` — auth header injection

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-4
- [[ISSUE-083-frontend-no-content-security-policy-header-in-next-config|ISSUE-083]]
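The recommended pattern (option 1) in working form, as an added example that is not the project's own code: the access token is held only in module memory and attached by interceptor-style logic, the refresh token is issued as an `HttpOnly; Secure; SameSite=Strict` cookie scoped to the refresh endpoint, and a small parser verifies those attributes. The cookie name `refresh_token` and the path `/api/auth/refresh` are assumptions.

```typescript
// Added example (not the project's code). Cookie name and refresh path are assumed.

// --- Frontend side: the access token lives only in module memory -------------
let accessToken: string | null = null;

function setAccessToken(token: string | null): void {
  // No localStorage/sessionStorage write on purpose: a reload drops the token and
  // the app re-obtains one through the refresh cookie instead of from storage.
  accessToken = token;
}

// Equivalent of an axios request interceptor: bearer header comes from memory only.
function attachAuthHeader(headers: Record<string, string>): Record<string, string> {
  if (accessToken === null) return { ...headers };
  return { ...headers, Authorization: `Bearer ${accessToken}` };
}

// --- Backend side: how the refresh token cookie must be issued ----------------
function buildRefreshCookie(token: string, maxAgeSeconds: number): string {
  return [
    `refresh_token=${encodeURIComponent(token)}`,
    'Path=/api/auth/refresh', // sent only to the refresh endpoint, nowhere else
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',               // invisible to document.cookie, so XSS cannot read it
    'Secure',                 // never sent over plain HTTP
    'SameSite=Strict',        // not attached to cross-site requests (CSRF mitigation)
  ].join('; ');
}

// --- Check: parse a Set-Cookie value and confirm the hardening attributes -----
function parseSetCookie(header: string): Record<string, string | true> {
  const attrs: Record<string, string | true> = {};
  for (const part of header.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [rawKey, ...rest] = trimmed.split('=');
    attrs[(rawKey ?? '').toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return attrs;
}

function isHardenedRefreshCookie(header: string): boolean {
  const a = parseSetCookie(header);
  return a.httponly === true && a.secure === true &&
    String(a.samesite).toLowerCase() === 'strict';
}
```

`isHardenedRefreshCookie` is the kind of assertion worth putting in the backend's auth tests so the attributes cannot silently regress during the migration.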