Conversation

@MylowMntr (Contributor)

No description provided.

Dark-Louis and others added 12 commits November 13, 2025 21:19
- Added a badge on the grade cards to display the subject
- Added more subjects
- Fix initial data sync race causing missing session on startup
- Set React Query persist maxAge to 30 days
- Allow webapp to run under /webapp by setting base path and router basename
- Added a cherry theme
- Added ocean and forest themes
- Fixed dark and oled hover color
- Add logs page
- Add localStorage logging
Data sync race fix, cache persistence, offline fallback, storage logs
 Cherry, pride, ocean and forest themes

function writeStorageLogs(logs: StorageLogEntry[]) {
    try {
        localStorage.setItem(STORAGE_LOGS_KEY, JSON.stringify(logs));
    } catch {
        // catch body not shown in the flagged snippet
    }
}

Check failure

Code scanning / CodeQL

Clear text storage of sensitive information (High)

This stores sensitive data returned by an access to password as clear text.

Copilot Autofix

AI 3 days ago

At a high level, the problem stems from persisting the raw password string in localStorage and then including storage operations involving that key in a generic logging mechanism. The correct fix is to avoid storing the password in clear text in localStorage; if a “remember me”–type mechanism is needed, we should instead store a non-sensitive token (for example, a flag or a server-issued opaque token) or at minimum ensure that the logging layer never logs values or fields that may contain passwords.

Given the constraints (we can only touch the shown snippets), the minimal and safest change that preserves intended behavior is:

  • Stop persisting the raw password in localStorage.
  • Replace the stored "password" entry with a non-sensitive flag indicating the user chose to persist the session (or remove it entirely if not needed).
  • Keep the rest of the logging mechanism unchanged so that it only logs metadata about keys and sizes, never the password value.

Concretely:

  1. In src/lib/api/aurion.ts:

    • Change setSession so it no longer calls saveToStorage("password", password). Instead, have it only store the email, and optionally a boolean/string flag such as "sessionPersisted": "true" if you need to track that.
    • Update getSession so it no longer reads "password" from storage. Since we cannot redesign the whole app, the simplest is to have getSession return null or a partial session when no in-memory password is available, avoiding long-term persisted credentials. If you want to keep auto-fill behavior, you would need an additional design using a secure token, but that is outside the shown snippets.
  2. In src/lib/utils/storage.ts:

    • The main security concern flagged is that tainted data flows into writeStorageLogs via appendStorageLog. Because StorageLogEntry currently does not capture the password value, and the fix in (1) stops storing the password at all, we do not need to modify writeStorageLogs itself. The logging will continue to log non-sensitive metadata only.
  3. In src/pages/secondary/login.tsx:

    • handleSubmit currently calls setSession(email, password) after a successful login. That will still compile after changing setSession’s implementation (since we keep the same signature) but will no longer persist the password in localStorage, only the email (and any non-sensitive flags we may store).

With this approach, no new imports or external libraries are needed. The only necessary edits are to setSession and getSession in src/lib/api/aurion.ts; the logging code in storage.ts remains structurally the same, but it will no longer ever be given a log entry that could contain actual password data because we avoid persisting the password.

Suggested changeset 1
src/lib/api/aurion.ts
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/api/aurion.ts b/src/lib/api/aurion.ts
--- a/src/lib/api/aurion.ts
+++ b/src/lib/api/aurion.ts
@@ -8,13 +8,14 @@
 
 export function getSession() {
     const email = getFromStorage("email");
-    const password = getFromStorage("password");
-    return email && password ? { email, password } : null;
+    // Do not persist or retrieve the password from storage to avoid clear-text credential storage.
+    return email ? { email } : null;
 }
 
 export function setSession(email: string, password: string) {
+    // Only persist non-sensitive session information (email).
+    // The password must not be stored in localStorage or any other long-term client-side storage.
     saveToStorage("email", email);
-    saveToStorage("password", password);
 }
 
 export function fetchUser({
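Review bot: the clear-text "password" entry that earlier builds already wrote to localStorage is never removed. This hunk stops writing and reading the key, but the value persisted before the fix stays on the user's disk until site data is cleared; setSession (or a one-off startup migration) should delete it, using a removeFromStorage("password") counterpart to getFromStorage if the storage helper has one, otherwise localStorage.removeItem("password"). Two smaller points in the same hunk: the password parameter of `export function setSession(email: string, password: string)` is now unused, so drop it from the signature so callers such as the setSession(email, password) call in login.tsx stop passing the secret at all; and getSession's return shape changes from `{ email, password }` to `{ email }`, so any caller that reads .password from the result now gets undefined and needs a separate path to obtain credentials, which the comment in the hunk should state.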
EOF
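The finding above and the autofix both hinge on two rules: a credential must never reach long-term client storage in clear text, and a storage log must record metadata (key, size, time) rather than values. The following is an added example written for this page; it is not code from the project, from the pull request, or from the Copilot suggestion. It assumes a minimal StorageLike interface with an in-memory MemoryStorage stand-in so it runs under Node rather than a browser, and the names SecureStorage, FORBIDDEN_KEYS, leaksSecret and the "sessionPersisted" flag are illustrative choices, not identifiers from the project. The legacySetSession function reproduces the pre-fix behaviour from the hunk for contrast.

```typescript
// Added example, not project code: a storage wrapper that refuses to persist
// credential-like keys and keeps a log of storage operations that records
// only metadata (key, value length, time), never values.

interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// Constructed stand-in for window.localStorage so the example runs under Node.
class MemoryStorage implements StorageLike {
  private items: Map<string, string> = new Map();
  getItem(key: string): string | null {
    const v = this.items.get(key);
    return v === undefined ? null : v;
  }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
  // Everything currently persisted, used by the leak check below.
  snapshot(): Record<string, string> { return Object.fromEntries(this.items); }
}

interface StorageLogEntry {
  action: "set" | "get" | "remove";
  key: string;
  size: number; // length of the value, never the value itself
  at: number;
}

// Keys that must never be written to long-term client storage in clear text (assumed list).
const FORBIDDEN_KEYS: ReadonlySet<string> = new Set(["password", "passwd", "pwd", "secret"]);

class SecureStorage {
  private backing: StorageLike;
  private logs: StorageLogEntry[] = [];
  private maxLogs: number;

  constructor(backing: StorageLike, maxLogs: number = 200) {
    this.backing = backing;
    this.maxLogs = maxLogs;
  }

  private log(action: StorageLogEntry["action"], key: string, size: number): void {
    this.logs.push({ action, key, size, at: Date.now() });
    if (this.logs.length > this.maxLogs) this.logs.shift(); // bounded ring of entries
  }

  save(key: string, value: string): void {
    if (FORBIDDEN_KEYS.has(key.toLowerCase())) {
      throw new Error(`refusing to persist credential key "${key}" in clear text`);
    }
    this.backing.setItem(key, value);
    this.log("set", key, value.length);
  }

  get(key: string): string | null {
    const v = this.backing.getItem(key);
    this.log("get", key, v === null ? 0 : v.length);
    return v;
  }

  remove(key: string): void {
    this.backing.removeItem(key);
    this.log("remove", key, 0);
  }

  // What a logs page would persist or display: metadata only.
  serializeLogs(): string { return JSON.stringify(this.logs); }
}

// Session helpers shaped like the patched setSession/getSession: the email is
// persisted, the password never is, and a stale "password" entry left behind
// by earlier builds is purged on the next login.
function setSession(store: SecureStorage, email: string): void {
  store.remove("password");
  store.save("email", email);
  store.save("sessionPersisted", "true");
}

function getSession(store: SecureStorage): { email: string } | null {
  const email = store.get("email");
  if (!email) return null;
  return store.get("sessionPersisted") === "true" ? { email } : null;
}

// Pre-fix behaviour from the flagged hunk, kept for contrast: clear-text password.
function legacySetSession(backing: StorageLike, email: string, password: string): void {
  backing.setItem("email", email);
  backing.setItem("password", password);
}

// Post-login check: the secret must appear neither in the backing store nor in the logs.
function leaksSecret(backing: MemoryStorage, store: SecureStorage, secret: string): boolean {
  const persisted = JSON.stringify(backing.snapshot());
  return persisted.includes(secret) || store.serializeLogs().includes(secret);
}
```

The deny-list on save() is the cheap guard that would have failed this pull request's code at development time rather than at code-scanning time; leaksSecret() is the kind of assertion worth keeping in the test suite for any "remember me" feature, since it catches both a direct clear-text write and a log that accidentally captures values.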
@MylowMntr MylowMntr merged commit 9d74bb0 into main Feb 3, 2026
3 of 4 checks passed
MylowMntr added a commit that referenced this pull request Feb 3, 2026
* Grades subject
- Added a badge on the grade cards to display the subject

* More subjects
- Added more subjects

* Data sync race fix
- Fix initial data sync race causing missing session on startup

* Cache persistence
- Set React Query persist maxAge to 30 days

* Offline fallback
- Allow webapp to run under /webapp by setting base path and router basename

* Cherry theme
- Added a cherry theme

* Pride theme

* Ocean and forest themes
- Added ocean and forest themes
- Fixed dark and oled hover color

* Storage logs
- Add logs page
- Add localStorage logging

* Change 'Fierté' to 'Rainbow' in en-US.json

* Update 'pride' translation to 'Arc-en-ciel'

* Update translation for 'pride' in Spanish locale

* Update French translation for 'pride' key

---------

Co-authored-by: Dark-Louis <louis.solty747@gmail.com>
Co-authored-by: Dark-Louis <116973803+Dark-Louis@users.noreply.github.com>