Some security questions

[jake-edgenaut]

Hello, I am reviewing some of the Supabase examples and have some minor technical questions. Sorry if these are more generic web development questions—I am sort of new to web security, and I am just wanting to make sure I am following the recommended practices for client access.

1. It seems that the JS auth client already has session management, i.e. it will store tokens in localStorage so that a user can stay logged in (reference: https://github.com/supabase/gotrue-js/blob/master/src/GoTrueClient.ts). However, the Svelte to-do list example seems to be handling session itself, i.e. it also stores the logged in user in localStorage (reference: https://github.com/supabase/supabase/blob/master/examples/sveltejs-todo-list/src/LoggedIn.svelte). Am I looking at things wrong?
2. Related to Add Realtime, allowing realtime-js to initialise sockets from inside #1, I understand that it is bad security practice to store session info in localStorage. Is this indeed the way that it is recommended to be done? Any justification(s) for this? I assume the idea is just to either handle session server-side myself, and/or include the appropriate HTTPS security headers and other mitigations to avoid XSS attacks.

[awalias]

hey @ornithophile

yes we currently store the jwt in local storage, during early discussions we decided that if malicious JS was able to run inside the page it would also be able to access these values via supabase-js's in memory store, however I'm aware certain frameworks like react may have some protection here. We're definitely open to discussion on this one, if you have some ideas feel free to open an issue inside https://github.com/supabase/supabase-js

I'm not sure about the Svelte example specifically, maybe @kiwicopple can add some insights there

[jake-edgenaut]

Hi @awalias, thanks for your response. Neat company you guys have. I'm kind of new to serious front end dev, so just trying to do my due diligence with security for my project. I don't really have any better ideas for purely client-side usage, my understanding is that the most secure way to manage session is to handle it on the server side. But, I also understand that Firebase does it the same way you're doing it (via localStorage). If you all are satisfied with doing things this way on the client side then that's good enough for me, I'll just use the appropriate HTTP headers for XSS mitigation (X-XSS-Protection, etc.) and sanitize inputs, etc. Cheers!