Is it safe to store access_token in cookie/local storage?


#1

Like most modern applications, I have a front end (Vue) + backend (Django) that powers my GitHub App. The auth flow is simple: I direct users to GitHub OAuth and generate an access_token using the code received from the login callback.

Now the access_token is stored in the backend. As usual, the front end makes some API calls to the backend, which in turn makes some calls to the GitHub APIs. Some of these calls are just a passthrough to GitHub. I’m wondering if it’s an acceptable security practice to store the token in the front end (either as a cookie or in local storage) and make calls directly from the front end to the GitHub APIs.

My hunch is it’s acceptable since the token is specific to that user only. I’m planning to apply for a GitHub Marketplace listing and the app needs to go through the GH security review, from what I understand. It would be great if someone from GitHub could chime in.


#2

Knock Knock!


#3

Since the access_token is generated uniquely for each user, it is completely fine.
And the method you propose is actually commonly used!

window.localStorage.setItem('access_token', token)

#4

Thanks for your response. I have a couple of questions though.

Since the access_token is generated uniquely for each user, it is completely fine.

But won’t it be available to browser extensions? Also, it would be clearly visible under the network tab. What if someone other than the logged-in user gets access to the browser/computer?

And the method you propose is actually commonly used!

Do you know any examples?


#5

:no_mouth: Hello amit1rrr, I would like to be in touch with you for another project :slight_smile:.


#6

Given this thread, I hope it’s not about hacking somebody’s app :smiley:

For anything other than that, write to me at amit at nurtch.com


#7

Totally understand…


#8

We do the same for Dependabot.

To be clear, by access_token here we’re talking about an OAuth token, and I’m assuming it has no permissions - it just authenticates the user.

The way I see it, you’ve got to store something on the client side that identifies them with your app and gives them access to the OAuth methods you’ll be using in the backend. Assuming the OAuth token is really tightly scoped, it’s fine for that to be the token. Any browser extension looking to pinch it could also pinch whatever other token you replace it with to impersonate the user on your app, so if your app exposes the same methods as using the OAuth token directly would, then you’re not really adding any security by putting it behind a level of indirection.


#9

To be clear, by access_token here we’re talking about an OAuth token, and I’m assuming it has no permissions - it just authenticates the user.

No, it’s the access_token you get in step 2 here. It can be used to make API calls etc. (not just login).

Any browser extension looking to pinch it could also pinch whatever other token you replace it with to impersonate the user on your app, so if your app exposes the same methods as using the OAuth token directly would, then you’re not really adding any security by putting it behind a level of indirection.

I’m using Django sessions to authenticate between the client and my server. Assuming that gets compromised (by extensions etc.), the user can still only make calls to APIs on my server, which are a limited set of APIs. Plus the session is invalidated when the user logs out. But leaking the GitHub access_token could mean freely making calls to GitHub using that token forever (until that token is deemed invalid by GitHub).
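
The backend-proxy arrangement contrasted above (opaque session in the browser, GitHub token and a small allowlist of operations on the server, session dropped on logout), as an added example that is not code from this thread or from the poster's Vue/Django app. Everything in it is an assumption for illustration: the names TokenVault, FakeGitHub and GITHUB_ALLOWLIST, the in-memory session store, and the simulated GitHub API so it runs offline. In a real deployment the session id would be carried in an HttpOnly, Secure, SameSite cookie set by the framework, not placed in localStorage.

```python
"""Keep the GitHub access_token server-side behind a session and an allowlist.

Added example (not from the thread or the poster's app).  The browser only
ever holds a random session id; the backend holds the OAuth token, exposes a
fixed set of GitHub operations, and forgets the token when the session ends.
Names and the simulated GitHub API are assumptions made for this example.
"""
import secrets
import time
from dataclasses import dataclass, field

# The only GitHub operations reachable through the backend.  A stolen session
# id can do exactly this and nothing more; a stolen access_token could call
# any endpoint its scopes permit, for as long as GitHub honours the token.
GITHUB_ALLOWLIST = {
    "get_user": ("GET", "/user"),
    "list_repos": ("GET", "/user/repos"),
}


class AccessDenied(Exception):
    """Unknown, expired or revoked session, or an operation not exposed."""


@dataclass
class Session:
    user_id: int
    token: str  # the GitHub OAuth access_token; never sent to the browser
    created: float = field(default_factory=time.time)


class FakeGitHub:
    """Stand-in for api.github.com (constructed so the example runs offline)."""

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)
        self.calls = []  # (method, path) of every request that reached "GitHub"

    def request(self, method, path, token):
        self.calls.append((method, path))
        if token not in self.valid_tokens:
            return 401, {"message": "Bad credentials"}
        return 200, {"path": path}


class TokenVault:
    """Maps opaque session ids to GitHub tokens and proxies allowlisted calls."""

    def __init__(self, github, ttl_seconds=8 * 3600):
        self.github = github
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> Session; server memory only

    def login(self, user_id, access_token):
        """Called after the OAuth callback exchanged the code for a token.
        The returned session id is the only secret the browser receives."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, access_token)
        return sid

    def call(self, sid, operation, now=None):
        """Perform one allowlisted GitHub operation on behalf of a session."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None or now - sess.created > self.ttl:
            raise AccessDenied("no valid session")
        if operation not in GITHUB_ALLOWLIST:
            raise AccessDenied(f"operation {operation!r} is not exposed")
        method, path = GITHUB_ALLOWLIST[operation]
        # GitHub's answer is passed through; the token itself never is.
        return self.github.request(method, path, sess.token)

    def logout(self, sid):
        """Drop the session; the GitHub token is discarded with it."""
        return self._sessions.pop(sid, None) is not None


def is_denied(vault, sid, operation, now=None):
    """True if the vault refuses the call (helper for the walkthrough)."""
    try:
        vault.call(sid, operation, now=now)
    except AccessDenied:
        return True
    return False


def demo():
    """Walk through the scenarios discussed in the thread; returns outcomes."""
    token = "gho_constructed_example_token"  # constructed, not a real token
    gh = FakeGitHub([token])
    vault = TokenVault(gh)
    sid = vault.login(user_id=1, access_token=token)
    return {
        "token_visible_to_browser": token in sid,
        "allowed_call": vault.call(sid, "get_user"),
        # a leaked session id cannot reach endpoints the backend does not expose
        "unlisted_call_denied": is_denied(vault, sid, "delete_repo"),
        # a session that outlives its TTL stops working even if it leaked
        "expired_denied": is_denied(vault, sid, "get_user", now=time.time() + vault.ttl + 1),
        "logout": vault.logout(sid),
        # after logout the leaked session id is worthless
        "after_logout_denied": is_denied(vault, sid, "get_user"),
        "github_requests": list(gh.calls),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the indirection is visible in `github_requests`: only the one allowlisted call ever reaches GitHub, while the same leaked session id is refused for an unlisted operation, after expiry and after logout. A GitHub token stored in the browser has none of these cut-offs until GitHub itself revokes it.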


#10

Ah, OK, I thought you were talking about a GitHub App (not an OAuth app) using https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/.

In that case I’d be more careful, given the permissions of those tokens. It’s not unusual with the GitHub OAuth flow to have to ask for significantly more permissions than your app plans to use (since with OAuth the permissions aren’t very fine-grained). Exposing the access token that has all of those permissions directly therefore has the potential to do more harm than just exposing a token that would allow a third party to interact with your app.


#11

:hugs: No, no hacking of someone's app lol, it's for creating an app. I got an idea but for developing the program I'm down lol, so I need you.
I don't have an account on the nurtch.com platform, so if you can give me your email or another means to reach you :grinning: