Security - Don't store tokens in localStorage

rjdavid · October 25, 2019, 2:15am

Let us just make it clear, if it still wasn’t. Before an attacker has access to your local storage, it means the attacker already has access to the session of your users, first and foremost. Let that sink in first

captainn · October 25, 2019, 2:40am

It’s exactly the same for a cookie - js can access that value. A difference with the cookie though, is that the value of the cookie is sent back and forth with every http request, where as the value stored in local storage is not. And like I said before, we can’t use an httpOnly cookie, because Meteor needs to be able to read the value client side.

drew · October 25, 2019, 4:21am

So the solution is to use multi-factor authentication. It should be inbuilt to all websites these days. Pick two:

something they know,
something they have, or
something they are.

rjdavid · October 25, 2019, 5:14am

As long as the 2fa does not store the token locally “to remember” the device or else it is also vulnerable if the client is compromised

roy2019 · October 25, 2019, 6:55am

I have been using REDIS for the authentication part of my app in meteor. And in serverside cookies are there for load balancers to work properly. Check this package this is the one I have been using for authentication and token storage and so on.

Bengali Life quotes

captainn · October 28, 2019, 5:32pm

That article suggests cookies are more secure than local storage, but I still don’t understand why. Why is it harder for an attacker to grab the cookie value using javascript than it is for the attacker to grab the local storage value?

alan99 · October 28, 2019, 6:13pm

Not sure which article you are referring to, as I cited a few. Some advantages of cookies are:

The httpOnly setting. See, for example, https://blog.codinghorror.com/protecting-your-cookies-httponly/ (“HttpOnly cookies don’t make you immune from XSS cookie theft, but they raise the bar considerably.”)
The path setting.
Edited to add: expiration

Other remarks:

The argument that “no XSS is possible on my site” is both besides the point and utterly wrong. (I am not attributing this argument to you, just enumerating)
The argument that “it’s all the same once the client is compromised” is also wrong, for the numbered reasons above.
It seems to me that some people are arguing against the claim “Cookies are perfect”, but this is a straw man. The claim is: they are superior.
localStorage is simply not intended to store sensitive information, but cookies are (at least, by comparison). Why not “honor” the intention?
My proximate/initial motive in this thread is regarding the stance taken up top, basically opposing the customer, instead of supporting. I mean, your chances of convincing the auditor are sub-zero, and also, maybe it should give us pause to hear what paid specialists are saying, and do we want Meteor to appeal to serious, corporate customers – or not? Even if the concern didn’t make sense (it does), accommodation seems like a productive response.

qnipp · October 28, 2019, 6:14pm

@captainn If the cookie is marked by the server with httpOnly, it’s not available via document.cookies. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Creating_cookies

A cookie is sent on every HTTP request, so it is available on the server side. To use this pattern for Meteor, the login must be treated different than now, because this is done entirely using web sockets and the login method.

alan99 · October 28, 2019, 6:29pm

Does the definition of “anyone with local access” include XSS-attackers?

captainn · October 28, 2019, 7:44pm

That’s right. What I meant was that Meteor can’t just use a monkey patch and switch to using httpOnly cookies in place of another client readable method (local storage or secure cookies). The client side app needs access to the auth token to send it with requests over DDP.

I wonder if a sort of half-duplex model could be constructed from various parts though. We really only require DDP requests to contain the auth token, not receipts. There are already tools to set up cookies for SSR (staringatlights:fast-render) and others to convert methods to REST. If Meteor was modified a bit, it could probably be set up to receive http requests (method/subscription requests) which would attach httpOnly cookie auth token, and then respond through a DDP connection.

jonlachlan · October 28, 2019, 7:51pm

I guess I meant that, you can look up the cookie values. Browser security prevents JavaScript from accessing that information. Otherwise JavaScript loaded from a site can access localStorage or cookies.

alan99 · October 28, 2019, 8:40pm

What? Who is “you”? Browser security prevents it, but otherwise it doesn’t? [Parse Error]

jkuester · October 28, 2019, 8:40pm

If local storage has only been used due to Galaxy then we may put this on the current feature request list for Tiny, correct?

nickg123 · October 29, 2019, 12:04am

Hi all, thank you everyone for some robust discussion.

It would be amazing if we could get a feature request to address this - not sure what or where to request this though… @jkuester - is this something you could setup? (and throw a link to the Feature Request here?)

rjdavid · October 29, 2019, 1:02am

Is it needed to send the cookie auth on every method/sub calls? It might be possible that only the initial connection that will authenticate the cookie and then succeeding calls will be an “authenticated” ddp. Or are we talking about the same thing?

captainn · October 29, 2019, 1:06am

Possibly - I haven’t looked at the code that controls DDP. I’m not actually certain that the token is even transferred with every request. It actually would make sense not to. But there are recovery scenarios where I think the token would be needed, such as lost and recovered connections, changing IPs, etc.

If it’s not needed for every request, maybe just the handshake (however that works) could be done over HTTP with the httpOnly cookie.

vooteles · October 29, 2019, 1:06am

@nickg123, feature requests for Meteor can be made here:

storyteller · October 29, 2019, 1:55am

Created a new request:

github.com/meteor/meteor-feature-requests

[Accounts][security] Use cookies instead of localStorage for storing session token

opened 01:54AM - 29 Oct 19 UTC

StorytellerCZ

Project:Accounts (in user apps) in-discussion

An issue came up on the [forums](https://forums.meteor.com/t/security-dont-store…-tokens-in-localstorage/50539) where Meteor app audit highlighted storage of session tokens in `localStorage` as a security issue. Setting up content security policy is not seen as enough to mitigate this issue. As such it was recommended to use cookies instead. Requests #264 and #295 have some aspects of this as well. The reasoning and additional information are in the above mentioned [forum](https://forums.meteor.com/t/security-dont-store-tokens-in-localstorage/50539) topic. I have created this issue to figure out how this change could be implemented. I think there are two options. Either add a new option via cookies or switch to cookies (or other storage method) altogether.

Looking around, there are already a few feature requests similar that could be used for reference:

github.com/meteor/meteor-feature-requests

Add Auth Cookie to Accounts-Base for SSR

opened 09:57PM - 06 May 18 UTC

closed 03:46PM - 23 Apr 20 UTC

toinevk

**A description of the problem you're trying to solve, including *why* you think… this is a problem** Currently, Meteor sets tokens in local storage, in addition I understand that DDP also exposes the userId to all methods. However, when using Meteor with Apollo https://github.com/apollographql/meteor-integration/issues/116, user information is currently not available for SSR Applications who rely on Meteor's authentication solution. Some other relevant information that should be considered: https://blog.meteor.com/why-meteor-doesnt-use-session-cookies-e988544f52c9 **An overview of the suggested solution** Set Cookie with user information. At a minimum the cookie should be [secure and httpOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies) (potentially samesite - but this does not have extensive support yet).

github.com/meteor/meteor-feature-requests

Proper support for using Accounts on a different connection

opened 09:16PM - 04 Feb 18 UTC

closed 03:46PM - 23 Apr 20 UTC

vuhrmeister

There may be situations where you need a different App for authentication. Let's… consider the following scenario. ## The scenario Let's assume we have two different user groups: A and B, being end customers and retailers. Both are working on the same data and communicating with each other, but having the need for a completely different app interface. Therefore you don't want to have one large code basis since you don't want to deliver unnecessary code to the client (besides of maintainability reasons). For simplicity we have 3 apps (might be more in a more complex scenario): App 1: WebApp (or Cordova) for user group A App 2: WebApp (or Cordova) for user group B App 3: The backend (including user management / authentication) App 1 & 2 should be pretty dump, so they should be just the frontend. They should still point to their origin server for hot code push. But for authentication there must be only one user management. Therefore both frontend apps should reliably use the backend connection for authentication. ## The current situation If you search for that topic you will find a lot of forum posts trying to get this working, some of them written in 2015 and before. So obviously there is a demand on that. In [this issue](https://github.com/meteor/meteor/issues/8357) I already explained my opinion about it and @hwillson encouraged me to write this feature request. So by today there is no clean way of getting things working. The most discussed solution looks similar to ```javascript const connection = DDP.connect('http://localhost:4010') Accounts.connection = connection Meteor.users = new Meteor.Collection('users', { connection }) ``` At first glance this works. You can register and log in. But as you reload the browser you're logged out again. Then people do something like ```javascript Tracker.autorun(function () { const token = Session.get('_storedLoginToken') if (token) { Meteor.loginWithToken(token, (err) => { // … }) } }) Tracker.autorun(function () { if (Meteor.user()) { // using u2622:persistent-session Session.setPersistent('_storedLoginToken', Accounts._storedLoginToken()) } }) ``` The point here is that `Accounts` get [initialized right away](https://github.com/meteor/meteor/blob/devel/packages/accounts-base/client_main.js#L9) when the `accounts-base` package is loaded. Then `_initLocalStorage()` is called before you have the chance to set the `Account`'s connection. Therefore [here](https://github.com/meteor/meteor/blob/devel/packages/accounts-base/localstorage_token.js#L101) it still uses the `Meteor.connection` and doesn't look for the connection we set manually. Then there is documentation about [AccountsClient](https://docs.meteor.com/api/accounts-multi.html#AccountsClient). But this is only useful if I'm fine having the default `Accounts` instance as well. There are [plenty](https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_common.js#L272) of [functions](https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_client.js#L189) on it which references the default `Accounts` in any case. So with the solution discussed above you are in a total mess. ## A better solution There is an undocumented (and deprecated) way to get this done in just one line of code. I myself make use of this in my project. ```javascript __meteor_runtime_config__.ACCOUNTS_CONNECTION_URL = Meteor.settings.backendUrl ``` With just this single line of code everything works (for me) as expected (well, almost, will discuss that later). `Accounts` get initialized right away with the proper connection so there is no orphan connection out there. All methods like `Meteor#userId()` or `Meteor#loggingIn` are using the proper connection. So I plead for making this a public API. It might be configurable via settings file or ENV var. Maybe I'm to naive that this is all you need to do. Might be that I didn't overlook the whole picture. So any feedback is welcome. And hopefully we will find a solution which can be implemented. ## Open issues ### Connection instances Configuring a connection url for `Accounts` might be fine, but I struggled with the fact that when calling a method or subscribing to a publication, I was not known as a logged in user. I found out, that I set up two connections to the backend (one implicitly via Accounts initialization and one for use in my app). My workaround is to always use the `Accounts.connection`. I don't really like that. So maybe a cleaner way would be to set up a connection and provide that instance to `Accounts` (I know, that would be much more work to achieve that). ### OAuth Actually I realized, that for the accounts system as a whole there are more issues to consider. While authentication with password is pretty straight forward, OAuth is not. The problem comes with redirects from the provider. Authentication is done in a popup which then communicates with the `opener` to finalize the login process. Because of cross-origin policy this does not work anymore if you redirect to your authentication server which runs on a different host as the frontend app. For now I need to start my app with the same database connection as for the backend. Now my frontend app receive the response from the OAuth provider and stores the information in the `meteor_oauth_pendingCredentials` collection and the backend app can access those information and actually finalize the process. The goal should be, of course, not to work around over the database.

jkuester · October 29, 2019, 7:55am

Hey @nickg123 the latest topics in this forum are feature requests from Tiny regarding desired Meteor and Galaxy Features:

https://forums.meteor.com/t/help-tiny-post-your-most-wanted-features-for-meteor/

https://forums.meteor.com/t/help-tiny-what-would-it-take-for-you-to-use-galaxy-very-important/

I already posted in the Galaxy topic and linked this one

jkuester · October 29, 2019, 7:58am

I’d like to emphasize by the way, that until we have a stable http auth system, we still have a great cookies implementation already:

which is also used in ostrio:files and they are constantly improving, especially the cordova-related headaches are currently tackled.