Bug Summary
src/features/Auth/v1/Store/Auth.Store.ts uses Zustand's persist middleware with the default storage backend, which is localStorage:
import { create } from "zustand";
import { persist } from "zustand/middleware";

const useAuthStore = create<AuthState>()(
  persist(
    (set) => ({
      token: null,
      user: null,
      setAuthData: (user: User) => set({ user }),
      clearAuthData: () => set({ user: null, token: null }),
    }),
    {
      name: "auth-storage", // key written to localStorage (persist's default storage)
    },
  ),
);
localStorage is accessible to any JavaScript running in the same origin. In a Tauri application where CSP is disabled (see related issue), this is especially dangerous because injected scripts can read localStorage.getItem('auth-storage') and extract the full auth token and user object without any restriction.
Even with CSP enabled, localStorage is not suitable for storing authentication tokens because:
- It is synchronously readable by all JavaScript on the page, including third-party libraries.
- It persists indefinitely until explicitly cleared, even after the user closes the application.
- It is not HttpOnly -- the fundamental property that makes cookies resistant to XSS-based token theft.
For a Tauri desktop app, sensitive credentials should be stored using Tauri's secure storage plugin (tauri-plugin-stronghold or the OS keychain via tauri-plugin-store with encryption) rather than plaintext localStorage.
Expected Behavior
Auth tokens should not be persisted in localStorage. Session state should be kept in memory only (without the persist middleware) and re-established on app launch via a secure token refresh flow. If persistence is required, use an encrypted store.
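As an added illustration of the in-memory fix (not code from this project), the adapter below follows the `StateStorage` shape that zustand's `persist` accepts via `createJSONStorage(() => memoryStorage)`, and `partializeAuth` is the kind of `partialize` function that keeps the token out of whatever slice is persisted; `AuthState`/`User` are redeclared locally and zustand is not imported, so it runs stand-alone. `keysLeakingToken` is a small audit helper that flags storage keys whose JSON envelope still carries a `token`.

```typescript
// Mirrors zustand's StateStorage interface (getItem/setItem/removeItem).
interface StateStorage {
  getItem: (name: string) => string | null;
  setItem: (name: string, value: string) => void;
  removeItem: (name: string) => void;
}

// Local stand-ins for the project's types (assumed shape, for this example only).
interface User { id: string; name: string }
interface AuthState { token: string | null; user: User | null }

// Process-lifetime storage: nothing is written to localStorage, so the token
// disappears when the window closes and leaves no on-disk artefact.
function createMemoryStorage(): StateStorage {
  const data = new Map<string, string>();
  return {
    getItem: (name) => data.get(name) ?? null,
    setItem: (name, value) => { data.set(name, value); },
    removeItem: (name) => { data.delete(name); },
  };
}

// persist() `partialize` option: allowlist the non-secret profile only, so a
// persisted slice can never carry the credential even if a backend is added later.
function partializeAuth(state: AuthState): Partial<AuthState> {
  return { user: state.user };
}

// Same { state, version } envelope persist() writes, built from the partialized slice.
function serializeSlice(state: AuthState, version = 0): string {
  return JSON.stringify({ state: partializeAuth(state), version });
}

// Audit helper: which keys hold a JSON payload with a non-empty `token`
// (top-level or under `state`, as persist writes it)?
function keysLeakingToken(storage: StateStorage, keys: string[]): string[] {
  return keys.filter((key) => {
    const raw = storage.getItem(key);
    if (raw === null) return false;
    try {
      const parsed = JSON.parse(raw);
      const slice = parsed?.state ?? parsed;
      return typeof slice?.token === "string" && slice.token.length > 0;
    } catch {
      return false; // not JSON, nothing to inspect
    }
  });
}
```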
Actual Behavior
Auth state (including token and user data) is serialised to plaintext localStorage on every state update.
Affected File
src/features/Auth/v1/Store/Auth.Store.ts
@NexGenStudioDev I would like to work on this issue. Could you please assign it to me? Contributing under NSoC '26.