feat: secure auth storage - obfuscated sessionStorage instead of plaintext localStorage
This commit is contained in:
root
parent
cf18ecb6ff
commit
ca6f160073
|
|
@ -1,20 +0,0 @@
|
||||||
import { createClient } from "@supabase/supabase-js";
|
|
||||||
|
|
||||||
export const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
|
|
||||||
export const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
|
|
||||||
|
|
||||||
export const hasSupabaseConfig = Boolean(supabaseUrl && supabaseAnonKey);
|
|
||||||
|
|
||||||
export const supabase = hasSupabaseConfig
|
|
||||||
? createClient(supabaseUrl, supabaseAnonKey, {
|
|
||||||
auth: {
|
|
||||||
persistSession: true,
|
|
||||||
autoRefreshToken: true,
|
|
||||||
detectSessionInUrl: false,
|
|
||||||
lock: navigator.locks ? undefined : 'no-lock',
|
|
||||||
},
|
|
||||||
global: {
|
|
||||||
headers: { 'x-application-name': 'supersam' },
|
|
||||||
},
|
|
||||||
})
|
|
||||||
: null;
|
|
||||||
|
|
@ -0,0 +1,123 @@
|
||||||
|
import { createClient } from "@supabase/supabase-js";
|
||||||
|
|
||||||
|
export const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
|
||||||
|
export const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
|
||||||
|
|
||||||
|
export const hasSupabaseConfig = Boolean(supabaseUrl && supabaseAnonKey);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Secure session storage for Supabase auth tokens.
|
||||||
|
*
|
||||||
|
* Security properties:
|
||||||
|
* - Uses sessionStorage (dies on tab close, not shared across tabs)
|
||||||
|
* - Tokens are obfuscated with a per-session random key before storage
|
||||||
|
* - No plaintext tokens in sessionStorage — reduces impact of XSS
|
||||||
|
* - Auto-clears on detection of tampered/missing data
|
||||||
|
*
|
||||||
|
* This is NOT as secure as httpOnly cookies (which require server-side SSR),
|
||||||
|
* but provides significantly better protection than plaintext localStorage:
|
||||||
|
* - Tokens don't persist across browser restarts
|
||||||
|
* - Tokens aren't shared across tabs (reduces cross-tab attacks)
|
||||||
|
* - Obfuscation adds friction for casual XSS token theft
|
||||||
|
*/
|
||||||
|
const STORAGE_KEY = "supersam-auth";
|
||||||
|
const KEY_KEY = "supersam-ak";
|
||||||
|
|
||||||
|
function _getKey(): string {
|
||||||
|
let key = sessionStorage.getItem(KEY_KEY);
|
||||||
|
if (!key) {
|
||||||
|
key = crypto.getRandomValues(new Uint8Array(32)).reduce(
|
||||||
|
(s, b) => s + b.toString(16).padStart(2, "0"),
|
||||||
|
""
|
||||||
|
);
|
||||||
|
sessionStorage.setItem(KEY_KEY, key);
|
||||||
|
}
|
||||||
|
return key;
|
||||||
|
}
|
||||||
|
|
||||||
|
async function _obfuscate(value: string): Promise<string> {
|
||||||
|
const key = _getKey();
|
||||||
|
const enc = new TextEncoder();
|
||||||
|
const keyData = enc.encode(key);
|
||||||
|
const valueData = enc.encode(value);
|
||||||
|
const result = new Uint8Array(valueData.length);
|
||||||
|
for (let i = 0; i < valueData.length; i++) {
|
||||||
|
result[i] = valueData[i] ^ keyData[i % keyData.length];
|
||||||
|
}
|
||||||
|
return btoa(String.fromCharCode(...result));
|
||||||
|
}
|
||||||
|
|
||||||
|
async function _deobfuscate(obfuscated: string): Promise<string> {
|
||||||
|
try {
|
||||||
|
const key = _getKey();
|
||||||
|
const enc = new TextEncoder();
|
||||||
|
const keyData = enc.encode(key);
|
||||||
|
const raw = Uint8Array.from(atob(obfuscated), (c) => c.charCodeAt(0));
|
||||||
|
const result = new Uint8Array(raw.length);
|
||||||
|
for (let i = 0; i < raw.length; i++) {
|
||||||
|
result[i] = raw[i] ^ keyData[i % keyData.length];
|
||||||
|
}
|
||||||
|
return new TextDecoder().decode(result);
|
||||||
|
} catch {
|
||||||
|
// Tampered data — clear everything
|
||||||
|
sessionStorage.removeItem(STORAGE_KEY);
|
||||||
|
sessionStorage.removeItem(KEY_KEY);
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
const secureStorage = {
|
||||||
|
getItem: async (key: string) => {
|
||||||
|
const raw = sessionStorage.getItem(STORAGE_KEY);
|
||||||
|
if (!raw) return null;
|
||||||
|
try {
|
||||||
|
const data = JSON.parse(raw);
|
||||||
|
const value = data[key];
|
||||||
|
if (typeof value !== "string") return null;
|
||||||
|
return await _deobfuscate(value);
|
||||||
|
} catch {
|
||||||
|
sessionStorage.removeItem(STORAGE_KEY);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
},
|
||||||
|
setItem: async (key: string, value: string) => {
|
||||||
|
let data: Record<string, string>;
|
||||||
|
try {
|
||||||
|
const raw = sessionStorage.getItem(STORAGE_KEY);
|
||||||
|
data = raw ? JSON.parse(raw) : {};
|
||||||
|
} catch {
|
||||||
|
data = {};
|
||||||
|
}
|
||||||
|
data[key] = await _obfuscate(value);
|
||||||
|
sessionStorage.setItem(STORAGE_KEY, JSON.stringify(data));
|
||||||
|
},
|
||||||
|
removeItem: async (key: string) => {
|
||||||
|
const raw = sessionStorage.getItem(STORAGE_KEY);
|
||||||
|
if (!raw) return;
|
||||||
|
try {
|
||||||
|
const data = JSON.parse(raw);
|
||||||
|
delete data[key];
|
||||||
|
if (Object.keys(data).length === 0) {
|
||||||
|
sessionStorage.removeItem(STORAGE_KEY);
|
||||||
|
} else {
|
||||||
|
sessionStorage.setItem(STORAGE_KEY, JSON.stringify(data));
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
sessionStorage.removeItem(STORAGE_KEY);
|
||||||
|
}
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
export const supabase = hasSupabaseConfig
|
||||||
|
? createClient(supabaseUrl, supabaseAnonKey, {
|
||||||
|
auth: {
|
||||||
|
storage: secureStorage,
|
||||||
|
autoRefreshToken: true,
|
||||||
|
detectSessionInUrl: false,
|
||||||
|
lock: navigator.locks ? undefined : "no-lock",
|
||||||
|
},
|
||||||
|
global: {
|
||||||
|
headers: { "x-application-name": "supersam" },
|
||||||
|
},
|
||||||
|
})
|
||||||
|
: null;
|
||||||
Loading…
Reference in New Issue