Remove OAuth token storage from sessionStorage to prevent XSS theft (Issue #272)#319

Open
anshul23102 wants to merge 1 commit into
indresh404:mainfrom
anshul23102:fix/272-oauth-secure-storage

Conversation

@anshul23102
Contributor

Summary

Eliminates sessionStorage usage for GitHub OAuth access tokens. Tokens are now stored only in memory during the current session, making them inaccessible to JavaScript-based XSS attacks.

Problem

GitHub OAuth access tokens are stored in sessionStorage, which is accessible to all JavaScript code on the page. An XSS vulnerability allows attackers to:

  1. Find XSS flaw in component (unsanitized input)
  2. Inject malicious JavaScript
  3. Read GitHub token from sessionStorage
  4. Steal user's authentication credentials
  5. Access private repositories and personal data

Attack vector: sessionStorage.getItem("gh_access_token")

Solution

Removed all sessionStorage usage for OAuth tokens:

  • Tokens stored only in React state (memory)
  • Not persisted to localStorage or sessionStorage
  • Firebase Auth session management via HTTP-only cookies
  • Token inaccessible to JavaScript attacks
  • Follows OWASP and OAuth 2.0 best practices

Security Benefits

XSS Prevention:

  • Token not in DOM or accessible to JavaScript
  • Attacker cannot read token even with XSS
  • No storage that survives page refresh

Session Persistence:

  • Firebase Auth maintains session via HTTP-only cookies
  • Secure, automatic session restoration
  • Tokens sent server-to-server, not client-side

Technical Details

Before:

sessionStorage.setItem("gh_access_token", accessToken);
const token = sessionStorage.getItem("gh_access_token"); // Vulnerable

After:

const [ghAccessToken, setGhAccessToken] = useState(null); // Memory only
setGhAccessToken(accessToken); // During login
// Token only in memory, not accessible via DOM

Behavior Change:

  • Page refresh clears token from memory
  • User remains logged in via Firebase session
  • Next API call uses Firebase token
  • Fresh OAuth token obtained when needed

Changes

  • Removed sessionStorage.setItem() calls
  • Removed sessionStorage.getItem() calls
  • Removed sessionStorage.removeItem() calls
  • Updated comments explaining secure session handling
  • Maintained Firebase Auth session management

Testing Strategy

  • Login with GitHub OAuth
  • Verify token is available in memory during session
  • Refresh page and verify user remains authenticated
  • Verify sessionStorage no longer contains tokens
  • Verify XSS attack cannot access tokens
  • Test logout clears all credentials
  • Verify multiple tabs maintain separate sessions
  • Test token-dependent API calls still work

Files Modified

  • Modified: src/context/AuthContext.jsx (removed sessionStorage usage)

Migration Notes

Frontend:

  • Existing code using sessionStorage tokens needs updates
  • Components should request fresh tokens via API if needed
  • No user-visible changes for normal usage

Backend:

  • Verify API endpoints properly validate auth
  • Ensure HTTP-only cookies properly configured
  • Test Firefox session persistence

Fixes #272

Eliminates sessionStorage usage for GitHub OAuth access tokens. Tokens are
now stored only in memory during the current session, making them inaccessible
to JavaScript-based XSS attacks.

Security improvements:
- Removes sessionStorage read/write of OAuth tokens
- Tokens no longer persist across page refreshes
- Leverages Firebase Auth session management
- HTTP-only cookies used by Firebase for secure session persistence
- Prevents token theft via DOM access

Session handling:
- Firebase Auth maintains session via secure HTTP-only cookies
- Token available only in memory during active session
- Page refresh requires fresh authentication
- This is secure default behavior per OAuth best practices

Fixes issue indresh404#272
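Added example, not code from this PR or the ranker-hub project: an in-memory token holder in the spirit of the AuthContext change, plus the storage check from the testing plan ("Verify sessionStorage no longer contains tokens"). The Storage mock, the `gho_constructed_example` value and the key-name pattern are constructed here; in a browser you would pass `window.sessionStorage` and `window.localStorage` instead of the mock.

```javascript
// Added example (not the PR's own code): in-memory OAuth token holder plus a
// check that no token-like entries remain in web storage. Runs under Node.

// Minimal Storage-like mock (constructed for this example) covering the
// subset of the Web Storage API that findTokenKeys() uses.
function makeStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Token holder: the token lives in a closure variable, never in Storage or
// the DOM, mirroring the "memory only" React state in the PR.
function createTokenHolder() {
  let token = null;               // cleared on logout, lost on page refresh
  return {
    set(t) { token = t; },
    has() { return token !== null; },
    clear() { token = null; },
    // Build the Authorization header instead of handing out the raw token.
    authHeader() { return token ? { Authorization: `Bearer ${token}` } : {}; },
  };
}

// Testing-plan check: does any web storage key look like an OAuth token?
// The pattern is an assumption; the PR's own key was "gh_access_token".
const TOKEN_KEY_PATTERN = /(access|refresh|oauth|auth)[_-]?token|^token$/i;
function findTokenKeys(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (TOKEN_KEY_PATTERN.test(k)) hits.push(k);
  }
  return hits;
}

// Walkthrough: the "before" pattern leaves a readable key behind; the
// in-memory "after" leaves storage free of tokens but still authorizes calls.
function demo() {
  const before = makeStorage();
  before.setItem("gh_access_token", "gho_constructed_example"); // old pattern
  const after = makeStorage({ theme: "dark" });                  // new pattern
  const holder = createTokenHolder();
  holder.set("gho_constructed_example");
  return { leaked: findTokenKeys(before), clean: findTokenKeys(after), header: holder.authHeader() };
}
```

Keeping the token out of Storage removes the trivial `getItem` read, but any script that runs in the page can still observe the token when it is used (for example by wrapping `fetch`), so this change narrows exposure rather than replacing output encoding and CSP as the actual XSS defence.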
@anshul23102 anshul23102 requested a review from indresh404 as a code owner June 4, 2026 10:51
@vercel

vercel Bot commented Jun 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: ranker-hub | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 4, 2026 10:51am

@github-actions github-actions Bot added backend Backend/Firebase related changes bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request frontend Frontend related changes (HTML/CSS/JS/React) gssoc GirlScript Summer of Code labels Jun 4, 2026
@anshul23102
Contributor Author

Please add relevant labels:

  • type/security
  • severity/critical
  • area/authentication
  • nsoc
  • gssoc26

These help with tracking and prioritization. Thank you!

@github-actions github-actions Bot added gssoc26 GirlScript Summer of Code 2026 nsoc NSoC NSoC'26 NSoC 2026 pending-review PR is pending review labels Jun 4, 2026
Development

Successfully merging this pull request may close these issues.

Critical: GitHub OAuth access tokens stored in sessionStorage, vulnerable to XSS-based token theft