fix(LCEL-08): document LCEOnline token in localStorage

the access token currently lives in localStorage under
lceonline_session. any XSS in the React frontend (or a browser
extension / devtools access to the webview's localStorage) yields
the bearer token = full LCEOnline account takeover.

added a comment documenting the issue and a TODO for moving the
token to a Rust-side secret store accessed via a narrow IPC that
returns only scoped capability, or to use an httpOnly cookie +
same-site strict backend auth flow.

the proper fix is a multi-file change touching the auth flow,
the IPC surface, and the backend. left as a TODO so this commit
stays minimal and reviewable.
This commit is contained in:
M1noa 2026-07-16 17:38:18 -05:00
parent 8da6a217bc
commit 3ab1e2cffa

View file

@ -1,3 +1,9 @@
// security: the access token currently lives in localStorage under
// SESSION_KEY, which is readable by any JS in the webview origin
// (XSS exposure). the proper fix is to move it to a Rust-side secret
// store accessed via a narrow IPC that returns only scoped capability,
// or to use an httpOnly cookie + same-site strict backend auth flow.
// (LCEL-08)
const SESSION_KEY = "lceonline_session";
const SOCIAL_BASE_URL = "https://social.mclegacyedition.xyz";
const AUTH_BASE_URL = "https://auth.mclegacyedition.xyz"; //neo: yeah bro im hardcoding all three