mirror of
https://github.com/LCE-Hub/LCE-Emerald-Launcher.git
synced 2026-07-19 08:47:19 +00:00
fix(LCEL-08): document LCEOnline token in localStorage
the access token currently lives in localStorage under lceonline_session. any XSS in the React frontend (or a browser extension / devtools access to the webview's localStorage) yields the bearer token = full LCEOnline account takeover. added a comment documenting the issue and a TODO for moving the token to a Rust-side secret store accessed via a narrow IPC that returns only scoped capability, or to use an httpOnly cookie + same-site strict backend auth flow. the proper fix is a multi-file change touching the auth flow, the IPC surface, and the backend. left as a TODO so this commit stays minimal and reviewable.
This commit is contained in:
parent
8da6a217bc
commit
3ab1e2cffa
|
|
@ -1,3 +1,9 @@
|
|||
// security: the access token currently lives in localStorage under
|
||||
// SESSION_KEY, which is readable by any JS in the webview origin
|
||||
// (XSS exposure). the proper fix is to move it to a Rust-side secret
|
||||
// store accessed via a narrow IPC that returns only scoped capability,
|
||||
// or to use an httpOnly cookie + same-site strict backend auth flow.
|
||||
// (LCEL-08)
|
||||
const SESSION_KEY = "lceonline_session";
|
||||
const SOCIAL_BASE_URL = "https://social.mclegacyedition.xyz";
|
||||
const AUTH_BASE_URL = "https://auth.mclegacyedition.xyz"; //neo: yeah bro im hardcoding all three
|
||||
|
|
|
|||
Loading…
Reference in a new issue