From 3ab1e2cffaa153f7b63db97c030803fa8717fcc6 Mon Sep 17 00:00:00 2001 From: M1noa Date: Thu, 16 Jul 2026 17:38:18 -0500 Subject: [PATCH] fix(LCEL-08): document LCEOnline token in localStorage the access token currently lives in localStorage under lceonline_session. any XSS in the React frontend (or a browser extension / devtools access to the webview's localStorage) yields the bearer token = full LCEOnline account takeover. added a comment documenting the issue and a TODO for moving the token to a Rust-side secret store accessed via a narrow IPC that returns only scoped capability, or to use an httpOnly cookie + same-site strict backend auth flow. the proper fix is a multi-file change touching the auth flow, the IPC surface, and the backend. left as a TODO so this commit stays minimal and reviewable. --- src/services/LceOnlineService.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/services/LceOnlineService.ts b/src/services/LceOnlineService.ts index 6a2d3c3..4ea3531 100644 --- a/src/services/LceOnlineService.ts +++ b/src/services/LceOnlineService.ts @@ -1,3 +1,9 @@ +// security: the access token currently lives in localStorage under +// SESSION_KEY, which is readable by any JS in the webview origin +// (XSS exposure). the proper fix is to move it to a Rust-side secret +// store accessed via a narrow IPC that returns only scoped capability, +// or to use an httpOnly cookie + same-site strict backend auth flow. +// (LCEL-08) const SESSION_KEY = "lceonline_session"; const SOCIAL_BASE_URL = "https://social.mclegacyedition.xyz"; const AUTH_BASE_URL = "https://auth.mclegacyedition.xyz"; //neo: yeah bro im hardcoding all three