The currently logged in user’s Access Token is stored inside the web browsers HTML5 local storage. This means that it will be stored in plaintext, which can result in an attacker stealing the Access Token and sending it to a server they control.
Is it possible to refrain from storing sensitive user information inside the web browsers local storage.
Great question Ty.
You are correct that we store it in LocalStorage. However, it is worth noting that localStorage is bound to the URL that stored it. The only way security could be compromised is in the event of an XSS vulnerability, and we have mitigation strategies in place to prevent that. Additionally, as a part of being a registered Salesforce ISV, our product is reviewed by Salesforce’s security team and any outstanding security issues are remediated prior to certification and listing.
Eventually we would like to remove the need to store the token there, but for reasons such as legacy support, this is tricky. We are reviewing internally and considering making the switch in a future release. Thank you for your honest feedback and for being a member of the Skuid Community!