Is it safe to store refresh token in localstorage?

[pranavxc]

Correct me if I am wrong, looks like refresh_token and access_token are stored in localstorage in the browser.

Once gaining access to these refresh_token, an attack like cross-site scripting (XSS) is possible. So the attacker can generate new access_token using refresh_token.

1. Is there any option to prevent this kind of attack?

[dustincrogers]

Hi @pranavxc:
That is correct. Here are most of the options in a ordered list:

1. The first option would be a no refresh token, and just an access token that may or may not expire
2. (CURRENT) Use refresh tokens stored in local storage
3. Store access token in Http-Only cookie, and encrypt cookie using server side stored key. use "implicit flow" when re-authentication occurs
4. Same as 3, but also include CSRF token
5. (BEST) OAuth 2.0 Authorization Code Flow (PKCE)

Some of these options would require functionality outside of gotrue.