[H6] Dashboard JWT in sessionStorage, blindly attached as Bearer, no exp/refresh/idle-timeout #20

Open
opened 2026-06-05 17:35:49 -07:00 by azcomputerguru · 0 comments

Severity: High

Component(s): dashboard

Affected file(s):

  • dashboard/src/auth/AuthProvider.tsx
  • dashboard/src/api/client.ts

Problem:
The dashboard stores the JWT in sessionStorage and blindly attaches it as a Bearer token, with no expiry handling, refresh, or idle timeout.

Recommended fix:
Respect exp, add proactive refresh/logout and an idle timeout; longer-term move to an httpOnly cookie (coordinate with P1).

Remediation phase: P4

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H6) and REMEDIATION-PLAN.md (P4).

azcomputerguru added the severity:high, component:dashboard, security labels 2026-06-05 17:35:49 -07:00
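The following is an added example, not guru-connect's code and not the reviewers' proposed patch: it shows the shape of the short-term fix (respect `exp`, refuse tokens the client cannot retire, schedule a proactive refresh, enforce an idle timeout) as pure TypeScript so it runs under Node. Storage, `fetch` and `setTimeout` wiring are left to the caller, and the policy numbers, the `BearerSession` class name and the sample token are all hypothetical.

```typescript
// Added example, not guru-connect's code: exp-aware Bearer handling as pure
// functions. The caller wires in sessionStorage (or, per P1, an httpOnly cookie
// with no client-side token at all), fetch and setTimeout.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Minimal base64url codec (ASCII payloads, enough for JWT JSON claims), so the
// demo depends on neither Buffer nor atob.
function b64urlEncode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL.charAt((acc >> bits) & 63); }
  }
  if (bits > 0) out += B64URL.charAt((acc << (6 - bits)) & 63);
  return out;
}
function b64urlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  const body = s.replace(/=+$/, "");
  for (let i = 0; i < body.length; i++) {
    const v = B64URL.indexOf(body.charAt(i));
    if (v < 0) throw new Error("not base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

interface Claims { exp?: number; [k: string]: unknown }

// Parse claims WITHOUT checking the signature: the client only reads exp to plan
// refresh/logout. Trust stays server-side; the API must still verify every token.
function readClaims(token: string): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const c: unknown = JSON.parse(b64urlDecode(parts[1]));
    return typeof c === "object" && c !== null ? (c as Claims) : null;
  } catch { return null; }
}

type Action = "attach" | "refresh" | "logout";
interface Policy { skewSec: number; refreshLeadSec: number; idleLimitMs: number }
// Hypothetical policy values; tune per deployment.
const DEFAULT_POLICY: Policy = { skewSec: 30, refreshLeadSec: 120, idleLimitMs: 15 * 60 * 1000 };

class BearerSession {
  private token: string | null = null;
  private expMs = 0;
  private lastActivityMs: number;
  constructor(private policy: Policy = DEFAULT_POLICY, nowMs: number = Date.now()) {
    this.lastActivityMs = nowMs;
  }
  // Refuse tokens with no exp or an exp already past: never keep a token the
  // client cannot retire on its own.
  setToken(token: string, nowMs: number = Date.now()): boolean {
    const exp = readClaims(token)?.exp;
    if (typeof exp !== "number" || exp * 1000 <= nowMs) return false;
    this.token = token; this.expMs = exp * 1000; this.lastActivityMs = nowMs;
    return true;
  }
  recordActivity(nowMs: number = Date.now()): void { this.lastActivityMs = nowMs; }
  // Checked on every request instead of attaching blindly.
  decide(nowMs: number = Date.now()): Action {
    if (this.token === null) return "logout";
    if (nowMs - this.lastActivityMs >= this.policy.idleLimitMs) return "logout"; // idle
    if (this.expMs - this.policy.skewSec * 1000 <= nowMs) return "logout";      // exp hit
    if (this.expMs - this.policy.refreshLeadSec * 1000 <= nowMs) return "refresh";
    return "attach";
  }
  // Header to attach, or null when the request must not carry this token.
  authHeader(nowMs: number = Date.now()): Record<string, string> | null {
    return this.decide(nowMs) === "logout" ? null : { Authorization: `Bearer ${this.token}` };
  }
  // Delay for the proactive refresh timer (caller hands it to setTimeout).
  msUntilRefresh(nowMs: number = Date.now()): number | null {
    if (this.token === null) return null;
    return Math.max(0, this.expMs - this.policy.refreshLeadSec * 1000 - nowMs);
  }
}

// Constructed sample: correct JWT shape, placeholder signature, fixed clock.
const NOW = 1780000000000;
function makeSampleToken(claims: Claims): string {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

// Walks through the failure modes the issue lists; returns the decisions taken.
function demo(): Record<string, string> {
  const nowSec = NOW / 1000;
  const s = new BearerSession(DEFAULT_POLICY, NOW);
  const out: Record<string, string> = {};
  out.noExpAccepted = String(s.setToken(makeSampleToken({ sub: "u1" }), NOW));
  s.setToken(makeSampleToken({ sub: "u1", exp: nowSec + 600 }), NOW);
  out.fresh = s.decide(NOW);                    // 600 s left
  out.nearExpiry = s.decide(NOW + 500 * 1000);  // 100 s left, inside refresh lead
  out.expired = s.decide(NOW + 600 * 1000);     // exp reached
  s.setToken(makeSampleToken({ sub: "u1", exp: nowSec + 3600 }), NOW);
  out.idle = s.decide(NOW + 16 * 60 * 1000);    // no activity for 16 min
  s.recordActivity(NOW + 16 * 60 * 1000);
  out.afterActivity = s.decide(NOW + 16 * 60 * 1000);
  return out;
}
```

Wiring, as a suggestion rather than a reading of the affected files: `AuthProvider.tsx` would call `setToken` on login (dropping tokens it rejects), `recordActivity` from user-input listeners, and arm a timer from `msUntilRefresh`; `client.ts` would call `authHeader` per request and treat `null` as a forced logout. A `refresh` decision still attaches the current token but triggers a refresh in parallel; nothing here removes the need for the server to verify the signature and `exp` itself.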

Reference: azcomputerguru/guru-connect#20