[H6] Dashboard JWT in sessionStorage, blindly attached as Bearer, no exp/refresh/idle-timeout #20
Severity: High
Component(s): dashboard
Affected file(s):
dashboard/src/auth/AuthProvider.tsx
dashboard/src/api/client.ts
Problem:
The dashboard stores the JWT in sessionStorage and blindly attaches it as a Bearer token, with no expiry handling, refresh, or idle timeout.
Recommended fix:
Respect exp, add proactive refresh/logout and an idle timeout; longer-term move to an httpOnly cookie (coordinate with P1).
Remediation phase: P4
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H6) and REMEDIATION-PLAN.md (P4).
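The short-term part of the recommended fix (respect exp, refresh proactively, log out on idle) as an added example. This is not the dashboard's code and none of the names below (decodeJwtPayload, evaluateToken, IdleTracker, decideBeforeRequest, makeUnsignedToken) exist in the project; the thresholds (60 s refresh lead, 15 min idle limit) are assumptions. The client never verifies the signature, since it has no key; it only reads exp so that it stops attaching a dead token and refreshes before expiry, while the server remains the authority.

```typescript
// Added example for finding H6; not code from dashboard/src. All names are hypothetical.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Base64url without padding, as JWT segments are encoded. Index loop keeps
// this free of runtime/target assumptions. Payload is assumed ASCII JSON.
function base64UrlEncode(s: string): string {
  let out = "", bits = 0, value = 0;
  for (let i = 0; i < s.length; i++) {
    value = (value << 8) | (s.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(value >> bits) & 63]; }
    value &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64[(value << (6 - bits)) & 63];
  return out;
}

function base64UrlDecode(s: string): string {
  let out = "", bits = 0, value = 0;
  for (let i = 0; i < s.length; i++) {
    const idx = B64.indexOf(s[i]);
    if (idx < 0) throw new Error("invalid base64url character");
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((value >> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return out;
}

type JwtPayload = { exp?: number; [k: string]: unknown };

// Read the payload only. No signature check happens here and none should be
// trusted on the client; this is purely for lifetime decisions.
export function decodeJwtPayload(token: string): JwtPayload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload === "object" && payload !== null ? payload : null;
  } catch {
    return null;
  }
}

export type TokenState = "missing" | "malformed" | "expired" | "refresh-soon" | "valid";

// A token without a numeric exp is treated as unusable rather than attached
// forever, which is the failure mode the finding describes.
export function evaluateToken(token: string | null, nowSec: number, refreshLeadSec = 60): TokenState {
  if (!token) return "missing";
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== "number") return "malformed";
  const remaining = payload.exp - nowSec;
  if (remaining <= 0) return "expired";
  if (remaining <= refreshLeadSec) return "refresh-soon";
  return "valid";
}

// Idle timeout: the UI calls touch() on user activity; isIdle() is checked
// before every request. Seconds throughout, to match exp.
export class IdleTracker {
  private lastActivitySec: number;
  constructor(private readonly idleLimitSec: number, nowSec: number) { this.lastActivitySec = nowSec; }
  touch(nowSec: number): void { this.lastActivitySec = nowSec; }
  isIdle(nowSec: number): boolean { return nowSec - this.lastActivitySec >= this.idleLimitSec; }
}

export type AuthAction = "attach" | "refresh" | "logout";

// What the API client should do instead of blindly attaching the Bearer header.
export function decideBeforeRequest(token: string | null, nowSec: number, idle: IdleTracker): AuthAction {
  if (idle.isIdle(nowSec)) return "logout";
  switch (evaluateToken(token, nowSec)) {
    case "valid": return "attach";
    case "refresh-soon": return "refresh";
    default: return "logout";
  }
}

// Constructed fixture for local testing: an unsigned token with a placeholder
// signature segment. Real tokens come from the server and are never built here.
export function makeUnsignedToken(payload: JwtPayload): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.PLACEHOLDER-SIGNATURE`;
}
```

In the client, "refresh" means call the refresh endpoint (or re-login) and retry; "logout" means clear sessionStorage and redirect. The idle limit of 15 minutes (900 s) and the 60 s refresh lead are starting points, not values from the finding.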