
The documentation of octokit/core.js shows examples of using the module in the browser but doesn't show how the token was acquired or where it is stored. So, I assume the token is readily available in the browser.

If storing tokens in the browser is not secure then is there any use case where accessing GitHub API using a browser is valid?

drishit96

1 Answer


I couldn't find a way to get the token from octokit. I followed the GitHub web application flow - https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#web-application-flow

What I did was store the token in the browser as an httpOnly cookie, then pass it to my Node.js server to call GitHub APIs.

idiglove
  • The problem with storing the token in an httpOnly cookie is that it can be accessed by extensions installed in the browser. I don't know how to prevent that. If you do, please add that to the answer as well. – drishit96 Sep 22 '21 at 06:09
  • Oh I didn't know that, that's a very hacky way of getting a cookie though xD Maybe storing the cookie in a DB along with the start time of storing it would do? – idiglove Sep 23 '21 at 07:17
  • Are you talking about IndexedDB? If yes, then extensions can access that too. I see no way to securely store a secret in a browser. – drishit96 Sep 25 '21 at 08:44
  • This might help https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id – idiglove Sep 26 '21 at 23:30