Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
monkey patch Meteor.Accounts to store login token in sessionStoage instead of localStorage
// monkey patch Meteor.Accounts to store login token in sessionStoage instead of localStorage
// https://forums.meteor.com/t/security-dont-store-tokens-in-localstorage/50539/13
// original code: https://github.com/meteor/meteor/blob/af26e8b052a5135033e561cf4e4347eee585ab3b/packages/accounts-base/accounts_client.js#L477
Accounts._storeLoginToken = function(userId, token, tokenExpires) {
Meteor._localStorage.setItem(this.USER_ID_KEY, userId);
sessionStorage.setItem(this.LOGIN_TOKEN_KEY, token);
if (! tokenExpires)
tokenExpires = this._tokenExpiration(new Date());
Meteor._localStorage.setItem(this.LOGIN_TOKEN_EXPIRES_KEY, tokenExpires);
// to ensure that the localstorage poller doesn't end up trying to
// connect a second time
this._lastLoginTokenWhenPolled = token;
};
Accounts._unstoreLoginToken = function() {
Meteor._localStorage.removeItem(this.USER_ID_KEY);
sessionStorage.removeItem(this.LOGIN_TOKEN_KEY);
Meteor._localStorage.removeItem(this.LOGIN_TOKEN_EXPIRES_KEY);
// to ensure that the localstorage poller doesn't end up trying to
// connect a second time
this._lastLoginTokenWhenPolled = null;
};
// This is private, but it is exported for now because it is used by a
// test in accounts-password.
Accounts._storedLoginToken = function() {
return sessionStorage.getItem(this.LOGIN_TOKEN_KEY);
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment