
fix: use localStorage for auth tokens to enable cross-tab sessions#335

Merged
marccampbell merged 2 commits into
mainfrom
fix/cross-tab-auth
Jun 2, 2026

Conversation

@elasticclaw-factory

Contributor

Fixes #329

Previously auth tokens were stored in sessionStorage, which is scoped to a single browser tab. This meant users had to re-authenticate in every new tab.

Changes

  • Create web/lib/auth-storage.ts as a centralized auth storage helper
  • Switch token storage from sessionStorage to localStorage
  • Keep OAuth CSRF state in sessionStorage (it should be per-tab)
  • Update all direct sessionStorage reads/writes to use the helper across:
    • web/lib/api.ts (resolveToken, getTokenSync, clearConfig)
    • web/app/login/page.tsx (login + OAuth callback)
    • web/app/page.tsx (admin status check)
    • web/components/sidebar.tsx (logout)
    • web/hooks/use-branding.ts (branding fetch)
    • web/app/settings/[[...parts]]/settings-content.tsx (all settings API calls)

Verification

  • npx next build passes (TypeScript + static generation)
  • go build ./... passes

@greptile-apps

greptile-apps Bot commented Jun 2, 2026

Contributor

Security Review

  • Session persistence after browser close (web/lib/auth-storage.ts): Moving ec_github_token and ec_hub_token from sessionStorage to localStorage means auth tokens survive browser close. Users on shared machines who close the browser without signing out remain authenticated. GitHub OAuth tokens have long server-side lifetimes, so the exposure window can span weeks.

Reviews (1): Last reviewed commit: "fix: use localStorage for auth tokens to..."

Comment thread web/lib/auth-storage.ts Outdated
Comment thread web/lib/api.ts
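The helper described in the PR (tokens in a store shared across tabs, OAuth CSRF state in a per-tab store) and the review bot's point about tokens now surviving browser close are both illustrated below. This is an added example, not the project's web/lib/auth-storage.ts: it keeps the PR's split between persistent and per-tab storage, and adds an assumed stored-at timestamp plus a client-side max age so a stale token is discarded rather than honoured indefinitely. The StorageLike interface, MemoryStorage class, the ec_oauth_state key name and the maxAgeMs default are assumptions made so the code runs outside a browser; in the app they would be window.localStorage and window.sessionStorage.

```typescript
// Added example, not the project's own auth-storage.ts. Token key names come from the
// review comment; StorageLike, MemoryStorage, OAUTH_STATE_KEY and maxAgeMs are assumptions.

export interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for window.localStorage / window.sessionStorage so the helper
// can be exercised in Node. A browser would pass the real Storage objects instead.
export class MemoryStorage implements StorageLike {
  private items = new Map<string, string>();
  getItem(key: string): string | null {
    return this.items.has(key) ? this.items.get(key)! : null;
  }
  setItem(key: string, value: string): void {
    this.items.set(key, String(value));
  }
  removeItem(key: string): void {
    this.items.delete(key);
  }
}

export type TokenKind = "github" | "hub";
const TOKEN_KEYS: Record<TokenKind, string> = {
  github: "ec_github_token",
  hub: "ec_hub_token",
};
// Assumed key name: the PR only says the OAuth CSRF state stays per-tab.
const OAUTH_STATE_KEY = "ec_oauth_state";

export interface AuthStorage {
  setToken(kind: TokenKind, token: string): void;
  getToken(kind: TokenKind): string | null;
  clearAuth(): void;
  setOAuthState(state: string): void;
  takeOAuthState(): string | null;
}

export function createAuthStorage(
  persistent: StorageLike,                 // localStorage: shared by every tab, survives browser close
  perTab: StorageLike,                     // sessionStorage: one tab, one CSRF state
  maxAgeMs: number = 12 * 60 * 60 * 1000,  // assumed client-side cap on how long a stored token is honoured
  now: () => number = Date.now,
): AuthStorage {
  const storedAtKey = (kind: TokenKind) => `${TOKEN_KEYS[kind]}_stored_at`;

  const dropToken = (kind: TokenKind) => {
    persistent.removeItem(TOKEN_KEYS[kind]);
    persistent.removeItem(storedAtKey(kind));
  };

  return {
    setToken(kind, token) {
      persistent.setItem(TOKEN_KEYS[kind], token);
      persistent.setItem(storedAtKey(kind), String(now()));
    },
    getToken(kind) {
      const token = persistent.getItem(TOKEN_KEYS[kind]);
      if (token === null) return null;
      // Number(null) is 0, so a token written without a timestamp is treated as expired.
      const storedAt = Number(persistent.getItem(storedAtKey(kind)));
      // Past the cap the token is removed, not just hidden, so a browser reopened
      // later on a shared machine does not find a still-valid credential.
      if (!Number.isFinite(storedAt) || now() - storedAt > maxAgeMs) {
        dropToken(kind);
        return null;
      }
      return token;
    },
    clearAuth() {
      for (const kind of Object.keys(TOKEN_KEYS) as TokenKind[]) dropToken(kind);
      perTab.removeItem(OAUTH_STATE_KEY);
    },
    setOAuthState(state) {
      perTab.setItem(OAUTH_STATE_KEY, state);
    },
    // Read-and-delete: the state is single use, so a replayed callback fails the CSRF check.
    takeOAuthState() {
      const state = perTab.getItem(OAUTH_STATE_KEY);
      perTab.removeItem(OAUTH_STATE_KEY);
      return state;
    },
  };
}
```

Two tabs are modelled as two createAuthStorage instances sharing one persistent store but each owning its own per-tab store: a token set in one is visible in the other, an OAuth state is not, and logout from either tab clears the shared token. The max age only limits how long the browser keeps presenting a token; it does not revoke anything server-side, which is the part of the review bot's concern this helper cannot address on its own.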
@greptile-apps

greptile-apps Bot commented Jun 2, 2026

Contributor

Reviews (2): Last reviewed commit: "Address cross-tab auth review feedback"

@marccampbell marccampbell merged commit 5c2352e into main Jun 2, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

Auth session is scoped to a single browser tab