Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

💡 [REQUEST] - Investigate possibility to migrate to WebWorker #200

Open
soofstad opened this issue Oct 28, 2024 · 2 comments
Open

💡 [REQUEST] - Investigate possibility to migrate to WebWorker #200

soofstad opened this issue Oct 28, 2024 · 2 comments
Labels
question Further information is requested

Comments

@soofstad
Copy link
Owner

soofstad commented Oct 28, 2024
edited
Loading

Summary

WebWorker is the only technology that can offer XSS safe storage of secrets and offer some token data information to the client.
We should investigate/test if it's possible to migrate this library to use that.

Basic Example

const worker = new Worker("worker.js");
let userData;
let userId = '5f8d7bd2418fef006838d504'

// send data, e.g. userID to a worker
userData = worker.postMessage(userId)

-----------------------------------------
// object in which the secret will be stored
const secretCache = {}
const tokenUrl = 'https://backend.example.com/token/'

onmessage = async (userId) => {
  if (!secretCache.userId)
    // fetch a token for the user
    try {
      response = await fetch(tokenUrl + userId);
    } catch (error) {
      return;
    }   
    json = await response.json();

    // store the secret token in the secretCache with the userId as a key
    secretCache.userId = json.token

  // retrieve data based on token
  const userUrl = 'https://backend.example.com/user/'
  const data = { 
    userId: userId,
    token: secretCache.userId
  }
  try {
    let response = await fetch(userUrl, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },  
      body: JSON.stringify(data)
    }); 
  } catch (error) {
    return;
  }
  json = await response.json();

  // return the retrieved data to the main application
  postmessage(data)
}

Drawbacks

Possible that some current features will not be supported.

Unresolved questions

No response

Implementation PR

No response

Reference Issues

No response
@soofstad soofstad added the question Further information is requested label Oct 28, 2024
@sebastianvitterso
Copy link
Collaborator

You referred to this page as a source for the claim that "WebWorker is the only technology that can offer XSS safe storage of secrets". While that might be true, I don't think it can work for our use-case, since the secret is only safe as long as it never escapes the WebWorker. In the case of this library, we want/need to expose the secret in some way to the developer (in React), and as such it is actually no longer safe. If the developer can reach it (which they must to use it in their application), then an attacker may also reach it.

So I think the article describes a process of moving all API-interfacing logic into the WebWorker environment, which I'm sure is a very efficient and super-secure solution, but I don't think we can assume that all library users will be doing that.

And it would for sure be the most breaking'est change we'll ever have if we transition to this 😅 .

@soofstad
Copy link
Owner Author

soofstad commented Nov 5, 2024
edited by sebastianvitterso
Loading

Agree, think you're right. This is my feeling as well that WebWorker is not a good fit for what we are trying to do.
Still, would like to get more familiar with the technology, and figure out what it can, and cannot provide 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@soofstad @sebastianvitterso