Skip to content

Comments

feat: implement PKCE code_verifier storage in sessionStorage for brow…#509

Open
nadeem-cs wants to merge 1 commit intodevelopmentfrom
enhancement/DX-4341
Open

feat: implement PKCE code_verifier storage in sessionStorage for brow…#509
nadeem-cs wants to merge 1 commit intodevelopmentfrom
enhancement/DX-4341

Conversation

@nadeem-cs
Copy link
Contributor

@nadeem-cs nadeem-cs commented Feb 20, 2026

…ser SPAs

  • Added pkceStorage.js module to handle code_verifier persistence.
  • Updated OAuthHandler to utilize sessionStorage for storing and retrieving code_verifier.
  • Enhanced token exchange process to clear code_verifier on success or error to prevent replay attacks.
  • Added unit tests for PKCE storage functionality.

@nadeem-cs
feat: implement PKCE code_verifier storage in sessionStorage for brow…
36ce251 
…ser SPAs

- Added `pkceStorage.js` module to handle code_verifier persistence.
- Updated `OAuthHandler` to utilize sessionStorage for storing and retrieving code_verifier.
- Enhanced token exchange process to clear code_verifier on success or error to prevent replay attacks.
- Added unit tests for PKCE storage functionality.
@nadeem-cs nadeem-cs requested a review from a team as a code owner February 20, 2026 13:06
@github-actions
Copy link

github-actions bot commented Feb 20, 2026

Coverage report for commit: 36ce251
File: coverage/clover.xml

Cover ┌─────────────────────────┐ Freq.
   0% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  10% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  20% │ ██░░░░░░░░░░░░░░░░░░░░░ │  2.2%
  30% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  40% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  50% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  60% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  70% │ ██████░░░░░░░░░░░░░░░░░ │  8.7%
  80% │ ███████████████████████ │ 39.1%
  90% │ █████████████░░░░░░░░░░ │ 21.7%
 100% │ █████████████████░░░░░░ │ 28.3%
      └─────────────────────────┘
 *Legend:* █ = Current Distribution
Summary - Lines: 82.46% | Methods: 95.88% | Branches: 68.29%
FilesLinesMethodsBranches
lib
   contentstack.js100.00%100.00%100.00%
   contentstackClient.js83.02%92.86%69.35%
   contentstackCollection.js94.12%100.00%86.67%
   entity.js76.22%100.00%64.00%
lib/core
   Util.js77.68%94.44%62.82%
   concurrency-queue.js71.99%72.22%66.05%
   contentstackError.js100.00%100.00%100.00%
   contentstackHTTPClient.js85.71%92.31%74.76%
   errorMessages.js100.00%100.00%75.00%
   oauthHandler.js90.85%100.00%68.63%
   pkceStorage.js100.00%100.00%100.00%
lib/organization
   index.js72.73%100.00%53.09%
lib/organization/teams
   index.js89.47%100.00%65.79%
lib/organization/teams/stackRoleMappings
   index.js78.57%100.00%51.16%
lib/organization/teams/teamUsers
   index.js100.00%100.00%93.75%
lib/query
   index.js73.91%100.00%61.82%
lib/stack/asset/folders
   index.js100.00%100.00%100.00%
lib/stack/asset
   index.js86.42%100.00%74.26%
lib/stack/auditlog
   index.js91.67%100.00%71.88%
lib/stack/branch
   compare.js68.18%100.00%62.50%
   index.js94.87%100.00%77.78%
   mergeQueue.js83.33%100.00%63.16%
lib/stack/branchAlias
   index.js79.31%100.00%60.98%
lib/stack/contentType/entry
   index.js83.04%100.00%59.29%
lib/stack/contentType/entry/variants
   index.js79.31%100.00%61.54%
lib/stack/contentType
   index.js84.85%100.00%70.51%
lib/stack/deliveryToken
   index.js95.24%80.00%89.47%
lib/stack/deliveryToken/previewToken
   index.js21.43%25.00%14.29%
lib/stack/environment
   index.js100.00%100.00%100.00%
lib/stack/extension
   index.js93.88%100.00%85.71%
lib/stack/globalField
   index.js91.67%100.00%82.35%
lib/stack
   index.js80.66%92.86%70.61%
lib/stack/label
   index.js100.00%100.00%100.00%
lib/stack/locale
   index.js100.00%100.00%100.00%
lib/stack/managementToken
   index.js100.00%100.00%94.44%
lib/stack/release
   index.js80.00%100.00%60.32%
lib/stack/roles
   index.js100.00%100.00%100.00%
lib/stack/taxonomy
   index.js80.60%100.00%57.95%
lib/stack/taxonomy/terms
   index.js78.57%100.00%57.69%
lib/stack/variantGroup
   index.js81.58%100.00%60.47%
lib/stack/variantGroup/variants
   index.js77.50%100.00%54.90%
lib/stack/variants
   index.js76.32%100.00%53.19%
lib/stack/webhook
   index.js84.48%100.00%67.80%
lib/stack/workflow
   index.js83.64%100.00%67.69%
lib/stack/workflow/publishRules
   index.js100.00%100.00%100.00%
lib/user
   index.js91.43%100.00%78.57%

🤖 comment via lucassabreu/comment-coverage-clover

aman19K
aman19K reviewed Feb 20, 2026
View reviewed changes
lib/core/pkceStorage.js
codeVerifier,
expiresAt: Date.now() + PKCE_STORAGE_EXPIRY_MS
})
window.sessionStorage.setItem(key, value)
Copy link
Contributor

@aman19K aman19K Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nadeem-cs , can we use httpcookies instead of session storage? Session storage might create security issue.

Copy link
Contributor Author

@nadeem-cs nadeem-cs Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aman19K Actually using sessionStorage is more recommended approach for the issue we're trying to resolve here - browser compatibility. It does not give any security concern. It will be only risky if the app has XSS bug , only then it can read the session cookie. Otherwise this is more recommended approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aman19K aman19K aman19K left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nadeem-cs @aman19K