Add 12 ADRs documenting frontend architecture decisions
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
# ADR 0005: JWT Authentication Stored in localStorage
|
||||
|
||||
**Date:** 2026-04-26
|
||||
**Status:** Accepted
|
||||
|
||||
## Context
|
||||
|
||||
The application requires persistent authentication across browser sessions. The two main options for token storage are:
|
||||
|
||||
- **`localStorage`** — accessible via JavaScript; survives tab/window close; vulnerable to XSS.
|
||||
- **httpOnly cookies** — inaccessible to JavaScript; protected from XSS; requires CSRF protection.
|
||||
|
||||
The application is not publicly accessible — it is used internally by a known, controlled user base. The attack surface for XSS is limited.
|
||||
|
||||
## Decision
|
||||
|
||||
Store the JWT token in `localStorage` under the key `jwtToken`. `JwtService` handles read/write/delete operations. `UserService` exposes `currentUser` (BehaviorSubject) and `isAuthenticated` (ReplaySubject) observables consumed by guards and the layout.
|
||||
|
||||
An `APP_INITIALIZER` in `app.config.ts` calls `userService.getCurrentUser()` on startup if a token exists, ensuring guards can rely on `isAuthenticated` being populated before the first navigation.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** Simple implementation. No server-side session management. Works seamlessly with Angular's functional guards.
|
||||
- **Positive:** Token persists across browser restarts without requiring re-login.
|
||||
- **Risk:** XSS attacks could exfiltrate the token. Acceptable given the non-public nature of the application.
|
||||
- **Future consideration:** If the application becomes publicly accessible or handles sensitive data, migrate to httpOnly cookies with CSRF tokens.
|
||||
Reference in New Issue
Block a user