Files
adastra_app/docs/decisions/0005-jwt-authentication-localstorage.md
julien c8e2fba13e docs(adr): convert all ADRs to MADR 2.1.2 format
Rewrites all 12 frontend ADRs from a custom structure to the MADR 2.1.2
template required by the VS Code ADR Manager extension: bullet metadata
(Status/Date), standardised section headings, "Chosen option: X, because Y"
wording, and explicit Pros/Cons blocks per option.
2026-04-26 16:50:34 +02:00

1.6 KiB

Store JWT authentication token in localStorage

  • Status: accepted
  • Date: 2026-04-26

Context and Problem Statement

The application requires persistent authentication across browser sessions. Where should the JWT token be stored client-side?

Decision Drivers

  • Application is internal — used by a known, controlled user base; not publicly accessible.
  • Implementation simplicity.
  • Compatibility with Angular functional guards and the APP_INITIALIZER auth bootstrap.

Considered Options

  • Store JWT in localStorage
  • Store JWT in an httpOnly cookie

Decision Outcome

Chosen option: "Store JWT in localStorage", because the application is internal with a controlled user base, making the XSS risk acceptable, and localStorage avoids the additional CSRF complexity of cookie-based auth.

Positive Consequences

  • Simple implementation — no server-side session management.
  • Token persists across browser restarts without requiring re-login.
  • Works seamlessly with Angular functional guards and APP_INITIALIZER.

Negative Consequences

  • Accessible to JavaScript — an XSS attack could exfiltrate the token.
  • If the application ever becomes publicly accessible or handles sensitive data, this decision must be revisited.

Pros and Cons of the Options

Store JWT in localStorage

  • Good, because simple to implement and operate.
  • Good, because survives browser restarts.
  • Bad, because XSS-vulnerable.
  • Good, because inaccessible to JavaScript — XSS-safe.
  • Bad, because requires CSRF protection (SameSite cookie policy or CSRF tokens).
  • Bad, because more complex server-side coordination.