c8e2fba13e
Rewrites all 12 frontend ADRs from a custom structure to the MADR 2.1.2 template required by the VS Code ADR Manager extension: bullet metadata (Status/Date), standardised section headings, "Chosen option: X, because Y" wording, and explicit Pros/Cons blocks per option.
1.6 KiB
1.6 KiB
Store JWT authentication token in localStorage
- Status: accepted
- Date: 2026-04-26
Context and Problem Statement
The application requires persistent authentication across browser sessions. Where should the JWT token be stored client-side?
Decision Drivers
- Application is internal — used by a known, controlled user base; not publicly accessible.
- Implementation simplicity.
- Compatibility with Angular functional guards and the APP_INITIALIZER auth bootstrap.
Considered Options
- Store JWT in localStorage
- Store JWT in an httpOnly cookie
Decision Outcome
Chosen option: "Store JWT in localStorage", because the application is internal with a controlled user base, making the XSS risk acceptable, and localStorage avoids the additional CSRF complexity of cookie-based auth.
Positive Consequences
- Simple implementation — no server-side session management.
- Token persists across browser restarts without requiring re-login.
- Works seamlessly with Angular functional guards and
APP_INITIALIZER.
Negative Consequences
- Accessible to JavaScript — an XSS attack could exfiltrate the token.
- If the application ever becomes publicly accessible or handles sensitive data, this decision must be revisited.
Pros and Cons of the Options
Store JWT in localStorage
- Good, because simple to implement and operate.
- Good, because survives browser restarts.
- Bad, because XSS-vulnerable.
Store JWT in an httpOnly cookie
- Good, because inaccessible to JavaScript — XSS-safe.
- Bad, because requires CSRF protection (SameSite cookie policy or CSRF tokens).
- Bad, because more complex server-side coordination.