I think that the PEPhub authentication flow could be improved for slightly better security and ergonomics. Right now we mint a single JWT and then store it in localStorage. The JWT is valid for ~3 days. It's actually quite insecure to store JWTs in localStorage, and it's even more insecure to have a JWT last that long, as it enables you to impersonate that individual for as long as it's valid.
PEPhub isn't storing any crazy sensitive information, so it's probably fine as a first pass, but with a bit more work we can probably make it a lot more secure using a JWT + refresh token flow that stores them in httpOnly cookies instead of localStorage.
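To make the proposed flow concrete, here is an added example (my own sketch, not PEPhub's code) of a short-lived access JWT plus a rotating, server-side-revocable refresh token, with both delivered as HttpOnly cookies. It uses only the standard library; the HS256 signing, the in-memory refresh store, the secret, the TTLs and the cookie names/paths (`/auth/refresh`) are all assumptions for illustration. One caveat the switch brings: cookies are sent automatically by the browser, so unlike a localStorage token they need CSRF protection, which is why the cookies below carry `SameSite=Strict` and the refresh cookie is scoped to its endpoint path.

```python
# Added example, not PEPhub's implementation: access JWT + rotating refresh token
# delivered in HttpOnly cookies. All names, paths and the secret are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the demo
ACCESS_TTL = 15 * 60          # access JWT lives 15 minutes instead of ~3 days
REFRESH_TTL = 3 * 24 * 3600   # refresh token lives ~3 days but is revocable and single-use


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, now: int) -> str:
    """HS256 JWT with a short exp; the only long-lived credential is the refresh token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(dict(claims, iat=now, exp=now + ACCESS_TTL), separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Returns the claims if the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # reject alg=none / confusion
            return None
        expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:   # covers bad base64, bad JSON, wrong number of segments
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


# Hypothetical in-memory refresh store, keyed by SHA-256 of the token so a leaked
# store does not yield usable tokens. A real deployment would use a database.
REFRESH_STORE: dict = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username: str, now: int) -> dict:
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[_hash(refresh)] = {"sub": username, "exp": now + REFRESH_TTL}
    return {"access": mint_jwt({"sub": username}, now), "refresh": refresh}


def rotate_refresh(refresh: str, now: int) -> Optional[dict]:
    """Exchange a refresh token for a fresh access JWT and a new refresh token.
    The presented token is consumed, so a stolen copy works at most once."""
    rec = REFRESH_STORE.pop(_hash(refresh), None)
    if rec is None or rec["exp"] <= now:
        return None
    return issue_session(rec["sub"], now)


def revoke(refresh: str) -> bool:
    """Logout: drop the refresh token; the access JWT then dies within ACCESS_TTL."""
    return REFRESH_STORE.pop(_hash(refresh), None) is not None


def cookie_headers(session: dict) -> list:
    """Set-Cookie values. HttpOnly hides the tokens from page JavaScript (and XSS),
    Secure limits them to HTTPS, SameSite=Strict stops cross-site sends, and the
    refresh cookie's Path means it only travels to the refresh endpoint."""
    return [
        f"access_token={session['access']}; Path=/; Max-Age={ACCESS_TTL}; HttpOnly; Secure; SameSite=Strict",
        f"refresh_token={session['refresh']}; Path=/auth/refresh; Max-Age={REFRESH_TTL}; HttpOnly; Secure; SameSite=Strict",
    ]


if __name__ == "__main__":
    now = int(time.time())
    session = issue_session("alice", now)
    for header in cookie_headers(session):
        print("Set-Cookie:", header)
    print("claims:", verify_jwt(session["access"], now))
    rotated = rotate_refresh(session["refresh"], now + 600)
    print("old refresh reusable:", rotate_refresh(session["refresh"], now + 600) is not None)
    print("new access valid:", verify_jwt(rotated["access"], now + 600) is not None)
```

The browser never touches the tokens: a request to a protected route carries the access cookie automatically, and when it expires the client calls the refresh endpoint, gets a new pair of cookies, and retries. Revocation is immediate for the refresh token and bounded by `ACCESS_TTL` for the JWT, which is the property the 3-day localStorage token lacks.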