[Security] Sensitive Credential Exposure via URL and localStorage
Description:
Sensitive credentials are being handled insecurely:
- getTokenFromUrl() reads the Home Assistant token from the ?auth_token= or ?token= query parameter.
- geminiService.ts stores the Gemini API key in plaintext in localStorage.
Impact:
- Tokens in URLs leak through browser history, server and proxy access logs, and Referer headers sent to other origins when the user follows a link.
- API keys in localStorage persist across browser sessions and are readable by any script running on the origin, so a single XSS bug is enough to exfiltrate them.
Proposed Solution:
- HA Token: Transition to Home Assistant's native hass object/Auth provider. Remove the URL parsing logic so a token in the query string is never accepted.
- Gemini Key: (Short-term) Move to sessionStorage with a UI warning; this limits the key's lifetime to the tab, but it is still readable by XSS. (Long-term) Implement a serverless proxy that holds the key server-side so the browser never handles it.
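Added example (not the project's code): a reconstruction of the token-from-URL pattern described above next to a hardened bootstrap that refuses URL-borne tokens, scrubs them from the address (so the value is gone before history, logs or a Referer can pick it up), and a key holder that only accepts an injected session-scoped store instead of localStorage. The function and class names, the storage key name and the sample URLs are assumptions made for this example.

```typescript
// Added example, not code from the project. Names and sample URLs are assumptions.
const CREDENTIAL_PARAMS: string[] = ["auth_token", "token"];

// Vulnerable pattern as described in the ticket (reconstruction, not the project's function):
// any token in the query string is accepted and returned.
export function getTokenFromUrlVulnerable(rawUrl: string): string | null {
  const params = new URL(rawUrl).searchParams;
  for (const name of CREDENTIAL_PARAMS) {
    const value = params.get(name);
    if (value) return value;
  }
  return null;
}

export interface ScrubResult {
  cleanUrl: string;   // URL with credential parameters removed; pass to history.replaceState
  leaked: string[];   // names (never values) of credential parameters that were present
}

// Hardened bootstrap: do not read the token; strip it and report that it was present.
export function scrubCredentialParams(rawUrl: string): ScrubResult {
  const url = new URL(rawUrl);
  const leaked: string[] = [];
  for (const name of CREDENTIAL_PARAMS) {
    if (url.searchParams.has(name)) {
      leaked.push(name);
      url.searchParams.delete(name);
    }
  }
  // Rebuild the query explicitly so an emptied query string drops the trailing "?".
  const remaining = url.searchParams.toString();
  url.search = remaining ? "?" + remaining : "";
  return { cleanUrl: url.toString(), leaked };
}

// Minimal Storage-like interface so the caller injects window.sessionStorage
// (short-term mitigation) and localStorage is never used.
export interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

export class SessionScopedKeyStore {
  private readonly store: KeyValueStore;
  private readonly key: string;
  private cached: string | null = null;

  constructor(store: KeyValueStore, key: string = "gemini_api_key") {
    this.store = store;
    this.key = key;
  }

  set(apiKey: string): void {
    this.cached = apiKey;
    this.store.setItem(this.key, apiKey);
  }

  get(): string | null {
    if (this.cached === null) this.cached = this.store.getItem(this.key);
    return this.cached;
  }

  clear(): void {
    this.cached = null;
    this.store.removeItem(this.key);
  }
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
export function createMemoryStore(): KeyValueStore {
  const backing = new Map<string, string>();
  return {
    getItem: (k) => backing.get(k) ?? null,
    setItem: (k, v) => { backing.set(k, v); },
    removeItem: (k) => { backing.delete(k); },
  };
}
```

In the browser the hardened path is `const { cleanUrl, leaked } = scrubCredentialParams(location.href); if (leaked.length) history.replaceState(null, "", cleanUrl);` followed by obtaining the token from the hass object rather than from `leaked`; the key holder is constructed with `window.sessionStorage`, which still leaves the key readable by XSS, which is why the proxy remains the long-term fix.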