Security Audit: Auth Tokens Stored in localStorage Expose Platform to XSS Token Theft
A security audit has identified a critical architectural vulnerability in the platform's authentication system: both the access token and the refresh token are stored in the browser's `localStorage`, which makes them readable by any JavaScript executing on the page.

The primary risk is that an attacker who exploits a Cross-Site Scripting (XSS) vulnerability anywhere in the application can run JavaScript that reads both tokens out of `localStorage` and exfiltrates them. The impact is severe: holding the refresh token lets the attacker keep obtaining new access tokens, so the result is a persistent session hijack in which they maintain unauthorized access to the user's account.

The affected code is in `AuthContext.tsx` at lines 137-138 and in `apiClient.ts` at lines 146-147.

The recommended fix is an architectural change to the authentication flow: move the refresh token into an `httpOnly` cookie, which JavaScript cannot read, closing the theft vector; keep the access token only in application memory (never in `localStorage`), the usual approach for a Single Page Application (SPA); and add a silent-refresh mechanism that obtains a new access token from the refresh endpoint, to which the browser attaches the `httpOnly` cookie automatically. Because this touches the core auth flow, the remediation requires careful planning.
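The following TypeScript is an added illustration of the recommended flow, not the platform's own `AuthContext.tsx` or `apiClient.ts` code: a server-side helper that sets the refresh token as an `httpOnly` cookie, and a client-side store that keeps the access token in memory and performs a silent refresh. The backend contract (`POST /auth/refresh` returning `{ accessToken }`) and every name below are assumptions.

```typescript
// Added example, not the platform's own AuthContext.tsx / apiClient.ts code.
// Assumed backend contract (hypothetical): POST /auth/refresh reads the refresh
// token from an httpOnly cookie and answers with JSON { accessToken }.
export interface MinimalResponse { ok: boolean; status: number; json(): Promise<unknown>; }
export interface RequestOptions {
  method?: string;
  credentials?: "include" | "same-origin" | "omit";
  headers?: Record<string, string>;
}
export type FetchLike = (url: string, init: RequestOptions) => Promise<MinimalResponse>;

// Server side: the only place the refresh token is handed to the browser.
// HttpOnly keeps it out of script reach, Secure/SameSite limit where it travels,
// and the Path scope keeps it off ordinary API requests.
export function refreshCookieHeader(token: string, maxAgeSeconds: number): string {
  return [`refresh_token=${encodeURIComponent(token)}`, `Max-Age=${maxAgeSeconds}`,
    "Path=/auth/refresh", "HttpOnly", "Secure", "SameSite=Strict"].join("; ");
}

// Client side: the access token lives only in this object, never in localStorage.
export class InMemoryTokenStore {
  private accessToken: string | null = null;
  private readonly fetchImpl: FetchLike;
  private readonly refreshUrl: string;
  constructor(fetchImpl: FetchLike, refreshUrl = "/auth/refresh") {
    this.fetchImpl = fetchImpl;
    this.refreshUrl = refreshUrl;
  }
  current(): string | null { return this.accessToken; }
  clear(): void { this.accessToken = null; }

  // Silent refresh: the browser attaches the httpOnly cookie; script never sees it.
  async refresh(): Promise<string> {
    const res = await this.fetchImpl(this.refreshUrl, { method: "POST", credentials: "include" });
    if (!res.ok) { this.accessToken = null; throw new Error(`refresh failed with HTTP ${res.status}`); }
    const body = (await res.json()) as { accessToken: string };
    this.accessToken = body.accessToken;
    return body.accessToken;
  }

  // Bearer-authenticated request; on 401 (expired access token) refresh once and retry.
  async authorizedFetch(url: string, init: RequestOptions = {}): Promise<MinimalResponse> {
    const send = (token: string) => this.fetchImpl(url,
      { ...init, headers: { ...(init.headers ?? {}), Authorization: `Bearer ${token}` } });
    const res = await send(this.accessToken ?? (await this.refresh()));
    if (res.status !== 401) return res;
    return send(await this.refresh());
  }
}
```

Note that the cookie stops script from reading or exfiltrating the refresh token, but script already running on the page can still call `authorizedFetch` for as long as that page stays open, so the underlying XSS issues still need fixing; `SameSite=Strict` keeps other origins from triggering the refresh endpoint with the cookie.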