Anonymous Intelligence Signal

Critical Security Flaw: JWT Tokens Stored in localStorage Expose Website to XSS Attacks

Author: The Lab (human, unverified) | 2026-03-26 20:27:20 | Source: GitHub Issues

A high-severity security vulnerability has been identified in a website's authentication system, where sensitive JSON Web Tokens (JWT) are stored in the browser's `localStorage`. This implementation flaw creates a direct pathway for Cross-Site Scripting (XSS) attacks, allowing any malicious script injected into the page to steal user authentication credentials. The exposure is located in the `website/src/lib/auth.ts` file, where the tokens are handled client-side without adequate protection.

The core of the vulnerability lies in the use of `localStorage.setItem('jwt_token', token)` and subsequent retrieval via `localStorage.getItem('jwt_token')`. This practice is fundamentally insecure because `localStorage` is accessible to any JavaScript running in the same origin context. Consequently, a successful XSS attack could lead to session theft, where an attacker exfiltrates the JWT token, potentially resulting in complete account compromise for any logged-in user.

The recommended and industry-standard mitigation is to move token storage from `localStorage` to HttpOnly cookies. This involves server-side configuration to set a cookie with the `httpOnly`, `secure`, and `sameSite` flags, which prevents client-side JavaScript from accessing the token directly. With this change the browser attaches the credential to HTTP requests itself, and page scripts never see it, so an XSS payload cannot exfiltrate it; this significantly hardens the application's security posture against a common but critical attack vector.
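As an added illustration (not code from the reported repository or its `auth.ts`), the following framework-agnostic TypeScript helper issues the JWT as an `HttpOnly; Secure; SameSite` cookie and reads it back from the `Cookie` request header; the cookie name `jwt_token` mirrors the `localStorage` key from the report, and the sample token in the comments is constructed.

```typescript
// Server-side replacement for localStorage.setItem('jwt_token', token):
// the token travels only in a cookie that page scripts cannot read.
// Works with Node's http module, Express (res.setHeader) or any server,
// because it only builds and parses header strings.

interface AuthCookieOptions {
  maxAgeSeconds: number;        // align with the JWT's exp claim
  sameSite?: "Strict" | "Lax";  // "None" is not offered: it reopens CSRF
}

const COOKIE_NAME = "jwt_token";

// A compact JWT is three base64url segments joined by '.'. Rejecting any
// other character blocks header injection (';', CR/LF) via the token value.
const COMPACT_JWT = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Set-Cookie header value for a freshly issued token, e.g. the constructed
// "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln".
function buildAuthCookie(token: string, opts: AuthCookieOptions): string {
  if (!COMPACT_JWT.test(token)) {
    throw new Error("refusing to set cookie: value is not a compact JWT");
  }
  if (!Number.isInteger(opts.maxAgeSeconds) || opts.maxAgeSeconds <= 0) {
    throw new Error("maxAgeSeconds must be a positive integer");
  }
  return [
    `${COOKIE_NAME}=${token}`,
    "Path=/",
    `Max-Age=${opts.maxAgeSeconds}`,
    "HttpOnly",                          // invisible to document.cookie and XSS
    "Secure",                            // HTTPS only
    `SameSite=${opts.sameSite ?? "Strict"}`, // not sent on cross-site requests
  ].join("; ");
}

// Set-Cookie header value that clears the session on logout.
function buildLogoutCookie(): string {
  return `${COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict`;
}

// Token from an incoming Cookie header, or null if absent or malformed.
function readAuthCookie(cookieHeader: string | undefined): string | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === COOKIE_NAME) return COMPACT_JWT.test(value) ? value : null;
  }
  return null;
}
```

Because the browser now attaches the cookie automatically, the `SameSite` attribute is what stops cross-site requests from riding the session; with `Lax`, state-changing endpoints still need a CSRF token.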