Security Flaw: Angular App Exposes User Session Data via localStorage, High XSS Risk
A critical security vulnerability has been identified in an Angular-based web application, where sensitive user session data is being stored in the browser's localStorage. This implementation flaw, located in the `error.interceptor.ts` file, directly exposes authentication tokens or user identities to any JavaScript code executing on the page. Unlike an `HttpOnly` cookie, which script cannot read, localStorage is readable by every script running on the origin, so storing session data there bypasses that browser protection and creates a prime target for Cross-Site Scripting (XSS) attacks.
The core of the issue is in the client-side code at `web/client/.../error.interceptor.ts:18`, which reads user data directly from localStorage. This practice is a well-known anti-pattern in web security. If an attacker can exploit any XSS vector within the application (a vulnerable third-party library, an Angular template injection flaw, or any other means), they can trivially exfiltrate the session data stored locally. This would allow them to impersonate the user and hijack their active session.
The recommended fix involves a fundamental architectural shift. Developers are urged to remove all sensitive user data from localStorage immediately. The proper solution is to store only a non-sensitive session identifier within a `Secure`, `HttpOnly`, and `SameSite=Strict` cookie—a pattern already supported by the application's backend. User state should then be managed in memory via Angular services like `AuthService` or `UserService`, which rehydrate data securely from a protected `/auth/session` API endpoint after each page load. Given the direct path to full account compromise, this issue has been flagged with **High** priority, demanding urgent remediation to prevent potential credential theft and unauthorized access.
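The pattern recommended above, written as an added example rather than the application's own code: the localStorage anti-pattern beside a framework-free `AuthService` that keeps the user in memory and rehydrates from `/auth/session`, plus the `Set-Cookie` header the backend would emit. Field shapes (`id`, `roles`), the cookie name `sid`, and the response-handling helpers are assumptions for illustration.

```typescript
// Added example, not the advisory's code. Plain TypeScript (no Angular imports) so it runs
// stand-alone; the names AuthService and /auth/session come from the text, the rest is assumed.

type SessionUser = { id: string; roles: string[] };

// ANTI-PATTERN from the advisory: any script on the origin can call getItem('user') too.
function currentUserFromLocalStorage(storage: { getItem(k: string): string | null }): SessionUser | null {
  const raw = storage.getItem('user');
  return raw ? (JSON.parse(raw) as SessionUser) : null;
}

// HARDENED: user state lives only in memory. The browser attaches the HttpOnly session
// cookie itself (credentials: 'include'), so no application script ever handles the identifier.
class AuthService {
  private user: SessionUser | null = null;

  // Core logic, kept synchronous so it is easy to test: validate the /auth/session response
  // shape instead of trusting it blindly, and hold nothing on any status other than 200.
  applySessionResponse(status: number, body: unknown): SessionUser | null {
    this.user = null;
    if (status !== 200 || typeof body !== 'object' || body === null) return null;
    const b = body as Partial<SessionUser>;
    if (typeof b.id !== 'string' || !Array.isArray(b.roles)) return null;
    this.user = { id: b.id, roles: b.roles.filter((r): r is string => typeof r === 'string') };
    return this.user;
  }

  // Called once after each page load; fetchFn is injected so the example needs no network.
  async hydrate(fetchFn: typeof fetch): Promise<SessionUser | null> {
    const res = await fetchFn('/auth/session', { credentials: 'include' });
    const body: unknown = res.status === 200 ? await res.json() : null;
    return this.applySessionResponse(res.status, body);
  }

  currentUser(): SessionUser | null { return this.user; }

  // What the error interceptor should do on 401: drop in-memory state, never touch storage.
  handleHttpError(status: number): boolean {
    if (status !== 401) return false;
    this.user = null;
    return true;
  }
}

// Backend half of the fix (assumed header format): an opaque identifier only, with the three
// attributes the advisory requires. Rejects anything that is not plain token characters.
function sessionSetCookie(sessionId: string, maxAgeSeconds: number): string {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('session id must be an opaque token');
  return `sid=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}
```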