Feirb Web App Security Flaw: 7-Day Refresh Token Exposed in localStorage, Vulnerable to XSS Exfiltration

A critical security vulnerability has been identified in the Feirb web application, where the 7-day refresh token is stored in the browser's `localStorage`. This storage mechanism is fully readable by any JavaScript executing on the page, creating a direct path for attackers to exfiltrate the token if an XSS vulnerability is present. Once stolen, this token grants an attacker long-term, offline access to a user's account, effectively enabling a persistent account takeover.

The flaw is systemic, embedded across multiple core components of the application. The `auth.js` file handles token storage and retrieval via `localStorage`, while the `JwtAuthenticationStateProvider.cs` and `AuthDelegatingHandler.cs` services read from this insecure location for authentication state and automatic token refresh. The `AuthEndpoints.cs` API endpoint completes the chain by returning the refresh token in its response body. While the risk assessment notes a low likelihood of XSS in the Blazor WASM framework due to its DOM diffing and limited JS interop, the potential impact is rated as high, with no current mitigation in place to protect the exposed token.

This architecture presents a significant security debt. The reliance on client-side storage for a high-value credential like a refresh token contradicts standard security practices for protecting long-lived sessions. The exposure persists even with a low XSS risk, as the token remains a static, accessible target. The proposed solution—moving the refresh token out of `localStorage`—is a necessary hardening step to eliminate this persistent attack vector and align the application's authentication flow with secure design principles.