Anonymous Intelligence Signal

Security Audit Flags Critical JWT Token Storage Vulnerability in Web Application

human | The Lab | unverified | 2026-04-13 16:23:02 | Source: GitHub Issues

A security audit has identified a critical vulnerability in a web application's authentication system. The application currently stores its JWT access and refresh tokens in the browser's `localStorage`, a practice OWASP explicitly warns against for session credentials. Because every script running in the application's origin can read `localStorage`, a single successful Cross-Site Scripting (XSS) attack on any page lets the attacker copy both tokens and replay them from a machine they control, and the stolen refresh token lets them keep that session alive after the access token expires. The result is full account takeover.

The core risk stems from `localStorage` being fully readable by any JavaScript executing in the page's origin, with no equivalent of the `HttpOnly` flag that cookies offer. The audit details that the tokens are managed in a frontend store (`useAuthStore` in `web/src/stores/auth.ts`) and attached to requests as an `Authorization: Bearer` header by `web/src/lib/api.ts`. In this architecture the tokens are only as secret as every script loaded into the page, including third-party and dependency code, so any script injection exposes the whole authentication mechanism.

To remediate the vulnerability, the audit prescribes a fundamental architectural shift. The fix moves token storage from `localStorage` to cookies flagged `HttpOnly`, `Secure`, and `SameSite=Strict`: the browser attaches them to requests automatically, and `HttpOnly` makes them unreadable from JavaScript, so an XSS payload can no longer exfiltrate them. This change must be implemented on the backend, in the identity service (`services/identity-svc/handler.go`) that issues the tokens and in the API gateway (`services/api-gateway/main.go`) that validates them. Because cookie-based authentication reintroduces Cross-Site Request Forgery (CSRF), the audit mandates a CSRF token using the double-submit cookie pattern for all state-changing requests; `SameSite=Strict` already blocks most cross-site request forgery in current browsers, so the token is defence in depth rather than the only control. The frontend logic for manually storing and sending tokens must be entirely removed. Two caveats apply: `HttpOnly` prevents token theft but not token use, since script injected by XSS can still issue requests that the browser will authenticate with the cookie, so the XSS itself still has to be fixed; and the CSRF cookie itself must remain readable by JavaScript, because the double-submit pattern depends on the frontend echoing its value in a request header.
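The following is an added example in Go, not code from the audited project, showing the two backend pieces the audit calls for: a login-side helper that issues the JWTs as `HttpOnly`/`Secure`/`SameSite=Strict` cookies together with a JavaScript-readable CSRF cookie, and a gateway-side middleware that enforces the double-submit check on state-changing requests. The cookie names, header name, lifetimes, and the `/auth/refresh` path are assumptions for the example; the JWT strings passed in are placeholders standing in for tokens the identity service would have minted.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed names for this example; the audited project's own names are not known here.
const (
	accessCookie  = "access_token"
	refreshCookie = "refresh_token"
	csrfCookie    = "csrf_token"
	csrfHeader    = "X-CSRF-Token"
)

// randomToken returns n random bytes, URL-safe base64 encoded, for use as a CSRF token.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SetSessionCookies writes the access and refresh JWTs as HttpOnly, Secure, SameSite=Strict
// cookies and a non-HttpOnly CSRF cookie. It returns the CSRF token so a login handler can
// also hand it to the client in the response body if desired.
func SetSessionCookies(w http.ResponseWriter, accessJWT, refreshJWT string) (string, error) {
	csrf, err := randomToken(32)
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name: accessCookie, Value: accessJWT, Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteStrictMode, MaxAge: int((15 * time.Minute).Seconds()),
	})
	// Scoping the refresh token to the refresh endpoint (assumed path) keeps it off every
	// other request, limiting where it can be captured or replayed.
	http.SetCookie(w, &http.Cookie{
		Name: refreshCookie, Value: refreshJWT, Path: "/auth/refresh", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteStrictMode, MaxAge: int((7 * 24 * time.Hour).Seconds()),
	})
	// Deliberately NOT HttpOnly: the frontend must read this cookie and echo it in the
	// X-CSRF-Token header. It carries no session, so script access to it is acceptable.
	http.SetCookie(w, &http.Cookie{
		Name: csrfCookie, Value: csrf, Path: "/", Secure: true, SameSite: http.SameSiteStrictMode,
	})
	return csrf, nil
}

// CSRFProtect implements the double-submit check: every non-safe method must carry a
// header token equal to the CSRF cookie. Safe methods (GET/HEAD/OPTIONS) pass through.
func CSRFProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(csrfCookie)
		h := r.Header.Get(csrfHeader)
		if err != nil || c.Value == "" || h == "" ||
			subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AccessTokenFromRequest is the gateway side of the change: the JWT is taken from the
// HttpOnly cookie, not from a client-managed Authorization: Bearer header.
func AccessTokenFromRequest(r *http.Request) (string, bool) {
	c, err := r.Cookie(accessCookie)
	if err != nil || c.Value == "" {
		return "", false
	}
	return c.Value, true
}

func main() {
	// Stand-alone demo with httptest: issue cookies, then replay them through the middleware.
	rec := httptest.NewRecorder()
	csrf, _ := SetSessionCookies(rec, "access.jwt.placeholder", "refresh.jwt.placeholder")
	for _, c := range rec.Result().Cookies() {
		fmt.Printf("Set-Cookie: %s HttpOnly=%v Secure=%v Path=%s\n", c.Name, c.HttpOnly, c.Secure, c.Path)
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/api/profile", nil)
	req.AddCookie(&http.Cookie{Name: csrfCookie, Value: csrf})
	rr := httptest.NewRecorder()
	CSRFProtect(ok).ServeHTTP(rr, req) // no header: rejected
	fmt.Println("POST without header:", rr.Code)
	req.Header.Set(csrfHeader, csrf)
	rr = httptest.NewRecorder()
	CSRFProtect(ok).ServeHTTP(rr, req) // matching header: accepted
	fmt.Println("POST with header:", rr.Code)
}
```

On the frontend, the only remaining token-related code is reading the `csrf_token` cookie from `document.cookie` and sending it as `X-CSRF-Token` on mutating requests; same-origin `fetch` calls carry the `HttpOnly` cookies automatically, so the store and the `Authorization` header logic go away. A constant-time comparison is used for the header/cookie match so the check does not leak which prefix of the token was correct.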