storing token in localstorage with safari iOS ("The operation is insecure")

[acomito]

Not really a bug but thought it could be good to have this conversation here for posterity.

I never noticed this before, but if you try to use localStorage with safari, you get an error "The operation is insecure" and you can't store anything in localStorage.

I think this used to only be in private mode, but I'm seeing it in normal browsing too.

Anybody else running into this as of late? Are you storing your JWT in localstorage or elsewhere (I know this is frowned upon by a lot of people)?

Does accountsjs have other options (sessions/cookies)?

There are some other packages like store.js and localForage that may be a work around

https://github.com/localForage/localForage

I'm using local-storage-fallback right now, which let's people log in, but it won't persist if you refresh the page.

[pradel]

Okay this is really bad, I wasn't aware of this, is there some other recommended storage?
As a workaround you can store in js-cookies to get persistent sessions on safari

[acomito]

Were you able to reproduce it?

[pradel]

I didn't try but didn't get any complaints from our users so far

[acomito]

I can't seem to get js-cookie to work on iOS... right now I'm using local-storage-fallback like this

  getLocalStorage: (valueName) => {
    try {
      if (!iOS()) {
        return window.localStorage.getItem(valueName);
      } else {
        return storage.getItem(valueName);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },
  setLocalStorage: (valueName, valueToSet) => {
    try {
      if (!iOS()) {
        return window.localStorage.setItem(valueName, valueToSet);
      } else {
        return storage.setItem(valueName, valueToSet);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },
  removeLocalStorage: (valueName) => {
    try {
      if (!iOS()) {
        return window.localStorage.removeItem(valueName);
      } else {
        return storage.removeItem(valueName);
      }
    } catch (err) {
      throw new Error(err.message);
    }
  },

The only issue is if we do a page refresh, it looses the token.