Task Description
Conduct a comprehensive security review of the @cloudoperators/greenhouse-auth-provider package that
enables authentication state sharing between the Greenhouse shell application and embedded
micro-frontend plugins (e.g., Heureka). This review should assess the security posture of JWT token
handling, trust boundaries, and cross-plugin authentication in our micro-frontend architecture.
Implementation PR: #1471
Package Location: /packages/greenhouse-auth-provider
Example Integration: /apps/heureka
Sub-tasks
Security-Critical Aspects
1. Token Handling & Storage
- JWT tokens passed in-memory via snapshot pattern
- No localStorage/sessionStorage persistence
- Tokens included in
AuthState objects: { status: "authenticated", token: string, userId: string, userName: string }
Questions:
- Is in-memory token storage sufficient?
- Should tokens be stored separately from user metadata?
2. Trust Boundary Model
- Shell (Trusted): Owns
AuthStore with setAuthState() method
- Plugins (Untrusted): Receive read-only
EmbeddedAuth interface with only getSnapshot() method
- Plugins explicitly stripped of
setAuthState before receiving auth object
Questions:
- Is the trust boundary adequately enforced at TypeScript type level?
- Could malicious plugins bypass the read-only interface?
- Should we add runtime validation to prevent privilege escalation?
3. State Synchronization Pattern
- Shell remounts plugins when auth state changes
getSnapshot() returns shallow copy ({ ...state }) on each call
Questions:
- Is shallow copying sufficient for preventing state mutation attacks?
4. Cross-Plugin Token Access
- All embedded plugins receive the same authentication state
- No plugin-specific scoping
Questions:
- What happens if one plugin is compromised?
5. XSS & Injection Attack Surface
- Tokens accessible via
useAuth() hook in plugin components
- Plugins run arbitrary JavaScript in same origin as shell
Questions:
- What protections exist against XSS stealing tokens from compromised plugins?
- Should we implement Content Security Policy (CSP) headers?
- How do we mitigate supply chain attack risks in plugin dependencies?
Architecture Summary
┌─────────────────────────────────────┐
│ Greenhouse Shell (Trusted) │
│ - createAuthStore() │
│ - setAuthState({ token, user }) │
│ - Manages login/logout │
└────────────┬────────────────────────┘
│ passes { getSnapshot }
↓
┌─────────────────────────────────────┐
│ Plugin (Heureka, etc.) - Untrusted │
│ │
│ useAuth() → { token, userId } │
│ │
└─────────────────────────────────────┘
Key Security Questions for Review
- Is the snapshot-based pattern secure for handling JWTs in micro-frontends?
- Should we add token encryption at rest (even in memory)?
- Do we need audit logging for authentication state changes?
- What security headers/policies should we enforce?
- Is the shallow copy in
getSnapshot() sufficient, or should we deep-freeze objects?
- What threat model should we use for evaluating plugin compromise scenarios?
Related Issues
Additional Context
Testing Gaps:
- No penetration testing for token theft scenarios
- No validation of plugin isolation guarantees
- No fuzzing of state synchronization edge cases
Documentation:
- Package README:
/packages/greenhouse-auth-provider/README.md
- Shell implementation:
createAuthStore.ts - stores auth state and provides snapshot access
- Plugin implementation:
AuthProvider.tsx - wraps plugins with read-only auth context
- Auth contract:
auth-contract.ts - defines AuthState and EmbeddedAuth interfaces
Labels: security, authentication, architecture-review, greenhouse, micro-frontend
Priority: High (authentication is foundational security control)
Task Description
Conduct a comprehensive security review of the
@cloudoperators/greenhouse-auth-providerpackage thatenables authentication state sharing between the Greenhouse shell application and embedded
micro-frontend plugins (e.g., Heureka). This review should assess the security posture of JWT token
handling, trust boundaries, and cross-plugin authentication in our micro-frontend architecture.
Implementation PR: #1471
Package Location:
/packages/greenhouse-auth-providerExample Integration:
/apps/heurekaSub-tasks
etc.)
Security-Critical Aspects
1. Token Handling & Storage
AuthStateobjects:{ status: "authenticated", token: string, userId: string, userName: string }Questions:
2. Trust Boundary Model
AuthStorewithsetAuthState()methodEmbeddedAuthinterface with onlygetSnapshot()methodsetAuthStatebefore receiving auth objectQuestions:
3. State Synchronization Pattern
getSnapshot()returns shallow copy ({ ...state }) on each callQuestions:
4. Cross-Plugin Token Access
Questions:
5. XSS & Injection Attack Surface
useAuth()hook in plugin componentsQuestions:
Architecture Summary
┌─────────────────────────────────────┐
│ Greenhouse Shell (Trusted) │
│ - createAuthStore() │
│ - setAuthState({ token, user }) │
│ - Manages login/logout │
└────────────┬────────────────────────┘
│ passes { getSnapshot }
↓
┌─────────────────────────────────────┐
│ Plugin (Heureka, etc.) - Untrusted │
│ │
│ useAuth() → { token, userId } │
│ │
└─────────────────────────────────────┘
Key Security Questions for Review
getSnapshot()sufficient, or should we deep-freeze objects?Related Issues
Additional Context
Testing Gaps:
Documentation:
/packages/greenhouse-auth-provider/README.mdcreateAuthStore.ts- stores auth state and provides snapshot accessAuthProvider.tsx- wraps plugins with read-only auth contextauth-contract.ts- definesAuthStateandEmbeddedAuthinterfacesLabels:
security,authentication,architecture-review,greenhouse,micro-frontendPriority: High (authentication is foundational security control)