Use env var to determine session or local storage

changelog/unreleased/enhancement-allow-local-storage-for-auth-token

@@ -0,0 +1,8 @@
+Enhancement: Allow local storage for auth token
+
+We've introduced a new env var WEB_OPTION_TOKEN_STORAGE_LOCAL, when set to true(default), the auth token will be stored in the
+browser's local storage instead the session storage, this will effect in a persisted login state across multiple
+browser tabs.
+
+https://github.com/owncloud/web/pull/9386
+https://github.com/owncloud/web/issues/9325

docs/getting-started.md

@@ -73,6 +73,7 @@ Depending on the backend you are using, there are sample config files provided i
 - `options.editor.autosaveInterval` Specifies the time interval for the autosave of editor apps in seconds.
 - `options.contextHelpersReadMore` Specifies whether the "Read more" link should be displayed or not.
 - `options.openLinksWithDefaultApp` Specifies whether single file link shares should be opened with default app or not.
+- `options.tokenStorageLocal` Specifies whether the access token will be stored in the local storage when set to `true` or in the session storage when set to `false`. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required. Defaults to `true`.
 
 #### Scripts and Styles
 

packages/web-pkg/src/configuration/manager.ts

@@ -95,6 +95,7 @@ export class ConfigurationManager {
       get(options, 'openLinksWithDefaultApp', true)
     )
     set(this.optionsConfiguration, 'upload.companionUrl', get(options, 'upload.companionUrl', ''))
+    set(this.optionsConfiguration, 'tokenStorageLocal', get(options, 'tokenStorageLocal', true))
   }
 
   get options(): OptionsConfiguration {

packages/web-pkg/src/configuration/types.ts

@@ -20,6 +20,7 @@ export interface OptionsConfiguration {
   logoutUrl?: string
   contextHelpersReadMore?: boolean
   openLinksWithDefaultApp?: boolean
+  tokenStorageLocal?: boolean
 }
 
 export interface OAuth2Configuration {

packages/web-runtime/src/services/auth/userManager.ts

@@ -34,14 +34,17 @@ export class UserManager extends OidcUserManager {
   private _unloadReason: UnloadReason
   private ability: Ability
   private language: Language
-
+  private browserStorage: Storage
   public areEventHandlersRegistered: boolean
 
   constructor(options: UserManagerOptions) {
+    const browserStorage = options.configurationManager.options.tokenStorageLocal
+      ? localStorage
+      : sessionStorage
     const storePrefix = 'oc_oAuth.'
     const userStore = new WebStorageStateStore({
       prefix: storePrefix,
-      store: sessionStorage
+      store: browserStorage
     })
     const openIdConfig: UserManagerSettings = {
       userStore,
@@ -89,6 +92,7 @@ export class UserManager extends OidcUserManager {
 
     super(openIdConfig)
     this.storePrefix = storePrefix
+    this.browserStorage = browserStorage
     this.clientService = options.clientService
     this.configurationManager = options.configurationManager
     this.store = options.store
@@ -116,16 +120,16 @@ export class UserManager extends OidcUserManager {
   }
 
   getAndClearPostLoginRedirectUrl(): string {
-    const url = sessionStorage.getItem(postLoginRedirectUrlKey) || '/'
-    sessionStorage.removeItem(postLoginRedirectUrlKey)
+    const url = this.browserStorage.getItem(postLoginRedirectUrlKey) || '/'
+    this.browserStorage.removeItem(postLoginRedirectUrlKey)
     return url
   }
 
   setPostLoginRedirectUrl(url?: string): void {
     if (url) {
-      sessionStorage.setItem(postLoginRedirectUrlKey, url)
+      this.browserStorage.setItem(postLoginRedirectUrlKey, url)
     } else {
-      sessionStorage.removeItem(postLoginRedirectUrlKey)
+      this.browserStorage.removeItem(postLoginRedirectUrlKey)
     }
   }
 

packages/web-runtime/src/store/config.ts

@@ -68,6 +68,7 @@ const state = {
     sharingRecipientsPerPage: 200,
     contextHelpersReadMore: true,
     openLinksWithDefaultApp: true,
+    tokenStorageLocal: true,
     privacyUrl: '',
     imprintUrl: '',
     accessDeniedHelpUrl: ''