Hey team,
We have a security issue with the uppy-auth-token being handled via localStorage. We don’t want to save the token on the client’s machine; we see a vulnerability here: if a user works on a shared machine, there is a chance that another user could steal his token.
I looked over the code of uppy and companion and didn’t find a way to handle uppy-auth via a cookie. I found only thumbnail-related logic that works as we’d like other endpoints to work.
Could you please tell me how we can handle uppy-auth-token via http-only cookies without saving it in the client’s localStorage?