I think your design is flawed. You are not really providing any security without random values unique to each domain and user. Please refer to NIST SP 800-132 for more information.

I assume each app instance has its own secureLS instance with its own salt, such that one SecureLS can't decrypt a token set by another SecureLS. I get that that is a big point of security, but my use case is logging in via an API call to the backend using LS to set the token into LS using Cypress for E2E testing. If Cypress runtime uses one secure-ls import and Vue uses another, is it even possible for these to talk, with the right configuration or is that an impossibility? We're getting a could not parse JSON error in Cypress's console from secure-ls.js:256 and that would make sense if this is not possible to decrypt

Hi,

I am using Secure-ls it was working nice when I was not using Angular in strict Mode but when I am using it in Angular strict mode then it is throwing exception.

Error: node_modules/secure-ls/dist/secure-ls.d.ts:4:9 - error TS2305: Module '"../../@types/crypto-js"' has no exported member 'CipherHelper'.

4 import {CipherHelper, Encoder} from 'crypto-js';
          ~~~~~~~~~~~~
node_modules/secure-ls/dist/secure-ls.d.ts:4:23 - error TS2305: Module '"../../@types/crypto-js"' has no exported member 'Encoder'.

4 import {CipherHelper, Encoder} from 'crypto-js';

@softvar Please provide solution for this

This is the repo here

I was wondering if this repo was still being maintained &/ is active?

@softvar @luish Some would like to contribute.

At package.json there is

    "lz-string": "^1.4.4"

It will take version 1.5.0. Unfotnatelly this version is not compatible.

After all we have error:

Error: node_modules/secure-ls/dist/secure-ls.d.ts:24:24 - error TS2694: Namespace '".....node_modules/secure-ls/node_modules/lz-string/typings/lz-string"' has no exported member 'LZStringStatic'.

24     LZString: LZString.LZStringStatic;

If I force in my project "lz-string": "1.4.4" , version 1.5.0 will appear inside node_modules/secure-ls/node_modules.
There is no nice workaround with this, but only to delete this internal node_modules.

Please change dependencies to

    "lz-string": "1.4.4"

Update crypto-js to fix vulnerability issues: GHSA-xwcq-pm8m-c4vf

Especially under this config:

new SecureLS({ encodingType: 'aes' })

found this critical warning as I ran yarn audit
https://www.npmjs.com/advisories/1094461

Repo gives error could not parse json or t is null if the ls.get has a blank data and the further code do not run. i think repo tries to parse a blank data if ls.get data has null value then repo should not try to decrypt the data, this problem occurs only in Mozilla Firefox version 61, i have not tested in older versions

Also the library is not working in Internet Explorer and Microsoft Edge with the invalid argument error

I initialized the object SecureLs in head, i successfully stored the data in local storage with aes is encryption, i closed my browser and opened again and when i reached the page it says t is null, but i was surprised that this happens only in Mozilla Firefox (works fine in chrome and safari)

Hy, when i try to import in to my angular6 project:
import SecureLS from 'secure-ls'

but i receive this messages:

ERROR in node_modules/secure-ls/dist/secure-ls.d.ts(12,21): error TS1122: A tuple type element list cannot be empty.
src/app/pages/login/login.component.ts(16,8): error TS1192: Module
"node_modules/secure-ls/dist/secure-ls" has no default export.

Can anyone help me, with this?

We are using this in salesforce lighting and classic. The only issue is, when we try to set a localstorage value from VisualForce page, it gets set in different origin, for eg; https://testdev--c.cs9.visual.force.com, but when we try to set it from lightning it gets set in https://testdev--lightning.force.com.

This is normal. but the strange thing is I am able to view the keys of "https://testdev--c.cs9.visual.force.com" origin while accessing ls.getAllKeys() from "https://testdev--lightning.force.com", but the values aren't available even if I use the same secret key.

• vuex-persistedstate version: 4.0.0
• node version: 14.17.0
• npm (or yarn) version: 6.14.13
• secure-ls version:1.2.6
• vue version: 3.0.0
• vuex version: 4.0.0

Relevant code or config

import { createStore, Store } from 'vuex';
import { State } from 'vue'
import user, { IUserInfoState } from './modules/user';
import global, { IGlobalState } from './modules/global';
import SecureLS from 'secure-ls'
import createPersistedState from 'vuex-persistedstate'

declare module '@vue/runtime-core' {
  interface State {
    user: IUserInfoState;
    global: IGlobalState;
  }
  interface ComponentCustomProperties {
    $store: Store<State>
  }
}

const ls = new SecureLS({ isCompression: false })
window.sessionStorage.getItem = (key) => ls.get(key) 
window.sessionStorage.setItem = (key, value) => ls.set(key, value)
window.sessionStorage.removeItem = (key) => ls.remove(key)

export default createStore<State>({
  modules: {
    user,
    global,
  },
  plugins: [
    createPersistedState({ storage: window.sessionStorage })
  ]
});

I want to encrypt the sessionStorage using secure-ls. But with the code above, the secure-ls only encrypted the localStorage. I already issued this problem in the repository of vue-persistedstate. But they said this is scure-ls's issue. Anyone knows why? Please do tell.

Heya, i'm sorry if this is a stupid question, i'm no security expert.
but if everything has to be two-way, then the secret has to be accessible for every attacker... right?
so is it really just obfuscating the data, or is there a real encryption at work here, which is hard (or virtually impossible?) to break?

would someone explain it to me?
thanks :)

any javascript Object doesn't save on local storage on mac devices only, but other device working finely

When trying to get a value from localStorage using the get() method, I receive an error stating

Error: Malformed UTF-8 data

This only happens when using non-Base64 encoding.

The stack trace shows:

Error: Malformed UTF-8 data
    at Object.stringify (secure-ls.js:1845)
    at init.toString (secure-ls.js:957)
    at SecureLS.get (secure-ls.js:248)

Error: Malformed UTF-8 data
this error occurs in every 3 to 4 days
while after clearing the local Storage Data solve this error but user cannot do the same is there any alternative for this issue ?
or can you fix this bug ?

declare namespace SecureLS{
interface Base64 {
_keyStr: string;
encode(e: string);
decode(e: string);
}
}

is in the latest published version on npm.

Typescript complains with:

ERROR in ./node_modules/secure-ls/dist/secure-ls.d.ts
39:9 'decode', which lacks return-type annotation, implicitly has an 'any' return type.
37 | _keyStr: string;
38 | encode(e: string);

39 | decode(e: string);
| ^
40 | }
41 | }

'use strict';
// https://github.com/championswimmer/vuex-persist#readme
import createPersistedState from 'vuex-persistedstate';

import SecureLS from 'secure-ls';

const encryptedLocalStorage = new SecureLS(
    {
        encodingType: 'aes',
        encryptionSecret: 'D#xsQ6>P(_)Wrw;A',
        isCompression: false,
    },
);

const plugins = [
    createPersistedState({
                             storage: {
                                 getItem:    key => encryptedLocalStorage.get(key),
                                 setItem:    (key, value) => encryptedLocalStorage.set(key, value),
                                 removeItem: key => encryptedLocalStorage.remove(key),
                             },
                         }),
];

export default plugins;

import plugins                from './plugin/plugins';
import Vuex, {ModuleTree}     from 'vuex';
import Vue                    from 'vue';

Vue.use(Vuex);
const store = new Vuex.Store(
    {
        strict: 'production' !== process.env.NODE_ENV,
        devtools:  'production' !== process.env.NODE_ENV,
        modules,
        plugins,
    },
);
export default store;

Impossible to clear, update cached, encoded values. They are always old, outdated which cause a lot of issues, like expired token and its impossible to replace it.
Possibly related to
https://github.com/championswimmer/vuex-persist#readme
and
removeItem: key => encryptedLocalStorage.remove(key),

 "secure-ls": "^1.2.6",
    "source-map-loader": "^0.2.4",
    "standard": "^14.3.1",
    "uglifyjs-webpack-plugin": "^2.1.3",
    "url-loader": "^4.1.1",
    "vue": "^2.6.11",
    "vue-class-component": "^7.2.3",
    "vue-property-decorator": "^9.1.2",
    "vue-resource": "^1.2.1",
    "vue-router": "^3.0.1",
    "vue-router-multiguard": "^1.0.3",
    "vue-style-loader": "^4.1.0",
    "vue-template-loader": "^1.1.0",
    "vuex": "^3.0.1",
    "vuex-class": "^0.3.2",
    "vuex-persistedstate": "^4.0.0-beta.3",
    "vuex-router-sync": "^5.0.0"

How to remove or prevent _secure__ls__metadata key?

Hi Varun Malhotra, do you have any planning to let secure-ls support sessionStorage?

Why in god's name is it necessary to store the encryptionSecret unencrypted?

I'm using secure ls for a single page app.
When my web page loads I need a way to detect if there is an existing instance of secure-ls.
If I invoke lib = new SecureLS() each time I reload the page the current instance is overwritten and all data
from the previous session is lost.

I use onload() callback to initalize secureLS. Is there a way around this issue?

Not highest priority, but it would be nice if we could choose our own _secure_ls_metadata to cover up bit more.

encryptionNamespace just add another string to "_secure_ls_metadata"

While encrypting the local storage using secure-ls, its running fine in Chrome, Firefox but the entire app is not showing when running with Edge.

Originally posted by @jas- in #13 (comment)

I am trying to use secure-ls to encrypt local data of my Parse Server Application in a react-native project.
when typing the following two lines, I get the error "secure-ls can't find variable localStorage":

import SecureLS from 'secure-ls';
const ls = new SecureLS({ isCompression: false });

Could you tell me how to fix this error?

Looking for Firefox and Chromium support on Ubuntu Linux.

When using encryptionNamespace, removeAll() removes the default metaKey (from utils.metaKey) instead of the namespace metaKey from getMetaKey()

There is a problem with Microsoft Edge Local Storage and SecureLS. The problem is as explained here .

I managed to make it work on Edge by settings the compression off like this:
new SecureLS({ encodingType: 'aes', isCompression: false, encryptionSecret: '60f697d5-9aa9-4af3-a3e8-c1d4952fc7c2' });

But still there are problems as _secure_ls_metadata is not set.

Adding support for a different storage type like sessionStorage or a custom solution might be useful. I made and tested the changes in a fork, PR coming soon.

When I've installed secure-ls with pnpm and run it with esBuild I get:

X [ERROR] TS2694: Namespace '"C:/devprojects/node_modules/.pnpm/[email protected]/node_modules/lz-string/typings/lz-string"' has no exported member 'LZStringStatic'. [plugin angular-compiler]

node_modules/.pnpm/[email protected]/node_modules/secure-ls/dist/secure-ls.d.ts:24:23:
  24 │     LZString: LZString.LZStringStatic;
     ╵                        ~~~~~~~~~~~~~~

Hi, I don't know if this is intentional.

When using multiple nameSpaces then using clear(), all localStorage get deleted.

Hi,
I am using NextJs, and getting the error

ReferenceError: localStorage is not defined

when my code is

import * as  SecureLS from 'secure-ls';
var ls = new SecureLS({})

@gauravmuk Please help me resolve the issue.

• Actual behavior:
  If a user wants to switch from a unencrypted localStorage to secure-ls, he/she has to rewrite most of the current storage method calls as secure-ls uses different APIs (e.g. get(key) instead of getItem(key) and so on )

-Desired behavior
In order to simplify secure-ls adoption in place of a unencrypted storage, if it could comply the Storage API https://developer.mozilla.org/en-US/docs/Web/API/Storage this could make a developer life much easier, and allow better third party integration.

This would require implementing the five Storage interface methods:
Storage.key()
Storage.getItem()
Storage.setItem()
Storage.removeItem()
Storage.clear()

or just remap current method names

Hi,

Firefox 54.0 (64-bit) osX is returning this error: TypeError: e is null...

// },
/ 9 /
//
.
.
.
e = e.replace(/[^A-Za-z0-9\+\/\=]/g, '');

Line 1900

I'm trying to use secure-ls with Angular 6 it working fine but I get the error on build log

ERROR in node_modules/secure-ls/dist/secure-ls.d.ts(17,21): error TS1122: A tuple type element list cannot be empty.

import * as SecureLS from 'secure-ls'

https://stackoverflow.com/questions/17280390/can-local-storage-ever-be-considered-secure

Hi, I am wondering if there is any typing for secure-ls in order to use it in Angular 6+ ?

It look like firefox can't process the secure ls. On shutdow browser and relaod the store wont react. I have to remove de storage before it wil load again.

In Chrome everything works fine

Hello,

I trying to build my project with quasar (vuejs) but i got those errors :

ERROR in .../node_modules/secure-ls/dist/secure-ls.d.ts(4,9): TS2305: Module '"../../@types/crypto-js"' has no exported member 'CipherHelper'.

ERROR in /home/jer/leihia/leihia-vuejs/node_modules/secure-ls/dist/secure-ls.d.ts(4,23): TS2305: Module '"../../@types/crypto-js"' has no exported member 'Encoder'

I got that in my index.ts (store) :

var ls = new SecureLS({});

so I changed to this:

import * as SecureLS from 'secure-ls'
var ls = new SecureLS({});

But stil got original error messages + another one :
TS2351: This expression is not constructable. Type 'typeof SecureLS' has no construct signatures.

Tried with last version even 1.2.5.

I would love any help cause your solution is perfect for my project.
Thanks!

how to remove data when encryptionSecret change rather then throw off error
I do test with default setting then later change the encryptionSecret unable to access my app till I clear all the stored data

I used the demo here: and set up some data in the SecureLS with a password, and encryption system is AES.

Then in the browser console of same page I deliberately created another instance of SecureLS but this time with empty password

var ls = new SecureLS({encodingType: 'aes', isCompression: true, encryptionSecret: ""});
then i wrote console.log(ls)

It revealed everything. How come? Maybe I have misunderstood something?

Thanks