I don't really see that you are gaining anything by keeping the token in memory. The refresh token is already persisted. And if anything it seems like you are making things worse, but maybe I'm missing something.
So for example:
Login to the site
Go to some page
Open a new empty tab
Paste in a url to another page on the site I want to go to (ex. /super-goats)
In this circumstance I would expect to have a valid session in both tabs, but I don't see how I could have.
If you are invoking the refresh token in the second tab, I would expect the token existing in memory in tab 1 to now be invalidated, in which case the page no longer works correctly. In the best case it will refresh the token again, but at this point you are basically reauthenticating a bunch of times if the user is jumping between tabs.
Again unless I'm missing something.
Also, to me this doesn't solve anything. You really had 2 issues and I only see one being solved here.
1. Tokens lasting forever or for a long time.
This should never be the case and tokens should always be provided with refresh token such that tokens are constantly refreshed.
But there isn't a good reason here for keeping the auth token in memory, I don't see that you gain anything keeping it in memory.
2. You site allowed an XSS attack
Really this is the point that needs to be addressed. I think your efforts would better be spent by investing in stronger Content Security Policy that better prevents XSS on the site.
Really if this isn't solved you haven't gained anything. I can still access the refresh token and hijack the session and I still have access to the token in memory.
So overall I guess, I don't see that you've solved anything by moving it to memory. You've just made the user experience worse.
I don't really see that you are gaining anything by keeping the token in memory. The refresh token is already persisted. And if anything it seems like you are making things worse, but maybe I'm missing something.
So for example:
In this circumstance I would expect to have a valid session in both tabs, but I don't see how I could have.
If you are invoking the refresh token in the second tab, I would expect the token existing in memory in tab 1 to now be invalidated, in which case the page no longer works correctly. In the best case it will refresh the token again, but at this point you are basically reauthenticating a bunch of times if the user is jumping between tabs.
Again unless I'm missing something.
Also, to me this doesn't solve anything. You really had 2 issues and I only see one being solved here.
1. Tokens lasting forever or for a long time.
This should never be the case and tokens should always be provided with refresh token such that tokens are constantly refreshed.
But there isn't a good reason here for keeping the auth token in memory, I don't see that you gain anything keeping it in memory.
2. You site allowed an XSS attack
Really this is the point that needs to be addressed. I think your efforts would better be spent by investing in stronger Content Security Policy that better prevents XSS on the site.
Really if this isn't solved you haven't gained anything. I can still access the refresh token and hijack the session and I still have access to the token in memory.
So overall I guess, I don't see that you've solved anything by moving it to memory. You've just made the user experience worse.
Exactly this