Access_token in history

Just noticed/realized today that I can search my browser history for access_token and find usable tokens for rs accounts. Not sure how much it matters for security purposes, but would be interested to know if there was already a discussion about this.

1 Like

That’s not specific to remoteStorage, but to the OAuth 2.0 Implicit Grant flow.

It’s important to know that only your browser will see the access token, but not any proxies or servers other than the one hosting the remoteStorage account. This is due to the fact that the token property is a URI fragment, not a query parameter.

Anything behind a # character will not be sent to the server and is only intended for clients. This is also why you will find private keys in URL fragments of web apps like CryptPad or Wormhole for example.

That said, we just added optional support for the Authorization Code grant with PKCE to the December update of the spec draft. This will improve the security of the OAuth flow quite a bit once deployed. App developers will be able to just update remoteStorage.js, which will use this newer OAuth flow whenever it sees that a server supports it.