SECURITY VULNERABILITY FIXED:

Registration form was storing passwords in plain text in localStorage,
creating a severe XSS vulnerability where attackers could steal credentials.

Changes Made:
1. **RegisterForm.tsx:**
- REMOVED localStorage persistence of registration_progress (lines 110-146)
- Password, email, and all form data now kept in memory only
- Added cleanup effect to remove any existing registration_progress data
- Form data is submitted directly to backend via secure API calls
2. **WizardContext.tsx:**
- REMOVED localStorage persistence of wizard state (lines 98-116)
- All onboarding progress now tracked exclusively via backend API
- Added cleanup effect to remove any existing wizardState data
- Updated resetWizard to not reference localStorage
3. **Architecture Change:**
- All user data and progress tracking now uses backend APIs exclusively
- Backend APIs already exist: /api/v1/auth/register, onboarding_progress.py
- No sensitive data stored in browser localStorage

Impact:
- Prevents credential theft via XSS attacks
- Ensures data security and consistency across sessions
- Aligns with security best practices (OWASP guidelines)

Backend Support:
- services/auth/app/api/auth_operations.py handles registration
- services/auth/app/api/onboarding_progress.py tracks wizard progress
- All data persisted securely in PostgreSQL database
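
A sketch of the cleanup step the commit message describes, with a check that nothing credential-like remains in storage. This is an added example, not code from this commit or project: the key names `registration_progress` and `wizardState` come from the message above, while the field-name pattern, the `KeyValueStore` interface and the in-memory store are assumptions made for illustration.

```typescript
// Key names are from the commit message; the pattern and memory store are assumptions.
interface KeyValueStore {            // subset of Web Storage; window.localStorage fits
  readonly length: number;
  key(index: number): string | null;
  getItem(key: string): string | null;
  removeItem(key: string): void;
}
const LEGACY_KEYS: string[] = ["registration_progress", "wizardState"];
const SENSITIVE_FIELD = /pass(word)?|secret|token/i; // assumed heuristic
// True if any property name, at any depth, looks like a credential field.
function containsSensitiveField(value: unknown): boolean {
  if (value === null || typeof value !== "object") return false;
  const obj = value as { [k: string]: unknown };
  return Object.keys(obj).some(
    (name) => SENSITIVE_FIELD.test(name) || containsSensitiveField(obj[name]));
}

// Remove data left behind by builds that persisted form/wizard state.
function purgeLegacyKeys(store: KeyValueStore): string[] {
  const removed: string[] = [];
  LEGACY_KEYS.forEach((k) => {
    if (store.getItem(k) !== null) { store.removeItem(k); removed.push(k); }
  });
  return removed;
}

// List keys whose JSON value still carries credential-like fields.
function auditStore(store: KeyValueStore): string[] {
  const flagged: string[] = [];
  for (let i = 0; i < store.length; i++) {
    const k = store.key(i);
    if (k === null) continue;
    try {
      if (containsSensitiveField(JSON.parse(store.getItem(k) || "null"))) flagged.push(k);
    } catch { /* non-JSON value: nothing to inspect */ }
  }
  return flagged;
}

// In-memory stand-in so the example runs outside a browser.
function makeMemoryStore(entries: Array<[string, string]>): KeyValueStore {
  let items = entries.slice();
  return {
    get length() { return items.length; },
    key: (i) => { const e = items[i]; return e ? e[0] : null; },
    getItem: (k) => { const e = items.filter((p) => p[0] === k)[0]; return e ? e[1] : null; },
    removeItem: (k) => { items = items.filter((p) => p[0] !== k); },
  };
}
```

In a browser, `window.localStorage` can be passed to both functions directly, and a non-empty result from `auditStore` after the purge points at another key that still needs to move to the backend.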