Discussion 🗣
Context
This issue addresses security vulnerabilities #752 and #738, which concern exposure of stored API keys through XSS. The current implementation keeps them in localStorage, which persists indefinitely (across tabs, restarts and sessions) and is readable by any script running on the origin, including scripts injected via XSS.
Detailed Description
Problem: API keys encrypted under a WebAuthn PRF-derived key are stored in localStorage, so the ciphertext is accessible to XSS despite the encryption. Decryption still requires the WebAuthn credential, but the encrypted blob itself can be exfiltrated for offline attack or replaced/tampered with, and it stays on disk until explicitly removed.
Solution: Migrate the encrypted API key storage from localStorage to sessionStorage. This limits persistence to the current browser session, narrowing the attack window, because sessionStorage is scoped to the tab and cleared when it is closed. Note that sessionStorage is readable by the same origin's scripts just like localStorage, so an injected script running while the tab is open can still read the blob; the change reduces how long the data lives, not who can read it during the session.