Get and store auth_token in chrome extension

About

Asked 3/1, 2018 at 12:33 Answered 3/1, 2018 at 14:36

google-chrome session authentication google-chrome-extension storage

I am implementing a chrome extension. Where an user log in(email and password) and get auth token from 3rd party. I want to store this auth token so when sending another request to same party I can use this token. What is good approach to do this. Should I store it ? If yes how? Else what should I do?

Overwinter answered 3/1, 2018 at 12:33 Comment(1)

developer.chrome.com/extensions/identity – Luehrmann 4/1, 2018 at 3:5

You can save it in Storage.

Step 1: You need to add the storage permission in manifest.json

"permissions": [ "storage" ],

Step 2: Set the token in storage

chrome.storage.local.set({ "authToken": <YOUR_TOKEN_HERE> }, function(){
    //  Data's been saved boys and girls, go on home
});

Step 3: Get the token from storage

var authToken='';
chrome.storage.local.get(["authToken"], function(items){
    debugger;
    // NOTE: check syntax here, about accessing 'authToken'
    authToken= items.authToken
});

Lapwing answered 3/1, 2018 at 14:36 Comment(7)

Is it safe to store token in storage ? Can I use sessionStorage ? – Overwinter 4/1, 2018 at 6:15

safety point of view no one method is safe at front end but in sessionStorage any user can see the token easily using dev tool so i am suggesstion to tyou is use chrome.storage.local.get(). – Lapwing 4/1, 2018 at 8:45

@PankajRupapara Yes, they can see the token using the dev tool, but they are only seeing their own token. The problem with sessionStorage arises when a hacker can access it via cross-site-scripting (XSS). – Nicolettenicoli 4/4, 2019 at 6:51

It says here developer.chrome.com/extensions/storage that "Confidential user information should not be stored! The storage area isn't encrypted." So is it safe to store tokens? I'm not sure. Seems okay but it could mean that anyone that has access to your PC might be able to access the token – Dragster 14/4, 2020 at 14:15

Your JWT itself is encrypted, no? So even if someone has access to it, what could they do with it? Reverse-engineer it? They do not know the seed(s) you used to generate the JWT (on your server). In theory your server should be checking JWT legitimacy along with other signals to make sure someone is authorized. Regarding "confidential user information", I think that is in reference to personal data as plain text ie username, email, ip, etc. which obviously IS super exposed when kept in cookies or localStorage. – Bracken 18/12, 2022 at 16:33

Using localStorage to store JWT seems to be fine as long as you take security steps. See this article: pragmaticwebsecurity.com/articles/oauthoidc/… – Bracken 18/12, 2022 at 16:39

@Bracken you are so wrong; everyone, please disregard their comment for your app's security. – Sattler 15/7 at 15:42

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags