CSRF Token from Browser Extension


I have an express app using krakenjs/lusca to protect against CSRF attacks, which works for all routes within my domain. However, I also have a chrome extension that I would like to be able to use to POST to the app from any domain. From my research, I believe I should use token based authentication, so I have two questions:

  1. How should I generate and send that token to the extension to permit the app to authenticate the request from the extension?
  2. How should I store that token with the extension?

The answers I have found concern having an API which the server makes requests to, and token storage that relies on local storage (which I don't think will solve my problem, since the extension should be able to POST from arbitrary domains). I appreciate any help! Thank you.

Answer by phnkha (accepted answer):
  1. You cannot protect your endpoint for the extension 100%, but there are some solutions to limit other people from using it in unexpected ways. The simplest solution is using JsonWebToken. The server will encrypt an object that has a predefined structure, e.g. {email: '[email protected]', created_date: new Date()}, and send it back to the extension. When the server receives the extension's requests, it will try to decrypt the token and see if the data is valid (follows the predefined format) before responding. For more security, you should do some authentication, e.g. let the user log in to Google first to see if they are actually who they claim to be before issuing the token... I suggest you research how OAuth2 flows work to get a reference!

  2. There are a few options to store the token on the extension. I prefer to store it in chrome.storage.sync (https://developer.chrome.com/extensions/storage#property-sync). When the extension first loads, it should check if there is a token stored and call the server to get one if there is not any.