Syncing Chrome extension and web app auth
First off, I love better auth, thank you for building this.
I am building a Chrome extension together with a web-app. Both have SSO / Google OAuth enabled. SSO is really painful on the Chrome extension, but works in the web-app. Generally in terms of UX, I want to be able to "share" the session from the web-app to the Chrome extension, so that if the web-app is authenticated, the Chrome extension can basically just inherit that session.
I've figured out how to do this via a custom server-side plugin:
- The extension has sufficient permissions to get the session_token set on the web-app (cookie)
- It POSTs this token to the custom sync-session endpoint (on the web-app)
- This endpoint validates the token, checks it has a valid session, and calls setSessionCookie.
The response sets the cookie on the extension, and we're done. This way the user only has to log in once.
My question is: is this safe / reasonable? I wasn't able to figure out a different way of implementing this, and I'm concerned that this can be exploited if a bad actor somehow got a hold of another user's session token, because then they could just hit "sync-session" and in theory log into the application. Is that the case, or am I overthinking this?
Thanks, apologies for the long question. Happy to share the code for the plugin if that helps.
1 Reply
Actually, I believe that this is just a regular session-token hijacking, but wondering if, because the input to my sync-session endpoint is a raw token value (unsigned), there is added attack surface area
Would love some input from the auth gods!