9

I'm building a Chrome extension that facilitates the creation of contacts straight from the browser without needing to go to my Devise-powered Rails app itself. Contacts#Create requires authentication, so I'm wondering how I can send authenticated requests from the extension.

I've enabled Devise TokenAuthenticatable, so my users have an auth token. I've written a method in my extension's JS that posts to my Rails app's contacts#create action. For testing, I've simply hard-coded my own auth token, which seems to work. But how can the extension access the auth tokens for users? It doesn't seem right/secure to store this token in a cookie.

I think I'm supposed to use chrome.cookies to access and do something with my app's session info somehow. But I only get a sessionID here.

Any help appreciated!

Austin Wang

2 Answers

1

Although not from a Chrome extension, I was building something similar that would work from the terminal. I ended up bypassing Devise and creating my own token authentication that would allow users to access just the one controller#action I needed. That way you can minimize the damage if the token gets stolen.

So anyway, I would allow users to generate (and regenerate) tokens within the Rails app interface and make it so that the extension asks for the token on the very first launch. I'd store the token itself in localStorage.

Jiří Pospíšil
  • 1
    Thank you. This is helpful and I think it will work. However, I'm curious whether storing tokens in localStorage is a best practice, whether it is secure, and whether other extensions / web apps could access it without user permission or knowledge. – Austin Wang Dec 10 '12 at 21:27
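
The server side of the scheme in the answer above (a user-regenerable token that only reaches one controller#action), sketched as an added example that is not part of the original answer or of Devise. `ScopedTokenStore`, its method names and the user id are hypothetical; keeping only a SHA-256 digest of the token and comparing in constant time are assumptions added here.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store; a Rails app would keep the digest on the user record.
class ScopedTokenStore
  ALLOWED_ACTION = "contacts#create" # the only action a token may reach

  def initialize
    @digests = {} # user_id => SHA-256 hex digest of the current token
  end

  # Generate (or regenerate) a token. The plaintext is returned once so the
  # user can paste it into the extension; any previous token stops working.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @digests[user_id] = Digest::SHA256.hexdigest(token)
    token
  end

  # Returns the user_id for a valid token on the allowed action, else nil.
  def authenticate(token, action)
    return nil unless action == ALLOWED_ACTION
    return nil if token.nil? || token.empty?
    presented = Digest::SHA256.hexdigest(token)
    found = nil
    @digests.each { |uid, digest| found = uid if secure_compare(digest, presented) }
    found
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ScopedTokenStore.new
  old_token = store.issue(42)            # constructed user id
  new_token = store.issue(42)            # regenerate: old token is now dead
  p store.authenticate(new_token, "contacts#create")
  p store.authenticate(old_token, "contacts#create")
  p store.authenticate(new_token, "contacts#destroy")
end
```

Because the token is rejected for every action except `contacts#create`, a token leaked from the extension's storage cannot be used against the rest of the app, and regenerating it invalidates the leaked copy.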
0

You can also check the authentication_token stored in your app cookie.

You can achieve this using the chrome.cookies.getAll() method detailed here - https://developer.chrome.com/extensions/cookies#method-getAll

Martin