5

I've looked all over and cannot find a definitive way to safely store a JWT for an API inside a Chrome Extension.

My app allows users to log into their 3rd party account over an HTTPS connection, which then returns a token to use for further API requests.

```javascript
var credentials = {
  "email": username,
  "password": password
};

$http({
  method: 'POST',
  url: 'https://api/login',
  data: credentials,
  headers: {
    'Content-Type': 'application/json'
  }
}).then(function successCallback(response) {
  // Token provided here
});
```

What is the best and safest possible way to then store the token inside the Chrome Extension to be used for further API calls down the line?

Chrome Docs say LocalStorage and Session Storage are not secure.

I don't want users to have to log in every time they open the Chrome Extension.

Any help is greatly appreciated. Thank you

CyrisXD
  • "Safely" or "securely" are buzzwords that don't have a precise technical meaning. Anything stored in the browser is not secure since your extension and its data, and the browser code and data can be inspected and abused by someone who gained local access (or via an RCE bug). – wOxxOm Jun 26 '18 at 12:19
  • How did you end up doing this? – Miguel Stevens Oct 25 '18 at 01:56
  • @Notflip I didn't. Didn't feel safe enough storing people's tokens. I'm not 100% sure of a safe way. – CyrisXD Oct 26 '18 at 02:14

1 Answer

-1

All I am saying is you can use Google Chrome's storage API to do this as well. Unlike localStorage, this is accessible from content scripts as well. You can't access localStorage.getItem(token) inside a content script. Solution: chrome.storage.local.set/get

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Cristik Feb 01 '22 at 15:00
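
A sketch of the chrome.storage.local approach the answer above names, added here as an example and not code from the question or the answer: it stores the token and, on read, deletes it once its `exp` claim has passed, so the user only logs in again when the token is no longer usable. The names `TOKEN_KEY`, `saveToken`, `loadToken` and `memoryArea` are hypothetical, and it assumes the API issues JWTs that carry an `exp` claim.

```javascript
// Added example, not code from the question or answer.
// TOKEN_KEY, saveToken, loadToken and memoryArea are hypothetical names.
const TOKEN_KEY = 'apiToken';

// Read the `exp` claim (seconds since epoch) from a JWT payload without
// verifying the signature; the API server remains the authority on validity.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const exp = JSON.parse(atob(padded)).exp;
    return typeof exp === 'number' ? exp : null;
  } catch (e) {
    return null; // malformed payload
  }
}

// Store the token; `area` is anything with chrome.storage.local's
// callback-style get/set/remove.
function saveToken(token, area = chrome.storage.local) {
  return new Promise((resolve) => area.set({ [TOKEN_KEY]: token }, resolve));
}

// Return the stored token, or null when it is missing, malformed or
// expired (assumption: a token without `exp` is treated as unusable).
function loadToken(area = chrome.storage.local, nowSec = Date.now() / 1000) {
  return new Promise((resolve) => {
    area.get([TOKEN_KEY], (items) => {
      const token = items[TOKEN_KEY];
      const exp = token ? jwtExpiry(token) : null;
      if (token && exp !== null && exp > nowSec) return resolve(token);
      area.remove(TOKEN_KEY, () => resolve(null)); // do not keep stale tokens
    });
  });
}

// Constructed in-memory stand-in for chrome.storage.local, for running outside the browser.
function memoryArea() {
  const data = {};
  return {
    set(items, cb) { Object.assign(data, items); cb && cb(); },
    get(keys, cb) { const out = {}; keys.forEach((k) => { if (k in data) out[k] = data[k]; }); cb(out); },
    remove(key, cb) { delete data[key]; cb && cb(); },
  };
}
```

Using `chrome.storage.local` requires the `"storage"` permission in the extension manifest. Data in that area is not encrypted, so the local-access caveat raised in the comments on the question still applies.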