I have a website + extension similar to 1Password -- the user connects to the website once in a while, obtains a Cookie and some Bearer Token, and then only uses the extension (background.js + userscript.js modes) going forward. I don't have the expectation that the user will visit the website frequently enough to renew the Cookie. I don't want the user to have a pop-up every morning to update the Bearer. This kinda forces me to put a high expiration value on the Bearer.
I'm trying to balance security and UX and see how I can secure the Bearer better to make it harder to leak outside of the browser. A better mTLS strategy.
I found the existing API MediaDeviceInfo.deviceId that can provide the deviceId within my context. This potentially may help me to implement the "One-Time Password" strategy where my server and the extension installation get to know the deviceId, and each new Bearer gets generated from the combination of a time window and the deviceId.
The problem is I'm basically making the deviceId and the algorithm as exposed as the original Bearer Token, so a bad actor (whoever they are) can reproduce them on another host the same as the original Bearer. Well, the same as the main cookie, in fact.
- Are there better solutions here? Libraries?
- Should I give up and fall back to a regular pop-up/iframe with my website to refresh expired Bearers using cookies? I feel this is what 1Password is doing
- Or can I have a one-time Bearer exchange to set up a parallel cookie context inside the bg.js extension and let the browser+server refresh them