On The Business of Chrome Extensions and Sensitive Information

An Object Is A
3 min read, Oct 2, 2020

This is a response to a concern raised about access tokens when working with Spotify’s OAuth2 endpoint.

See that video here:

Yes, anyone who downloads your Chrome Extension can see ALL of the code you’ve written.

This brings us to the main concern:

Can’t people then use the access tokens, or even the client id, present in your code?

The short answer is “Yes” to both.

Let’s tackle the access token.

The access token will not give you or anyone access to truly sensitive information about the user.
No passwords.
No credit card details.

The access token only grants read access to, and modification of, the information you request in the SCOPES parameter of the OAuth2 request.

The access token can be kept in RAM (as a variable) or in local storage for a more permanent solution.

However, for an access token to be circulating in your app at all, there first needs to be an access token.

For there to be an access token, someone has to first log in with VALID CREDENTIALS.

So anyone downloading your Chrome Extension and inspecting your code faces one of 3 scenarios:

1. The user logs in with THEIR credentials which in this case means they “OWN” the token; they can access it if they want.

2. The user logs in with SOMEONE ELSE’S credentials for which they DO have PERMISSION which in this case means they “OWN” the token; they can access it if they want.

3. THE MAIN CONCERN — the user logs in with valid credentials and someone else gains access WITHOUT PERMISSION to the Chrome Extension — either digitally or physically — and can therefore access the user’s token; this isn’t our burden.

At some point, responsibility is passed on to the user regarding their credentials.

Our app neither stores user passwords nor anything else that could lead to a severe data breach.
Also, Spotify access tokens expire after 60 minutes, and our Chrome Extension “dumps” the token every 60 minutes.

We have a simple access token with the ability to read and modify important user information, yes, but nothing too compromising.

I have to reiterate: we only get an access token if the user logs in successfully.

It’s up to them to keep their login credentials secure.

If they don’t have a firewall up, that’s on them.

If they don’t have anti-spy/malware installed, that’s on them.

If they log in, step away from their PC, and someone physically operates their PC to look at the extension code while they’re away, that’s on them.
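The three token points above (request only the scopes you need, keep the token in a variable or local storage, and drop it once its 60 minutes are up) can be handled in a few lines. The following is an added example, not code from the original post or from the author’s extension. It assumes the extension uses Spotify’s implicit grant (`response_type=token`), so the token arrives in the fragment of the redirect URL along with `expires_in`; `chrome.storage` is replaced by a plain object so the code runs outside a browser, and the client id and redirect URI are placeholders.

```javascript
// Added example (not from the original post): handle a Spotify implicit-grant
// redirect, keep the token only until it expires, and request minimal scopes.
// Assumptions: response_type=token (token returned in the URL fragment), and a
// plain object standing in for chrome.storage.local / localStorage.

const SPOTIFY_AUTHORIZE = 'https://accounts.spotify.com/authorize';

// Build the authorize URL. `scope` is the OAuth2 parameter that limits what
// the resulting token can read or modify; ask only for what the feature needs.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'token',
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    state,
  });
  return `${SPOTIFY_AUTHORIZE}?${params.toString()}`;
}

// Parse the fragment Spotify appends to the redirect URI, e.g.
// "#access_token=...&token_type=Bearer&expires_in=3600&state=...".
// Returns null if there is no token, expires_in is unusable, or the `state`
// does not match the value we sent (then this redirect is not a reply to our
// own request and must be ignored). `now` is injectable for testing.
function parseRedirectFragment(redirectUrl, expectedState, now = Date.now()) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, '');
  const params = new URLSearchParams(hash);
  const token = params.get('access_token');
  const expiresIn = Number(params.get('expires_in'));
  if (!token || !Number.isFinite(expiresIn) || expiresIn <= 0 ||
      params.get('state') !== expectedState) {
    return null;
  }
  // Record the absolute expiry so the store can drop the token on time.
  return { accessToken: token, expiresAt: now + expiresIn * 1000 };
}

// Token holder. `storage` is a plain object standing in for
// chrome.storage.local / localStorage; the caller can pass its own.
function createTokenStore(storage = {}) {
  return {
    save(entry) {
      storage.spotifyToken = entry;
    },
    // Returns the token only while it is still valid. An expired token is
    // deleted so it never lingers in storage after Spotify stops honouring it.
    get(now = Date.now()) {
      const entry = storage.spotifyToken;
      if (!entry) return null;
      if (now >= entry.expiresAt) {
        delete storage.spotifyToken;
        return null;
      }
      return entry.accessToken;
    },
    // Explicit "dump", e.g. from a 60-minute alarm or a logout button.
    clear() {
      delete storage.spotifyToken;
    },
  };
}
```

`createTokenStore(...).get()` is the only place the rest of the extension should read the token from, so an expired token is removed at the moment it would have been used rather than sitting in storage until a timer fires.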

Let’s tackle the client id.

This is simple.

People can use your client id to make requests to the Spotify API. They could even spam it.

However, Spotify has “rate limiting”: if your client id makes too many requests to Spotify in a given period, they put your app on a “timeout” for ‘x’ number of seconds.
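The “timeout” is something the extension itself has to cope with, because the legitimate user’s requests are throttled along with anyone else’s. The following is an added example, not code from the original post or from the author’s extension. It assumes that Spotify’s Web API signals the timeout with HTTP 429 and a `Retry-After` header giving the wait in seconds (this is how Spotify documents its rate limiting); the `fetchImpl` and `sleep` parameters are injection points so the logic can be exercised against a constructed fake API without real waiting.

```javascript
// Added example (not from the original post): a fetch wrapper that honours the
// rate-limit "timeout" instead of hammering the API again immediately.
// Assumption: the API answers HTTP 429 with a Retry-After header in seconds.

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

async function fetchWithRateLimit(
  url,
  options = {},
  { fetchImpl = fetch, sleep = defaultSleep, maxRetries = 3 } = {},
) {
  let waitedSeconds = 0; // total wait the server asked for, useful for metrics
  for (let attempt = 0; ; attempt++) {
    const response = await fetchImpl(url, options);
    // Not throttled, or out of retries: hand the response back to the caller,
    // who can show "try again later" on a 429 rather than retrying blindly.
    if (response.status !== 429 || attempt >= maxRetries) {
      return { response, retries: attempt, waitedSeconds };
    }
    // Wait exactly as long as the server says; fall back to 1s if the header
    // is missing or unparseable.
    const retryAfter = Number(response.headers.get('Retry-After'));
    const seconds = Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 1;
    waitedSeconds += seconds;
    await sleep(seconds * 1000);
  }
}

// Constructed stand-in for fetch (not a real Spotify response): answers 429
// with Retry-After for the first `limitedCalls` calls, then 200.
function makeFakeSpotify(limitedCalls, retryAfterSeconds) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= limitedCalls) {
      return {
        status: 429,
        headers: new Map([['Retry-After', String(retryAfterSeconds)]]),
      };
    }
    return { status: 200, headers: new Map() };
  };
}
```

In the extension, `fetchWithRateLimit('https://api.spotify.com/v1/me', { headers: { Authorization: 'Bearer ' + token } })` replaces a bare `fetch`; the `maxRetries` cap keeps a misbehaving loop from extending the timeout indefinitely.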

I hope this addresses concerns about people who download your Chrome Extension being able to see the source code.

If you have a better way of dealing with access tokens (not JWTs) in Chrome Extensions, feel free to contact me on Twitter, Instagram, or Email.

Just remember, never store PASSWORDS or other truly sensitive information in plain text anywhere.
