fix: remove auth token from /health, secure extension bootstrap (CRITICAL-02 + HIGH-03)

- Remove token from /health response (was leaked to any localhost process) - Write .auth.json to extension dir for Manifest V3 bootstrap - sidebar-agent reads token from state file via BROWSE_STATE_FILE env var - Remove getToken handler from extension (token via health broadcast) - Extension loads token before first health poll to prevent race condition
2026-05-06 21:46:40 +02:00 · 2026-03-27 22:13:45 -07:00
parent 11695e3aca
commit e16bf23ca0
6 changed files with 114 additions and 40 deletions
@@ -30,6 +30,19 @@ function getBaseUrl() {
  return serverPort ? `http://127.0.0.1:${serverPort}` : null;
 }

+// ─── Auth Token Bootstrap ─────────────────────────────────────
+
+async function loadAuthToken() {
+  if (authToken) return;
+  try {
+    const resp = await fetch(chrome.runtime.getURL('.auth.json'));
+    if (resp.ok) {
+      const data = await resp.json();
+      if (data.token) authToken = data.token;
+    }
+  } catch {}
+}
+
 // ─── Health Polling ────────────────────────────────────────────

 async function checkHealth() {
@@ -39,13 +52,14 @@ async function checkHealth() {
    return;
  }

+  // Retry loading auth token if we don't have one yet
+  if (!authToken) await loadAuthToken();
+
  try {
    const resp = await fetch(`${base}/health`, { signal: AbortSignal.timeout(3000) });
    if (!resp.ok) { setDisconnected(); return; }
    const data = await resp.json();
    if (data.status === 'healthy') {
-      // Capture auth token from health response
-      if (data.token) authToken = data.token;
      // Forward chatEnabled so sidepanel can show/hide chat tab
      setConnected({ ...data, chatEnabled: !!data.chatEnabled });
    } else {
@@ -62,8 +76,8 @@ function setConnected(healthData) {
  chrome.action.setBadgeBackgroundColor({ color: '#F59E0B' });
  chrome.action.setBadgeText({ text: ' ' });

-  // Broadcast health to popup and side panel
-  chrome.runtime.sendMessage({ type: 'health', data: healthData }).catch(() => {});
+  // Broadcast health to popup and side panel (include token for sidepanel auth)
+  chrome.runtime.sendMessage({ type: 'health', data: { ...healthData, token: authToken } }).catch(() => {});

  // Notify content scripts on connection change
  if (wasDisconnected) {
@@ -74,7 +88,7 @@ function setConnected(healthData) {
 function setDisconnected() {
  const wasConnected = isConnected;
  isConnected = false;
-  authToken = null;
+  // Keep authToken — it comes from .auth.json, not /health
  chrome.action.setBadgeText({ text: '' });

  chrome.runtime.sendMessage({ type: 'health', data: null }).catch(() => {});
@@ -128,7 +142,9 @@ async function fetchAndRelayRefs() {
  if (!base || !isConnected) return;

  try {
-    const resp = await fetch(`${base}/refs`, { signal: AbortSignal.timeout(3000) });
+    const headers = {};
+    if (authToken) headers['Authorization'] = `Bearer ${authToken}`;
+    const resp = await fetch(`${base}/refs`, { signal: AbortSignal.timeout(3000), headers });
    if (!resp.ok) return;
    const data = await resp.json();

@@ -163,10 +179,7 @@ chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    return true;
  }

-  if (msg.type === 'getToken') {
-    sendResponse({ token: authToken });
-    return true;
-  }
+  // getToken handler removed — token distributed via health broadcast

  if (msg.type === 'fetchRefs') {
    fetchAndRelayRefs().then(() => sendResponse({ ok: true }));
@@ -237,7 +250,10 @@ chrome.runtime.onInstalled.addListener(async () => {

 // ─── Startup ────────────────────────────────────────────────────

-loadPort().then(() => {
-  checkHealth();
-  healthInterval = setInterval(checkHealth, 10000);
+// Load auth token BEFORE first health poll (token no longer in /health response)
+loadAuthToken().then(() => {
+  loadPort().then(() => {
+    checkHealth();
+    healthInterval = setInterval(checkHealth, 10000);
+  });
 });
@@ -413,7 +413,7 @@ function createEntryElement(entry) {
  div.innerHTML = `
    <div class="entry-header">
      <span class="entry-time">${formatTime(entry.timestamp)}</span>
-      <span class="entry-command">${entry.command || entry.type}</span>
+      <span class="entry-command">${escapeHtml(entry.command || entry.type)}</span>
    </div>
    ${argsText ? `<div class="entry-args">${escapeHtml(argsText)}</div>` : ''}
    ${entry.type === 'command_end' ? `
@@ -469,7 +469,8 @@ function connectSSE() {
  if (!serverUrl) return;
  if (eventSource) { eventSource.close(); eventSource = null; }

-  const url = `${serverUrl}/activity/stream?after=${lastId}`;
+  const tokenParam = serverToken ? `&token=${serverToken}` : '';
+  const url = `${serverUrl}/activity/stream?after=${lastId}${tokenParam}`;
  eventSource = new EventSource(url);

  eventSource.addEventListener('activity', (e) => {
@@ -493,7 +494,9 @@ function connectSSE() {
 async function fetchRefs() {
  if (!serverUrl) return;
  try {
-    const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000) });
+    const headers = {};
+    if (serverToken) headers['Authorization'] = `Bearer ${serverToken}`;
+    const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000), headers });
    if (!resp.ok) return;
    const data = await resp.json();

@@ -594,10 +597,8 @@ function tryConnect() {
  chrome.runtime.sendMessage({ type: 'getPort' }, (resp) => {
    if (resp && resp.port && resp.connected) {
      const url = `http://127.0.0.1:${resp.port}`;
-      // Get the token from background
-      chrome.runtime.sendMessage({ type: 'getToken' }, (tokenResp) => {
-        updateConnection(url, tokenResp?.token);
-      });
+      // Token arrives via health broadcast from background.js
+      updateConnection(url, null);
    } else {
      setTimeout(tryConnect, 2000);
    }