Skip to content

fix(extension): keep auth handoff private#1273

Open
GautamSharma99 wants to merge 1 commit into
supermemoryai:mainfrom
GautamSharma99:fix/extension-private-auth-handoff
Open

fix(extension): keep auth handoff private#1273
GautamSharma99 wants to merge 1 commit into
supermemoryai:mainfrom
GautamSharma99:fix/extension-private-auth-handoff

Conversation

@GautamSharma99

Copy link
Copy Markdown
Contributor

Summary

The browser-extension login flow previously sent the reusable Better Auth session
token through window.postMessage.

Although targetOrigin restricted the destination origin, every script and
content script listening on the Supermemory page could still observe the token.

This PR moves authentication synchronization entirely into extension-controlled
contexts:

  • removes the raw session-token window.postMessage broadcast
  • has the content script request authentication synchronization from the
    background worker
  • reads the HttpOnly Better Auth cookie using the scoped extension cookies
    permission
  • validates the session through /v3/session before storing it
  • accepts authentication requests only from flagged Supermemory pages
  • removes the authentication URL flag after a successful handoff
  • supports production and local-development Better Auth cookie names

Security impact

The reusable session token is no longer exposed through the page’s JavaScript
message bus. Page scripts, analytics dependencies, and extensions that merely
inject scripts into app.supermemory.ai can no longer passively capture it.

Tests

Added regression coverage for:

  • allowed Supermemory authentication URLs
  • lookalike and insecure origins
  • production and development cookie names
  • session validation and user-data mapping
  • rejected callers and invalid sessions
  • absence of page-level credential broadcasting

Validation completed:

  • focused tests: 5 passing
  • browser-extension TypeScript compile: passing
  • browser-extension production build: passing
  • Biome checks: passing

The repository-wide suite has unrelated existing failures in MCP OAuth
expectations, Tools tests, and memory-graph rendering tests.

@graphite-app graphite-app Bot added the extension related to Supermemory Chrome Extension label Jul 12, 2026
})
if (!response.ok) throw new Error("Session validation failed")

const session = (await response.json()) as ExtensionSessionResponse

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line uses a type assertion (as ExtensionSessionResponse) on the result of response.json(). According to the style guide rule 'Use type annotations instead of assertions for object literals', type assertions should be avoided when a type annotation can be used instead. While this is not an object literal, the broader rule 'Avoid unnecessary type assertions' applies here. Since response.json() returns Promise<any>, a cleaner approach would be to define a typed wrapper or use a type annotation on the variable declaration: const session: ExtensionSessionResponse = await response.json() instead of casting with as.

Suggested change
const session = (await response.json()) as ExtensionSessionResponse
const session: ExtensionSessionResponse = await response.json()

Spotted by Graphite (based on custom rule: TypeScript style guide (Google))

Fix in Graphite


Is this helpful? React 👍 or 👎 to let us know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

extension related to Supermemory Chrome Extension

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant