fix(extension): keep auth handoff private#1273
Conversation
| }) | ||
| if (!response.ok) throw new Error("Session validation failed") | ||
|
|
||
| const session = (await response.json()) as ExtensionSessionResponse |
There was a problem hiding this comment.
This line uses a type assertion (as ExtensionSessionResponse) on the result of response.json(). According to the style guide rule 'Use type annotations instead of assertions for object literals', type assertions should be avoided when a type annotation can be used instead. While this is not an object literal, the broader rule 'Avoid unnecessary type assertions' applies here. Since response.json() returns Promise<any>, a cleaner approach would be to define a typed wrapper or use a type annotation on the variable declaration: const session: ExtensionSessionResponse = await response.json() instead of casting with as.
| const session = (await response.json()) as ExtensionSessionResponse | |
| const session: ExtensionSessionResponse = await response.json() |
Spotted by Graphite (based on custom rule: TypeScript style guide (Google))
Is this helpful? React 👍 or 👎 to let us know.
Summary
The browser-extension login flow previously sent the reusable Better Auth session
token through
window.postMessage.Although
targetOriginrestricted the destination origin, every script andcontent script listening on the Supermemory page could still observe the token.
This PR moves authentication synchronization entirely into extension-controlled
contexts:
window.postMessagebroadcastbackground worker
cookiespermission
/v3/sessionbefore storing itSecurity impact
The reusable session token is no longer exposed through the page’s JavaScript
message bus. Page scripts, analytics dependencies, and extensions that merely
inject scripts into
app.supermemory.aican no longer passively capture it.Tests
Added regression coverage for:
Validation completed:
The repository-wide suite has unrelated existing failures in MCP OAuth
expectations, Tools tests, and memory-graph rendering tests.