Clustify-Chromium/background.js at main · BitForge95/Clustify-Chromium · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
const _browser = typeof globalThis.browser !== "undefined" ? globalThis.browser : chrome;

const CLIENT_ID = "494456271943-4hhnth42rf95i6ooatvfuao3tq89m1fl.apps.googleusercontent.com";
// SECURITY FIX: Downgraded to least privilege scope
const SCOPES = "https://www.googleapis.com/auth/gmail.modify";
const REDIRECT_URI = _browser.identity.getRedirectURL();

// Helper to generate a random string for CSRF protection
function generateRandomString() {
  const array = new Uint32Array(4);
  crypto.getRandomValues(array);
  return Array.from(array, dec => dec.toString(16).padStart(8, "0")).join("");
}

async function getAuthToken() {
  return new Promise((resolve, reject) => {
    // SECURITY FIX: Generate and include a state parameter
    const stateString = generateRandomString();
    const authUrl = `https://accounts.google.com/o/oauth2/auth?client_id=${CLIENT_ID}&response_type=token&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&scope=${encodeURIComponent(SCOPES)}&state=${stateString}`;

    _browser.identity.launchWebAuthFlow(
      { interactive: true, url: authUrl },
      async (redirectUrl) => {
        if (_browser.runtime.lastError || !redirectUrl) {
          reject(_browser.runtime.lastError || "No redirect URL");
          return;
        }

        const fragment = redirectUrl.split("#")[1];
        if (!fragment) {
          reject("No fragment found in redirect URL");
          return;
        }

        const params = new URLSearchParams(fragment);
        const accessToken = params.get("access_token");
        const returnedState = params.get("state");
        const expiresIn = params.get("expires_in");

        // SECURITY FIX: Verify the state to prevent CSRF
        if (returnedState !== stateString) {
          reject("State mismatch. Potential CSRF attack.");
          return;
        }

        if (accessToken) {
          try {
            // SECURITY FIX: Use session storage so token isn't written to disk
            await _browser.storage.session.set({
              authToken: accessToken,
              tokenExpiry: Date.now() + (parseInt(expiresIn) * 1000)
            });
            resolve(accessToken);
          } catch (storageError) {
            reject(storageError);
          }
        } else {
          reject("No access token found in redirect URL");
        }
      }
    );
  });
}

_browser.runtime.onMessage.addListener((message, sender, sendResponse) => {
  if (message.action === "getToken") {
    getAuthToken()
      .then(token => sendResponse({ success: true, token: token }))
      .catch(error => sendResponse({ success: false, error: error.message || error }));
    return true;
  }

  if (message.action === "checkToken") {
    // Updated to check session storage instead of local
    _browser.storage.session.get(['authToken', 'tokenExpiry'])
      .then(stored => {
        const hasValidToken = stored.authToken && stored.tokenExpiry && Date.now() < stored.tokenExpiry;
        sendResponse({
          success: true,
          hasValidToken: hasValidToken,
          token: hasValidToken ? stored.authToken : null
        });
      })
      .catch(error => sendResponse({ success: false, error: error.message }));
    return true;
  }

  if (message.action === "clearToken") {
    console.log("🗑️ Revoking and clearing stored token");

    _browser.storage.session.get(['authToken'])
      .then(stored => {
        // 1. If we have a token, tell Google's servers to officially revoke it
        if (stored.authToken) {
          fetch(`https://oauth2.googleapis.com/revoke?token=${stored.authToken}`, {
            method: 'POST',
            headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
          }).catch(err => console.error("Failed to revoke token with Google:", err));
        }

        // 2. Clear it from the extension's local session memory
        return _browser.storage.session.remove(['authToken', 'tokenExpiry']);
      })
      .then(() => {
        console.log("✅ Token fully cleared and revoked");
        sendResponse({ success: true });
      })
      .catch(error => {
        console.error("❌ Error during logout:", error);
        sendResponse({ success: false, error: error.message });
      });

    return true;
  }
});