thinkreview-browser-extension/content-webapp-auth.js at main · Thinkode/thinkreview-browser-extension · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
/**
 * Content script for ThinkReview webapp domain
 * Listens for Firebase auth state changes and notifies the extension
 *
 * Security: This script only runs on trusted webapp domains
 */

(function() {
  'use strict';

  // Debug toggle: set to false to disable console logs in production
  const DEBUG = false;

  // Logger functions - loaded dynamically to avoid module import issues in content scripts
  // Provide fallback functions immediately, then upgrade when logger loads
  // Check if variables already exist to avoid redeclaration errors (though IIFE should prevent this)
  var dbgLog = (...args) => { if (DEBUG) console.log('[ThinkReview Extension]', ...args); };
  var dbgWarn = (...args) => { if (DEBUG) console.warn('[ThinkReview Extension]', ...args); };
  var dbgError = (...args) => { if (DEBUG) console.error('[ThinkReview Extension]', ...args); };

  // Initialize logger functions with dynamic import
  (async () => {
    try {
      const loggerModule = await import(chrome.runtime.getURL('utils/logger.js'));
      dbgLog = loggerModule.dbgLog;
      dbgWarn = loggerModule.dbgWarn;
      dbgError = loggerModule.dbgError;
    } catch (error) {
      dbgWarn('Failed to load logger module, using console fallback:', error);
    }
  })();

  // Origin validation - imported from utils/origin-validator.js
  // Using dynamic import since content scripts can't use static ES6 imports
  let isValidOrigin;
  let originValidatorLoaded = false;

  // Load the origin validator utility
  (async () => {
    try {
      const module = await import(chrome.runtime.getURL('utils/origin-validator.js'));
      isValidOrigin = module.isValidOrigin;
      originValidatorLoaded = true;
      initializeContentScript();
    } catch (error) {
      dbgError('Failed to load origin validator utility:', error);
      // Don't initialize if we can't load the shared utility - ensures we always use the single source of truth
      dbgError('Content script initialization aborted due to missing origin validator');
    }
  })();

  function initializeContentScript() {
    if (!originValidatorLoaded) return;

    // Listen for request to open extension page — runs on any domain (including localhost)
    // so the button works in dev environments too. Low-risk: only opens a new tab.
    window.addEventListener('thinkreview-open-extension', () => {
      dbgLog('Received open-extension event from webapp');
      try {
        chrome.runtime.sendMessage({ type: 'OPEN_EXTENSION_PAGE' }, (response) => {
          if (chrome.runtime.lastError) {
            dbgWarn('Failed to open extension page:', chrome.runtime.lastError);
          } else {
            dbgLog('Open extension page response:', response);
          }
        });
      } catch (error) {
        dbgError('Error sending open-extension message:', error);
      }
    });

    const currentOrigin = window.location.hostname;
    const isAllowedOrigin = isValidOrigin(currentOrigin);

    if (!isAllowedOrigin) {
      dbgWarn('Content script loaded on unauthorized domain:', currentOrigin);
      return; // Don't run on wrong domain
    }

    dbgLog('Webapp auth content script loaded on:', currentOrigin);

    // Maximum age for auth data (5 minutes)
    const MAX_AUTH_AGE = 5 * 60 * 1000;

    /**
     * Validates user data structure
     */
    function validateUserData(userData) {
      if (!userData) return false;
      if (!userData.email || typeof userData.email !== 'string') return false;
      if (!userData.uid || typeof userData.uid !== 'string') return false;
      return true;
    }

    /**
     * Sends auth state to extension background script
     */
    function sendAuthToExtension(userData, timestamp) {
      // SECURITY: Validate data before sending
      if (!validateUserData(userData)) {
        dbgWarn('Invalid user data structure:', userData);
        return;
      }

      // SECURITY: Check timestamp freshness
      if (timestamp && (Date.now() - timestamp > MAX_AUTH_AGE)) {
        dbgWarn('Auth data is stale, ignoring');
        return;
      }

      try {
        chrome.runtime.sendMessage({
          type: 'webapp-auth-changed',
          userData: userData,
          timestamp: timestamp || Date.now(),
          origin: window.location.origin
        }, (response) => {
          if (chrome.runtime.lastError) {
            dbgWarn('Failed to send auth message:', chrome.runtime.lastError);
          } else if (response && response.success) {
            dbgLog('Auth state synced to extension');
          }
        });
      } catch (error) {
        console.error('Error sending auth message:', error);
      }
    }

    // Listen for custom events from webapp (login only)
    window.addEventListener('thinkreview-auth-changed', (event) => {
      dbgLog('Received auth-changed event:', event.detail);

      // Only handle login events, ignore logout (event.detail === null)
      if (event.detail !== null) {
        // Login/auth state change
        sendAuthToExtension(event.detail, Date.now());
      }
    });

    // Listen for postMessage from webapp (backup method, login only)
    window.addEventListener('message', (event) => {
      // SECURITY: Parse and validate event.origin using the same strict logic as initial domain check
      try {
        const eventOriginUrl = new URL(event.origin);
        const eventHostname = eventOriginUrl.hostname;

        // Validate the origin hostname using shared utility
        if (!isValidOrigin(eventHostname)) {
          dbgLog('Rejected postMessage from unauthorized origin:', event.origin);
          return; // Ignore messages from unauthorized origins
        }

        // Same-origin: event.origin must match window.location.origin to prevent spoofing
        if (event.origin !== window.location.origin) {
          dbgLog('Rejected postMessage from different origin:', event.origin, 'expected:', window.location.origin);
          return;
        }
      } catch (error) {
        // Invalid origin URL, reject
        dbgWarn('Invalid postMessage origin:', event.origin, error);
        return;
      }

      if (event.data && event.data.type === 'thinkreview-auth-state') {
        dbgLog('Received auth state via postMessage:', event.data);

        // Only handle login events, ignore logout (event.data.userData === null)
        if (event.data.userData !== null) {
          // Login/auth state change
          sendAuthToExtension(event.data.userData, event.data.timestamp);
        }
      }
    });

    dbgLog('Webapp auth listener initialized');
  }
})();