Storing Wave sessions with browser extension

produkt

Jan 29th, 2025 04:15 PM

I am building a browser extension to communicate with my Wave API from a 3rd party site. I am discovering that stateless JWT might not be the best way to do this without having the user log in each session, although feel free to correct me if I'm wrong. What is the best and safest way to allow my browser extension to save the user's session?

bobbyiliev

Jan 31st, 2025 12:04 AM

Hey there! 👋

Not an expert in web browser extensions, but based on discussions like this one on Stack Overflow, the general recommendation is to use OAuth 2.0 for authentication.

Storing JWTs in local storage or directly in the extension isn’t ideal because it makes them vulnerable to theft. Instead, consider using Chrome’s identity API or securely storing tokens using the chrome.storage API.

That way, you avoid passing sensitive credentials directly and keep things more secure!

Hope this helps!

produkt

Jan 31st, 2025 06:38 AM

Another option I saw that might be more secure is using httpOnly cookies. I noticed when using Insomnia for testing the API that sometimes an httpOnly cookie is set. At what point is that generated and set for the user? On initial login/authentication? It's hard to tell in Insomnia. Does that mean subsequent requests to my API endpoints without a JWT token are already authenticated? Does this method require manual reauthentication with a refresh token? Will this work with my browser extension?

bobbyiliev

Jan 31st, 2025 03:11 PM

As per the docs here, the default API authentication is stateless JWT, meaning there’s no session stored for the user—each request needs a valid JWT token. So, httpOnly cookies won’t work out of the box for keeping users authenticated like they would in a stateful Sanctum setup.

If you want session-based auth (cookies instead of JWTs), you'd need to integrate Sanctum yourself. Otherwise, your best bet is refresh tokens or OAuth 2.0 for long-term authentication.

Will this work with my browser extension?

Well, that depends on how you've built it. If your extension sends requests with a JWT, it should work fine. If you're relying on session cookies, Wave won’t handle that by default. So, it’s either stick with JWTs or modify Wave to support Sanctum if you want session-based auth.
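As an added illustration of the two points made in this thread (keep the JWT in `chrome.storage` rather than `localStorage`, and send a valid JWT on every request with a refresh token for long-lived sessions), here is an extension-side session helper. It is example code written for this thread, not Wave's own code. The refresh endpoint path (`/api/auth/refresh`) and its JSON field names (`refresh_token`, `access_token`) are assumptions; the test JWTs it builds are unsigned and constructed only so the expiry check can be exercised. In an extension it uses `chrome.storage.session` (cleared when the browser closes and, by default, not readable from content scripts); outside an extension it falls back to an in-memory Map so the file runs under Node.

```javascript
// Added example for this thread, not Wave's code. Keeps the Wave API JWT in
// chrome.storage.session, sends it as a Bearer header, refreshes it before it
// expires and once more after a 401. ASSUMED (not Wave's documented API): the
// /api/auth/refresh endpoint and the refresh_token / access_token JSON fields.

// Storage abstraction: chrome.storage.session inside an extension, in-memory
// Map elsewhere (so the example also runs under Node).
function makeStorage() {
  const area = globalThis.chrome?.storage?.session;
  if (area) {
    return {
      get: async (key) => (await area.get(key))[key],
      set: async (key, value) => area.set({ [key]: value }),
      remove: async (key) => area.remove(key),
    };
  }
  const mem = new Map();
  return {
    get: async (key) => mem.get(key),
    set: async (key, value) => { mem.set(key, value); },
    remove: async (key) => { mem.delete(key); },
  };
}

function b64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function b64urlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read `exp` from the payload WITHOUT verifying the signature: the client only
// uses it to decide when to refresh; the server still validates every token.
function jwtExpiresAt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const exp = JSON.parse(b64urlDecode(parts[1])).exp;
    return typeof exp === 'number' ? exp : null;
  } catch {
    return null;
  }
}

// Constructed test token with a fake signature; no server would accept it.
function makeTestJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.sig`;
}

class WaveSession {
  constructor({ baseUrl, storage = makeStorage(), fetchImpl = globalThis.fetch, now = () => Date.now() / 1000 }) {
    Object.assign(this, { baseUrl, storage, fetch: fetchImpl, now });
  }
  async save({ accessToken, refreshToken }) {
    await this.storage.set('wave_access', accessToken);
    if (refreshToken) await this.storage.set('wave_refresh', refreshToken);
  }
  async clear() {
    await this.storage.remove('wave_access');
    await this.storage.remove('wave_refresh');
  }
  // Usable access token; refresh proactively when it expires within 60 s.
  async accessToken() {
    const token = await this.storage.get('wave_access');
    if (!token) throw new Error('not logged in');
    const exp = jwtExpiresAt(token);
    return exp !== null && exp - this.now() > 60 ? token : this.refresh();
  }
  async refresh() {
    const refreshToken = await this.storage.get('wave_refresh');
    if (!refreshToken) throw new Error('no refresh token: user must log in again');
    const res = await this.fetch(`${this.baseUrl}/api/auth/refresh`, { // assumed endpoint
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refresh_token: refreshToken }),
    });
    if (!res.ok) { await this.clear(); throw new Error(`refresh failed: ${res.status}`); }
    const body = await res.json();
    await this.save({ accessToken: body.access_token, refreshToken: body.refresh_token });
    return body.access_token;
  }
  // Authenticated request: Bearer header, one retry through refresh on 401.
  async apiFetch(path, init = {}) {
    const send = (token) => this.fetch(`${this.baseUrl}${path}`, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    let res = await send(await this.accessToken());
    if (res.status === 401) res = await send(await this.refresh());
    return res;
  }
}
```

Do the fetching from the extension's service worker, not from a content script injected into the third-party page: anything a content script holds is reachable from that page's context, whereas `chrome.storage.session` is limited to trusted extension contexts by default. Note also that the Wave side still has to issue the refresh token and expose the refresh endpoint; this helper only shows the extension side.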

produkt

Feb 9th, 2025 12:19 PM

So it seems like if I want session-based auth with my browser extension then I need Sanctum, since there isn't really a safe way to use JWT with sessions. Do you have any advice for integrating Sanctum with Wave or should I just follow standard Sanctum installation as Laravel recommends? I've never used it before.