
Harden auth storage and sign-in guards#23

Merged
jonmartin721 merged 1 commit into main from security-hardening-session-and-url-guards
Mar 13, 2026

Conversation

@jonmartin721
Owner

Summary

  • keep GitHub auth in session storage instead of persisting it locally, and clear legacy auth storage keys
  • validate the GitHub device-flow verification URL before opening a tab
  • restore avatar URL sanitization in the optimized renderer and tighten the extension page CSP
  • update security/privacy copy and changelog entries to match the new auth behavior
  • add and update tests for session-only auth, auth URL validation, and avatar fallback handling

Testing

  • npm run lint
  • npm test -- --runInBand

Notes

  • GitHub sign-in no longer survives a browser restart because the auth session is no longer stored on disk

Keep GitHub sign-in data in session storage instead of persisting it
to local extension storage, and clear legacy auth data on access.

Add a stricter device-flow URL check before opening GitHub tabs,
restore avatar URL sanitization in the optimized renderer, and tighten
the extension CSP to match the allowed image sources.

Update tests and user-facing security copy to reflect the new session-only auth behavior.
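As an added example (not the project's code) of the allow-list style of check the description calls a stricter device-flow URL check: the URL is parsed and its origin and path are compared against the one expected page, https://github.com/login/device, before any tab is opened. Function and parameter names here are assumptions.

```javascript
// Added example, not the extension's own isValidGitHubAuthUrl. The device flow
// hands the extension a verification URL; only the real GitHub page may be opened.
const GITHUB_DEVICE_ORIGIN = 'https://github.com';
const GITHUB_DEVICE_PATH = '/login/device';

function isGitHubDeviceUrl(value) {
  if (typeof value !== 'string') return false;
  let url;
  try {
    url = new URL(value); // rejects relative and malformed input
  } catch {
    return false;
  }
  // Compare the parsed origin (scheme + host + port), never the raw string:
  // look-alike hosts, non-https schemes and "javascript:" all have a different
  // origin ("null" for non-hierarchical schemes) and fail here.
  if (url.origin !== GITHUB_DEVICE_ORIGIN) return false;
  // Embedded credentials do not change the origin, so reject them explicitly.
  if (url.username || url.password) return false;
  // Exact, case-sensitive path match after URL normalisation ("/../" is already
  // resolved by the parser); a trailing slash is tolerated, query and fragment
  // do not influence the decision.
  const path = url.pathname.replace(/\/+$/, '');
  return path === GITHUB_DEVICE_PATH;
}

// The gate a caller would place in front of tab creation: unexpected URLs raise
// instead of being opened. openTab is injected so the gate can be tested.
function openDevicePage(verificationUri, openTab) {
  if (!isGitHubDeviceUrl(verificationUri)) {
    throw new Error('Unexpected device-flow verification URL');
  }
  return openTab(verificationUri);
}
```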
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and privacy of GitHub authentication within the extension. By transitioning to session-only storage for authentication tokens and implementing robust URL validation, the risk of persistent token exposure and malicious redirects is mitigated. Additionally, stricter content security policies and image sanitization further harden the extension against potential vulnerabilities, providing users with a more secure experience.

Highlights

  • Authentication Storage: GitHub authentication sessions are now stored exclusively in Chrome session storage, meaning they will not persist across browser restarts. This change also includes logic to clear any legacy authentication data previously stored locally.
  • URL Validation: Added validation for the GitHub device-flow verification URL to ensure its authenticity before opening a new browser tab, preventing potential phishing or malicious redirects.
  • Content Security Policy (CSP) & Avatar Sanitization: The extension's Content Security Policy has been tightened to restrict image sources, and avatar URLs in the optimized renderer are now sanitized to prevent loading images from untrusted sources.
  • Documentation Updates: Privacy and security documentation, as well as changelog entries, have been updated to accurately reflect the new authentication storage behavior and enhanced security measures.
  • Testing: New and updated tests cover the session-only authentication, GitHub authentication URL validation, and the fallback handling for invalid avatar URLs.
Changelog
  • CHANGELOG.md
    • Added new security entries for the unreleased version, detailing changes to GitHub sign-in sessions, device-flow URL validation, and CSP rules.
  • PRIVACY.md
    • Updated the description of GitHub OAuth session storage to clarify its session-only persistence and clearing upon browser session end or disconnection.
    • Modified the explanation of GitHub sign-in data storage to emphasize session storage and non-persistence across browser restarts.
    • Updated the safeguards section to state that the GitHub auth session is kept in session storage only, replacing the previous encryption and local persistence description.
  • SECURITY.md
    • Updated the GitHub Sign-In Storage section to reflect that auth sessions are kept in chrome.storage.session only and that legacy on-disk storage is cleared.
  • manifest.json
    • Tightened the img-src directive in the content_security_policy for extension_pages to explicitly allow specific GitHub domains and data URIs, removing the broad https:.
  • options/options.html
    • Updated the security information text to state that GitHub sign-in sessions are stored in Chrome session storage and cleared when the browser session ends.
  • options/options.js
    • Imported clearAuthSession from storage-helpers.js.
    • Added a call to await clearAuthSession() within the resetSettings function to ensure all authentication data is cleared.
  • popup/views/onboarding-view.js
    • Updated the security message on the onboarding view to reflect that GitHub sign-in stays in Chrome session storage for the current browser session only.
  • shared/auth.js
    • Imported isValidGitHubAuthUrl from security.js.
    • Added validation using isValidGitHubAuthUrl before opening the GitHub device-flow verification page, throwing an error for unexpected URLs.
  • shared/crypto-utils.js
    • Removed the entire file, eliminating cryptographic utility functions for secure auth session storage.
  • shared/dom-optimizer.js
    • Imported sanitizeImageUrl from sanitize.js.
    • Applied sanitizeImageUrl to the activity.authorAvatar before rendering, ensuring only safe image URLs are used.
  • shared/security.js
    • Added a new exported function isValidGitHubAuthUrl to validate URLs for the GitHub device-flow verification page, ensuring they match https://github.com/login/device.
  • shared/storage-helpers.js
    • Removed imports for encryptData and decryptData.
    • Defined LEGACY_AUTH_STORAGE_KEYS to include encryptedGithubAuthSession and encryptionKey.
    • Introduced clearLegacyAuthStorage function to remove old authentication keys from local storage.
    • Modified getAuthSession to prioritize session storage, and to call clearLegacyAuthStorage opportunistically, removing logic for decrypting local storage.
    • Updated setAuthSession to store sessions only in chrome.storage.session and to call clearLegacyAuthStorage.
    • Modified clearAuthSession to call clearLegacyAuthStorage instead of setting AUTH_SESSION_STORAGE_KEY to null.
  • tests/auth.test.js
    • Added a new test case to verify that openGitHubDevicePage rejects unexpected verification URLs and does not attempt to open a tab.
  • tests/dom-optimizer.test.js
    • Added a test case to confirm that ActivityListRenderer falls back to a safe placeholder avatar when an invalid image URL is provided.
  • tests/options-main.test.js
    • Updated the clearAuthSession test to assert that chrome.storage.local.remove is called with ['encryptedGithubAuthSession', 'encryptionKey'].
  • tests/options.test.js
    • Modified mock chrome.storage.local.remove, chrome.storage.sync.remove, and chrome.storage.session.remove functions to accept keys and callback arguments.
    • Removed the jest.unstable_mockModule for ../shared/crypto-utils.js.
  • tests/security.test.js
    • Imported isValidGitHubAuthUrl.
    • Added a new test suite for isValidGitHubAuthUrl to verify it allows expected GitHub device-flow URLs and rejects unexpected hosts or paths.
  • tests/storage-helpers.test.js
    • Removed the jest.unstable_mockModule for ../shared/crypto-utils.js and associated mock functions.
    • Updated mock chrome.storage.sync.remove and chrome.storage.local.remove to accept keys and callback arguments.
    • Modified auth session tests to reflect the new session-only storage behavior, including verifying that legacy local storage keys are removed.

@sentry

sentry bot commented Mar 13, 2026

Codecov Report

❌ Patch coverage is 84.84848% with 5 lines in your changes missing coverage. Please review.

Files with missing lines   Patch %   Lines
shared/security.js         66.66%    2 Missing ⚠️
shared/storage-helpers.js  90.90%    2 Missing ⚠️
options/options.js         0.00%     1 Missing ⚠️


@jonmartin721 jonmartin721 merged commit edec36e into main Mar 13, 2026
5 checks passed
@jonmartin721 jonmartin721 deleted the security-hardening-session-and-url-guards branch March 13, 2026 05:45

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces significant security enhancements by moving the GitHub authentication session from persistent local storage to session-only storage, which is a great improvement. The changes include removing the now-obsolete encryption utilities and adding logic to clear legacy storage keys. I appreciate the additional hardening, such as validating the device-flow URL to prevent open redirects and tightening the Content Security Policy for images. The code is well-structured, and the tests have been updated to cover the new functionality. I have one suggestion to improve the robustness of the new storage helper function.

Comment on lines +32 to +37
  return new Promise((resolve) => {
    chrome.storage.local.remove(LEGACY_AUTH_STORAGE_KEYS, () => {
      legacyAuthStorageChecked = true;
      resolve();
    });
  });


medium

For consistency with other storage helpers in this file (e.g., getLocalItem, setLocalItem), it's good practice to check for chrome.runtime.lastError in the callback and reject the promise if an error occurs. This ensures that storage operation failures are propagated and can be handled by the caller.

  return new Promise((resolve, reject) => {
    chrome.storage.local.remove(LEGACY_AUTH_STORAGE_KEYS, () => {
      if (chrome.runtime?.lastError) {
        return reject(new Error(chrome.runtime.lastError.message));
      }
      legacyAuthStorageChecked = true;
      resolve();
    });
  });
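An added example (not the project's code) of the pattern the review suggests: a promise wrapper that turns chrome.runtime.lastError into a rejection, exercised against a constructed stand-in for chrome.storage.local so it runs outside a browser. The helper name, the fake, and the injected error message are assumptions.

```javascript
// Added example, not the extension's own clearLegacyAuthStorage. The chrome API
// object is passed in rather than read from a global so the fake below can be used.
const LEGACY_AUTH_STORAGE_KEYS = ['encryptedGithubAuthSession', 'encryptionKey'];

function removeLegacyAuthKeys(chromeApi, keys = LEGACY_AUTH_STORAGE_KEYS) {
  return new Promise((resolve, reject) => {
    chromeApi.storage.local.remove(keys, () => {
      // Chrome reports callback failures through runtime.lastError, which is
      // only defined while the callback runs, so it must be read synchronously.
      const err = chromeApi.runtime?.lastError;
      if (err) {
        reject(new Error(err.message || 'chrome.storage.local.remove failed'));
        return;
      }
      resolve(keys);
    });
  });
}

// Constructed stand-in for the extension API: a plain object as the store and
// an optional failure message to inject. Mirrors Chrome in setting lastError
// only for the duration of the callback.
function makeFakeChrome(store, failWith) {
  const chromeApi = { runtime: {}, storage: { local: {} } };
  chromeApi.storage.local.remove = (keys, cb) => {
    if (failWith) {
      chromeApi.runtime.lastError = { message: failWith };
    } else {
      for (const k of keys) delete store[k];
    }
    cb();
    delete chromeApi.runtime.lastError;
  };
  return chromeApi;
}

// Success path clears only the legacy keys; the failure path surfaces the
// error to the caller instead of resolving as if the keys were gone.
async function demo() {
  const store = { encryptedGithubAuthSession: 'blob', encryptionKey: 'k', theme: 'dark' };
  await removeLegacyAuthKeys(makeFakeChrome(store));
  const failed = await removeLegacyAuthKeys(makeFakeChrome(store, 'QUOTA_BYTES exceeded'))
    .then(() => false, (e) => e.message);
  return { remaining: Object.keys(store), failed };
}
```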


1 participant