
meeshal

Laravel Passport and Chrome Extensions

What will be the perfect way to make auth:api requests from a Chrome extension to a Laravel Passport API?

Conditions:

  1. Chrome extension users should not have to go through the OAuth redirection process.
  2. Once a user is logged in they should stay logged in until they log out; I mean even if they close the browser they should still be logged in.
  3. Issued tokens cannot be used on other devices.

What I am currently doing:

  1. On register/login I am creating a password grant client and issuing a token and a refresh token, valid for a year.
  2. Storing these tokens in the local storage of that device (chrome.storage.local).
  3. Using these tokens to know if the user is valid or not, logged in or not.

Of course this is not a good idea, because anyone can register, which will generate a token, and this can be used to access allowed resources (I am using Laratrust for ACL) from any device or bot to exploit my API.

My platform/server: Laravel 6, Passport 9, Laratrust 5

I have multiple clients for the API: a mobile app, my own website (using the CreateFreshApiToken middleware), and other 3rd-party clients (using OAuth). I need to add this new Chrome extension so it has access to the API.

Any help will be great. Thanks.

bobbybouwmann

I think your current approach is correct.

What you can do is store the access token encrypted in local storage. You can probably find a way to create a unique key per install to prevent stealing it from each other.

The rest looks good.

meeshal

First of all thanks for your response.

I am thinking of a unique serial number for each install, with the Chrome extension ID combined with a device ID/MAC ID, and creating a middleware to verify, for each API request (originating from Chrome extensions), whether the access token belongs to the correct device.

if (YES); then go ahead with the request else; return 403, logout, delete tokens, and record the IP and MAC

So, will I need to create a new guard (api-cx) only for the Chrome extension and add this middleware to it, OR separate routes with this middleware?
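One way to implement the device-binding middleware described above, as an added example rather than the poster's own code. It assumes a migration has added a `device_hash` column to Passport's `oauth_access_tokens` table, that the extension generates a random per-install identifier on first run (stored in chrome.storage.local) and sends it in an `X-Device-Id` header, and that `bind()` is called once, right after the password-grant token is issued, with the Token model the login flow obtains:

```php
<?php
// Added example, not the poster's code. Assumes: a `device_hash` column on
// oauth_access_tokens (added by your own migration), and an X-Device-Id header
// carrying the extension's random per-install identifier.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\Token;

class VerifyDeviceBinding
{
    // Keyed hash, so a leaked oauth_access_tokens table does not reveal device ids.
    public static function deviceHash(string $deviceId): string
    {
        return hash_hmac('sha256', $deviceId, config('app.key'));
    }

    // Call once after issuing the token at login/register to bind it to the install.
    public static function bind(Token $token, string $deviceId): void
    {
        $token->forceFill(['device_hash' => self::deviceHash($deviceId)])->save();
    }

    public function handle(Request $request, Closure $next)
    {
        /** @var Token|null $token Passport's access token used for this request */
        $token = optional($request->user())->token();
        $deviceId = (string) $request->header('X-Device-Id', '');

        if ($token === null || $deviceId === '' || empty($token->device_hash)) {
            return response()->json(['message' => 'Device binding required.'], 403);
        }

        // Constant-time compare of the stored binding against the presenting device.
        if (!hash_equals((string) $token->device_hash, self::deviceHash($deviceId))) {
            // Token presented from a device it was not issued to: revoke both
            // the access token and its refresh tokens, then log the attempt.
            $token->revoke();
            app(RefreshTokenRepository::class)->revokeRefreshTokensByAccessTokenId($token->id);
            Log::warning('Access token used from an unbound device', [
                'token_id' => $token->id, 'user_id' => $token->user_id, 'ip' => $request->ip(),
            ]);
            return response()->json(['message' => 'Token not valid for this device.'], 403);
        }

        return $next($request);
    }
}
```

Register the class in `$routeMiddleware` and attach it after `auth:api` on the extension's route group, so `$request->user()` is already resolved when it runs.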

Yacine Chi

Hi, would you show me how you dealt with this issue (using a bit of code) and how you protect against others exploiting your Passport API, as you mentioned? Thanks.
