Authentication

Session

Learn how to manage the user session in your extension.

We're not implementing fully-featured auth flow in the extension. Instead, we're sharing the same auth session with the web app.

It's a common practice in the industry used e.g. by Notion and Google Workspace.

That way, when the user is signed in to the web app, the extension can use the same session to authenticate the user, so he doesn't have to sign in again. Also signing out from the extension will affect both platforms.

Remember to add your extension scheme as trusted origin

For browser extensions, we need to define an authentication trusted origin using an extension scheme.

Extension schemes (like chrome-extension://...) are used for redirecting users to specific screens after authentication and sharing the auth session with the web app.

To find your extension ID, open Chrome and go to chrome://extensions/, enable Developer Mode in the top right, and look for your extension's ID. Then add it to your auth server configuration:

server.ts
export const auth = betterAuth({
  ...
 
  trustedOrigins: ["chrome-extension://your-extension-id"],
 
  ...
});

Adding your extension scheme to the trusted origins list is crucial for security - it prevents CSRF attacks and blocks malicious open redirects by ensuring only requests from approved origins (your extension) are allowed through.

Read more about auth security in Better Auth's documentation.

Cookies

When the user signs in to the web app through our Better Auth API, web app is setting the cookie with the session token under your app's domain, which is later used to validate the session on the server.

You can find your cookie in Cookies tab in the browser's developer tools (remember to be logged in to the app to check it):

Session cookie

To enable your extension to read the cookie and that way share the session with the web app, you need to set the cookies permission in the wxt.config.ts under manifest.permissions field:

wxt.config.ts
export default defineConfig({
  manifest: {
    permissions: ["cookies"],
  },
});

And to be able to read the cookie from your app url, you need to set host_permissions, which will include your app url:

wxt.config.ts
export default defineConfig({
  manifest: {
    host_permissions: ["http://localhost/*", "https://your-app-url.com/*"],
  },
});

Then you would be able to share the cookie with API requests and also read its value using chrome.cookies API.

Avoid "<all_urls>"

Avoid using <all_urls> in host_permissions. It affects all urls and may cause security issues, as well as a rejection from the destination store.

Declare permissions

developer.chrome.com

chrome.cookies

developer.chrome.com

Reading session

You don't need to worry about reading, parsing, or validating the session cookie. TurboStarter comes with a pre-built solution that ensures your session is correctly shared with the web app.

It also ensures that appropriate cookies are passed to API requests, so you can safely use protected endpoints (that require authentication) in your extension.

To get session details in your extension code (e.g., inside a popup window), you can leverage the useSession hook provided by the auth client (which is also used in the web and mobile apps):

user.tsx
import { useSession } from "~/lib/auth";
 
const User = () => {
  const {
    data: { user, session },
    isPending,
  } = useSession();
 
  if (isPending) {
    return <p>Loading...</p>;
  }
 
  /* do something with the session data... */
  return <p>{user?.email}</p>;
};

That's how you can access user details right in your extension.

Signing out

Signing out from the extension also involves using the well-known signOut function that is derived from our auth client:

logout.tsx
import { signOut } from "~/lib/auth";
 
export const Logout = () => {
  return <button onClick={() => signOut()}>Log out</button>;
};

The session is automatically invalidated, so the next use of useSession or any other query that depends on the session will return null. The UI for both the extension and the web app will be updated to show the user as logged out.

This will sign out the user from the web app as well

As web app is using the same session cookie, the user will be signed out from the web app as well. This is intentional, as your extension will most probably serves as an add-on for the web app and it doesn't make sense to keep the user signed in there if the extension is not used.

Sign out

Last updated on

Previous

Overview

Next

Billing

On this page

Ship your startup everywhere. In minutes.