I am building a Chrome extension that sends GET requests to a Flask API I’ve built. I want to add some sort of authentication to the API so that only my Chrome extension can receive that data.
I have looked into using a JSON Web Token, but it seems that by doing that I would have to have the username and password in my Chrome extension code, which is easily accessible to anyone once the Chrome extension is published.
Am I thinking about this in the wrong way?
You should not store a JWT with such data as a constant in the Chrome extension code.
JWTs should be generated dynamically in this use case; I recommend this tutorial from Miguel.
I don’t think, however, that this is the way to go. Read this. If you provide authentication (you know who your users are and they need to log in), then you can use those details to create a session based authentication or a JWT token approach (see Flask-Login, Flask-Security, Flask-Principal, Flask-JWT, etc.).
Answered By – miquelvir
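To make the answer concrete, here is an added example (my own, not code from the question, the answer, or any of the linked Flask libraries) of the "generate the JWT dynamically" approach: the extension never ships a secret; the user logs in once, the API mints a short-lived HS256 token with a secret that lives only on the server, and every later GET request carries that token in an `Authorization: Bearer` header, which the API verifies before returning data. It uses only the Python standard library so it runs offline; the user store, the password, and the `handle_get` function that stands in for a Flask route are constructed for the example, and the signing secret is generated at startup here (a real deployment would load it from server-side configuration).

```python
"""Dynamic HS256 JWT issuance and verification for a Flask-style API (stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Signing secret. It lives only on the API server; the extension never sees it.
# Generated at startup for this example; load it from server config in practice.
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_TTL_SECONDS = 900  # short-lived tokens limit the damage of a leaked token


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores a clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store for the example: username -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = TOKEN_TTL_SECONDS,
                now: Optional[int] = None) -> str:
    """Mint a compact JWT (header.payload.signature) signed with SERVER_SECRET."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
        + "." +
        _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    )
    signature = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed by us and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust "alg" from the token (rejects "none" too).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def login(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """The /login route: check credentials and hand back a fresh token, or None."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)  # keep timing similar for unknown users
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return issue_token(username, now=now)


def handle_get(headers: dict, now: Optional[int] = None) -> tuple:
    """What a protected GET route does with the request headers: (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"data": f"hello {claims['sub']}"}


if __name__ == "__main__":
    token = login("alice", "correct horse battery staple")
    print(handle_get({"Authorization": f"Bearer {token}"}))
    print(handle_get({"Authorization": "Bearer not-a-token"}))
```

In a real Flask app `login` sits behind a POST route that reads the credentials from the request body, `handle_get` becomes the body of the protected GET route, and the extension stores the returned token (for example in `chrome.storage.session`) and attaches it to each request. The point the answer makes still holds: nothing the extension ships is a long-term secret, and the server alone can mint or validate tokens.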