I have built a site using Rails 7 and it is using Devise for user management. I have also built a chrome extension, which is currently using the rails session cookie to handle auth to the site and everything is working just great.
I would, however, like the user to be able to log in via the chrome extension if the session has timed out, without having to open the site and log in. There are, however, a few restrictions being applied here. Firstly, the chrome extension is blocked from opening links, so I cannot redirect to the login page, and secondly, all JavaScript requests have to be made by the background service-worker.
In order to achieve the above, I believed that I could perform a simple GET request in the service-worker to ‘/users/sign-in’ to get the CSRF token, and then present the user with a login form, capture the details, and send everything back to the site via a POST request. It was at this point that I discovered that the chrome extension will set the ‘Origin’ header on all non-GET requests to chrome-extension://#{ chrome extension id alphanumeric }. This then causes various errors which you can mostly get around by setting the X-Forwarded-* headers. But this then gets stopped by Rack because the only allowed schemes are http, https, ws, and wss. At this point I modified the Rack request.rb to add in chrome-extension, but the token is then invalid as it has ‘http://localhost:3000’ set and not ‘chrome-extension://#{ chrome extension id }’.

I would like to know if there is some config setting in Rails that will allow me to add the necessary scheme, and if the CSRF token can also be updated to handle the request coming from the chrome extension?
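To make the two failures described in the question reproducible without a Rails app, here is an added illustration (my own code, not from the question, Rack or Rails): a stripped-down model of Rack's forwarded-scheme allow-list and of Rails' CSRF origin check (the one controlled by the real setting config.action_controller.forgery_protection_origin_check), run against a constructed request carrying an extension Origin. The method names and the placeholder extension id are mine.

```ruby
# Rack only trusts X-Forwarded-Proto / X-Forwarded-Scheme values from this
# list (it mirrors Rack::Request::Helpers::ALLOWED_SCHEMES); anything else is
# ignored and the scheme of the real connection is used instead.
RACK_ALLOWED_SCHEMES = %w[https http wss ws].freeze

def effective_scheme(real_scheme, forwarded_proto)
  return real_scheme if forwarded_proto.nil?
  RACK_ALLOWED_SCHEMES.include?(forwarded_proto) ? forwarded_proto : real_scheme
end

# Model of Rails' origin check (forgery_protection_origin_check is true by
# default): a non-GET request passes only if it sends no Origin header at all
# or its Origin is byte-for-byte equal to the app's base URL
# (scheme://host:port). The CSRF token itself is checked separately.
def valid_request_origin?(origin, base_url, origin_check: true)
  return true unless origin_check
  origin.nil? || origin == base_url
end

# Constructed request matching the question: the browser stamps the
# extension's Origin on the POST, the app is served from localhost:3000.
EXTENSION_ORIGIN = 'chrome-extension://EXAMPLE_EXTENSION_ID' # placeholder id
APP_BASE_URL     = 'http://localhost:3000'

def reproduce
  {
    # forwarding a scheme outside the allow-list changes nothing: base_url
    # stays http://localhost:3000
    scheme_after_forward: effective_scheme('http', 'chrome-extension'),
    # so the extension's Origin can never equal base_url and the check fails
    origin_ok: valid_request_origin?(EXTENSION_ORIGIN, APP_BASE_URL),
    # a same-origin POST from a page on the site itself passes
    same_origin_ok: valid_request_origin?(APP_BASE_URL, APP_BASE_URL),
    # with the origin check disabled the extension's POST passes, leaving the
    # token as the only cross-site defence for every client, not just the
    # extension
    origin_ok_if_disabled: valid_request_origin?(EXTENSION_ORIGIN, APP_BASE_URL,
                                                 origin_check: false)
  }
end

puts reproduce if $PROGRAM_NAME == __FILE__
```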