Ext Probe
Security Overview
This page summarizes how Ext Probe currently handles tokens, permissions, revocation, and audit visibility.
Security Principles
- Request only the scopes needed for monitoring workflows.
- Keep token secret material out of normal frontend workspace responses.
- Encrypt marketplace tokens before storage.
- Give users a clear disconnect and revoke-at-source path.
- Record audit events without exposing secrets in normal trust views.
Current Token Handling
- Marketplace tokens are encrypted using AES-256-GCM before storage.
- Access and refresh tokens are only decrypted when the backend needs to call the marketplace API.
- The frontend receives token metadata such as expiry and scopes, not the secret token values themselves.
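The handling described in this list, sketched as an added example for a Node.js backend; this is not Ext Probe's own code. The function names, the record layout, the sample grant, and the use of the store ID as GCM associated data are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key. A real deployment loads the 32-byte key from a KMS or secret store.
const DEMO_KEY = crypto.randomBytes(32);

// Encrypt one token with AES-256-GCM. The store ID (assumed field) is bound as
// associated data, so a ciphertext copied onto another store's row fails to decrypt.
function sealToken(key, storeId, token) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(storeId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt only at the point of a marketplace API call. Throws if the tag or AAD does not verify.
function openToken(key, storeId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed token too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(storeId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Row written to storage: metadata in the clear, token values only as ciphertext.
function toStoredRecord(key, storeId, grant) {
  return {
    storeId,
    scopes: grant.scopes,
    expiresAt: grant.expiresAt,
    accessTokenEnc: sealToken(key, storeId, grant.accessToken),
    refreshTokenEnc: sealToken(key, storeId, grant.refreshToken),
  };
}

// Frontend response built from an allow-list, so new secret columns never leak by default.
function toFrontendView(record) {
  return { storeId: record.storeId, scopes: [...record.scopes], expiresAt: record.expiresAt };
}

// Constructed sample grant; the scope name and token strings are placeholders.
const SAMPLE_GRANT = {
  accessToken: 'constructed-access-token-123',
  refreshToken: 'constructed-refresh-token-456',
  scopes: ['orders.read'],
  expiresAt: '2030-01-01T00:00:00Z',
};
```

Building the frontend view from an explicit allow-list, rather than deleting secret fields from the stored record, keeps the response safe when new columns are added later.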
Storage Model
- The product supports encrypted token persistence through PostgreSQL when `DATABASE_URL` is configured.
- Pending Shopee auth sessions, revoke reminders, and Telegram notification state can also be persisted.
- If production storage is not configured, some state remains process-local and is not suitable for a serious public deployment.
Extension Permissions
- `storage` is used for API base URL and local preferences.
- `tabs` is used to open marketplace authorization pages in the browser.
- Host permissions should be limited to the real Ext Probe API domain and the marketplace domains required for auth handoff.
Disconnect And Revocation
- Disconnecting a store removes locally stored encrypted credentials from Ext Probe.
- Users should also revoke the marketplace app authorization from the source seller platform to fully invalidate access.
- Ext Probe includes revoke guidance and reminder tracking for this flow.
Audit Visibility
Ext Probe exposes a trust status view that summarizes vault mode, storage mode, and recent audit activity without returning token secret material. Audit events help explain successful auth, disconnect, alert delivery, and revoke-related actions.
Current Limits
- This build is a strong scaffold, not a finished enterprise security program.
- You still need production key management, a real support process, privacy policy hosting, and least-privilege production host permissions before public release.
- Chrome Web Store submission should use the current Shopee-first product scope and avoid overclaiming platform support.