Authentication & Storage

How SpikePrimeGit stores your data securely

📖 Overview

YES, We Store Authentication Information

SpikePrimeGit does store authentication information locally, in your Chrome profile, using Chrome's extension storage API (chrome.storage.local).

Important: All data is stored locally in your browser and is NEVER transmitted to third-party servers.

💾 What Authentication Data is Stored?

1. GitHub OAuth Tokens

Storage Key: github_tokens

Stored after successful GitHub authentication:

{
  accessToken: "ghu_xxxxx",
  refreshToken: "ghr_xxxxx",
  expiresAt: 1699564800000,
  scope: "repo,user"
}
  • accessToken: GitHub user access token sent with API requests
  • refreshToken: Token used to obtain a new access token when the current one expires
  • expiresAt: Unix timestamp in milliseconds at which the access token expires
  • scope: Permissions granted to the token

Purpose: Authenticate API requests to GitHub without requiring you to log in repeatedly.

2. GitHub App Installation Data

Storage Key: github_installation

Stored after GitHub App authorization:

{
  id: 12345678,
  account: {
    login: "username",
    id: 987654,
    type: "User"
  },
  repository_selection: "selected",
  created_at: "2024-11-09T12:00:00Z"
}
  • id: GitHub App installation ID
  • account: Your GitHub account information
  • repository_selection: Whether you selected "all" or specific repositories
  • created_at: When the installation was created

Purpose: Track which GitHub App installation to use for API requests.

3. User Settings

Storage Key: user_settings

{
  selectedRepo: "username/spike-projects",
  selectedBranch: "main",
  projectPath: "projects/"
}
  • selectedRepo: Your chosen GitHub repository
  • selectedBranch: Selected branch (usually "main")
  • projectPath: Directory path where projects are saved

Purpose: Remember your preferences so you don't have to reconfigure on each sync.

4. Sync History

Storage Key: sync_history

Stored after each successful sync (limited to 50 entries):

[
  {
    projectName: "MyRobot.llsp3",
    repository: "username/spike-projects",
    branch: "main",
    timestamp: 1699564800000
  }
]

Purpose: Display recent syncs in the extension popup for your reference.

5. Temporary Auth State (Auto-Deleted)

Storage Key: auth_state

⚠️ Temporary Only: This is the random OAuth state value, not an access token. It is created when authentication starts and automatically deleted once the callback has been verified.

Purpose: Prevent Cross-Site Request Forgery (CSRF) attacks during OAuth flow.

Lifecycle: Created before OAuth → Verified on callback → Immediately deleted

🔒 Security Measures

✅ Local Storage Only

  • All data stored in chrome.storage.local, Chrome's storage area for extensions
  • Isolated from websites and other extensions: only SpikePrimeGit's own code can read it through the API
  • Not encrypted by Chrome itself: Chrome's documentation states that this storage area is not encrypted, so the data is written to your Chrome profile on disk as-is and is protected by your operating-system user account and any disk encryption you use
  • Never transmitted to third-party servers
  • Only sent directly to GitHub's official API when needed

✅ Automatic Token Refresh

  • Tokens automatically refreshed before expiration
  • Old tokens replaced in storage with the new ones
  • No manual intervention required
  • Prevents API requests from failing with an expired token
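To make the refresh behaviour concrete, here is an added example in JavaScript. It is not SpikePrimeGit's own code (the project's implementation lives in background/github-auth.js); it keeps the github_tokens layout shown above, uses a constructed stand-in for chrome.storage.local, an assumed five-minute refresh margin and a constructed sample of GitHub's refresh response, and takes the actual network exchange as an injected function. It also shows one detail the bullet list does not: GitHub rotates the refresh token on every use, so concurrent API calls must share a single in-flight refresh rather than each starting their own.

```javascript
// Added example (not SpikePrimeGit's own code): refresh-before-expiry logic
// around the github_tokens record shown above. The storage stand-in, the
// margin and the sample GitHub response are constructed for this example.

const TOKENS_KEY = 'github_tokens';
// Assumed margin: refresh while this much lifetime remains, so an API call that
// starts just before the expiry instant never goes out with a dead token.
const REFRESH_MARGIN_MS = 5 * 60 * 1000;

// Compact stand-in for chrome.storage.local so the example runs outside Chrome.
function makeStorage(initial = {}) {
  const data = { ...initial };
  return {
    get: async (k) => (k in data ? { [k]: data[k] } : {}),
    set: async (o) => { Object.assign(data, o); },
    remove: async (k) => { delete data[k]; },
    snapshot: () => ({ ...data }),
  };
}

function needsRefresh(tokens, now = Date.now()) {
  if (!tokens || typeof tokens.expiresAt !== 'number') return true;
  return tokens.expiresAt - now <= REFRESH_MARGIN_MS;
}

// One refresh in flight per storage area. GitHub rotates the refresh token on
// every use, so two concurrent refreshes with the same ghr_ token would leave
// the second one failing and the stored pair out of sync.
const inFlight = new WeakMap();

// refreshFn(refreshToken) must perform the exchange with GitHub
// (POST https://github.com/login/oauth/access_token, grant_type=refresh_token,
// which also needs the app's client id and secret) and resolve to GitHub's
// response. It is injected so this example stays offline and takes no position
// on where the project keeps that secret.
async function getValidAccessToken(storage, refreshFn, now = Date.now()) {
  const tokens = (await storage.get(TOKENS_KEY))[TOKENS_KEY];
  if (!tokens) throw new Error('not connected to GitHub');
  if (!needsRefresh(tokens, now)) return tokens.accessToken;
  if (!tokens.refreshToken) throw new Error('access token expired and no refresh token stored');

  if (!inFlight.has(storage)) {
    const pending = (async () => {
      try {
        const fresh = await refreshFn(tokens.refreshToken);
        const updated = {
          accessToken: fresh.access_token,
          refreshToken: fresh.refresh_token,          // rotated: the old ghr_ is now useless
          expiresAt: now + fresh.expires_in * 1000,   // GitHub reports seconds
          scope: fresh.scope || tokens.scope,
        };
        await storage.set({ [TOKENS_KEY]: updated }); // old pair replaced in place
        return updated.accessToken;
      } finally {
        inFlight.delete(storage);
      }
    })();
    inFlight.set(storage, pending);
  }
  return inFlight.get(storage);
}

// Constructed sample of the fields GitHub returns from a refresh; real values
// are long opaque strings, and user-to-server tokens report an empty scope.
const SAMPLE_REFRESH_RESPONSE = {
  access_token: 'ghu_new',
  expires_in: 28800,
  refresh_token: 'ghr_new',
  refresh_token_expires_in: 15811200,
  scope: '',
  token_type: 'bearer',
};
```

Every code path that talks to the GitHub API would call getValidAccessToken(storage, refreshFn) first and use the token it returns, so the refresh happens on demand and the caller never sees the expiry.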

✅ CSRF Protection

  • State tokens prevent Cross-Site Request Forgery during OAuth
  • State verified on callback
  • Immediately deleted after verification
  • Protects against malicious authorization attempts

✅ OAuth 2.0 Best Practices

  • Industry-standard authentication protocol
  • GitHub's official OAuth implementation
  • Secure token exchange
  • No password storage (uses GitHub's auth page)

🎛️ User Control & Data Deletion

How to Clear Authentication Data

Option 1: Disconnect in Extension (Recommended)

  1. Click the SpikePrimeGit extension icon
  2. Click "Disconnect" button
  3. All authentication data is immediately cleared

Clears: OAuth tokens, installation data and user settings from local storage (sync history is kept). This removes the extension's copies of the tokens; to revoke the access itself on GitHub's side, also use Option 4.

Option 2: Uninstall Extension

  1. Go to chrome://extensions/
  2. Find SpikePrimeGit
  3. Click "Remove"

Clears: ALL extension data (tokens, settings, history, everything)

Option 3: Clear Chrome Extension Storage

  1. Go to chrome://settings/content/all
  2. Search for "chrome-extension"
  3. Find SpikePrimeGit and clear its data

Clears: ALL stored data

Option 4: Revoke GitHub App Access

To completely revoke SpikePrimeGit's access to your GitHub account:

  1. Visit GitHub App Installations (https://github.com/settings/installations)
  2. Find "SpikePrimeGit" in the list
  3. Click "Configure" or "Uninstall"

Effect: The extension can no longer access your GitHub repositories, because the tokens it holds are invalidated on GitHub's side. The local copies are not removed by this step; use Option 1, 2 or 3 to clear them.

🎉 You're Always in Control

All stored data can be viewed, managed, and deleted at any time. To see exactly what is stored, open chrome://extensions/, enable Developer mode, use "Inspect views" on SpikePrimeGit to open its background console, and run chrome.storage.local.get(null, console.log). You decide what stays and what goes!

🔍 Open Source Transparency

Verify Everything: SpikePrimeGit is completely open source. You can:

  • Review the complete source code at github.com/varunmehta/spike-prime-git
  • Audit exactly what data is stored and how it's used
  • Verify that no data is transmitted to third-party servers
  • See the authentication implementation in background/github-auth.js
  • Submit security concerns or questions via GitHub Issues

📚 Related Documentation